hacking fingerprint recognition systems - ccc event blog · hacking fingerprint recognition systems...
TRANSCRIPT
![Page 1: hacking fingerprint recognition systems - CCC Event Blog · hacking fingerprint recognition systems (can I buy you a beer) 23. Chaos Communication Congress overview ... – template](https://reader031.vdocuments.site/reader031/viewer/2022021704/5b3041f37f8b9a02638b9f42/html5/thumbnails/1.jpg)
23. Chaos Communication Congress
hacking fingerprint recognition systems
(can I buy you a beer)
![Page 2: hacking fingerprint recognition systems - CCC Event Blog · hacking fingerprint recognition systems (can I buy you a beer) 23. Chaos Communication Congress overview ... – template](https://reader031.vdocuments.site/reader031/viewer/2022021704/5b3041f37f8b9a02638b9f42/html5/thumbnails/2.jpg)
23. Chaos Communication Congress
overview
● introduction
● collecting fingerprint data
● attacking the communication● attacking the templates● attacks using the sensor
![Page 3: hacking fingerprint recognition systems - CCC Event Blog · hacking fingerprint recognition systems (can I buy you a beer) 23. Chaos Communication Congress overview ... – template](https://reader031.vdocuments.site/reader031/viewer/2022021704/5b3041f37f8b9a02638b9f42/html5/thumbnails/3.jpg)
23. Chaos Communication Congress
parts of biometric systems
parts of biometric systems
sensor
biometric application
preprocessing
feature extraction
matching
data
base
![Page 4: hacking fingerprint recognition systems - CCC Event Blog · hacking fingerprint recognition systems (can I buy you a beer) 23. Chaos Communication Congress overview ... – template](https://reader031.vdocuments.site/reader031/viewer/2022021704/5b3041f37f8b9a02638b9f42/html5/thumbnails/4.jpg)
23. Chaos Communication Congress
parts of biometric systems types of attacks
● attacking the data – communication data (1)– reference data (2)
● attacking the software (3)– matcher– threshold
● attacks using the sensor (4)parts of biometric systems
sensor
biometric application
preprocessing
feature extraction
matching
data
base
(1)
(2)(3)
(4)
![Page 5: hacking fingerprint recognition systems - CCC Event Blog · hacking fingerprint recognition systems (can I buy you a beer) 23. Chaos Communication Congress overview ... – template](https://reader031.vdocuments.site/reader031/viewer/2022021704/5b3041f37f8b9a02638b9f42/html5/thumbnails/5.jpg)
23. Chaos Communication Congress
skin
profile of the finger
![Page 6: hacking fingerprint recognition systems - CCC Event Blog · hacking fingerprint recognition systems (can I buy you a beer) 23. Chaos Communication Congress overview ... – template](https://reader031.vdocuments.site/reader031/viewer/2022021704/5b3041f37f8b9a02638b9f42/html5/thumbnails/6.jpg)
23. Chaos Communication Congress
skin sensors
Marie Sandström
optical sensor
capacitive sensor
profile of the finger
![Page 7: hacking fingerprint recognition systems - CCC Event Blog · hacking fingerprint recognition systems (can I buy you a beer) 23. Chaos Communication Congress overview ... – template](https://reader031.vdocuments.site/reader031/viewer/2022021704/5b3041f37f8b9a02638b9f42/html5/thumbnails/7.jpg)
23. Chaos Communication Congress
skin sensors features
Marie Sandström
optical sensor
capacitive sensor
profile of the finger
minutias
sweat pores
![Page 8: hacking fingerprint recognition systems - CCC Event Blog · hacking fingerprint recognition systems (can I buy you a beer) 23. Chaos Communication Congress overview ... – template](https://reader031.vdocuments.site/reader031/viewer/2022021704/5b3041f37f8b9a02638b9f42/html5/thumbnails/8.jpg)
23. Chaos Communication Congress
collecting the data
![Page 9: hacking fingerprint recognition systems - CCC Event Blog · hacking fingerprint recognition systems (can I buy you a beer) 23. Chaos Communication Congress overview ... – template](https://reader031.vdocuments.site/reader031/viewer/2022021704/5b3041f37f8b9a02638b9f42/html5/thumbnails/9.jpg)
23. Chaos Communication Congress
visualisation of latent prints on glossy surfaces
● coloured or magnetic powder
● cyanoacrylate
● vacuum metal deposition
visualisation with coloured powder
visualisation with cyanoacrylate
visualisation with sputtered gold
![Page 10: hacking fingerprint recognition systems - CCC Event Blog · hacking fingerprint recognition systems (can I buy you a beer) 23. Chaos Communication Congress overview ... – template](https://reader031.vdocuments.site/reader031/viewer/2022021704/5b3041f37f8b9a02638b9f42/html5/thumbnails/10.jpg)
23. Chaos Communication Congress
visualisation of latent prints on paper
● amino acid indicator– Ninhydrin– Iodide
● thermal decomposition of grease
visualisation with Ninhydrin
visualisation of grease
![Page 11: hacking fingerprint recognition systems - CCC Event Blog · hacking fingerprint recognition systems (can I buy you a beer) 23. Chaos Communication Congress overview ... – template](https://reader031.vdocuments.site/reader031/viewer/2022021704/5b3041f37f8b9a02638b9f42/html5/thumbnails/11.jpg)
23. Chaos Communication Congress
sniffing the communication
● Hardware – USBAgent / USB Tracker– directly connected to the sensor– GNURadio
● Software – usbsnoop– sniffusb– usbmon
www.hitex.comUSBAgent
usbsnoop
![Page 12: hacking fingerprint recognition systems - CCC Event Blog · hacking fingerprint recognition systems (can I buy you a beer) 23. Chaos Communication Congress overview ... – template](https://reader031.vdocuments.site/reader031/viewer/2022021704/5b3041f37f8b9a02638b9f42/html5/thumbnails/12.jpg)
23. Chaos Communication Congress
data analysis
● collecting public information● analysing the sensor
● type of data– raw vs. templates
● encryption● header
– timestamps– checksums
USBsniff of the Siemens ID Mouse
![Page 13: hacking fingerprint recognition systems - CCC Event Blog · hacking fingerprint recognition systems (can I buy you a beer) 23. Chaos Communication Congress overview ... – template](https://reader031.vdocuments.site/reader031/viewer/2022021704/5b3041f37f8b9a02638b9f42/html5/thumbnails/13.jpg)
23. Chaos Communication Congress
sniffing the data @ thinkpad sensor
● direct sniffing not possible– hardware: builtin sensor– software: encrypted data (TPM?)
● external version of the sensor
http://www8.ibm.com/lenovoinfo/fingerprint/i/usb_fpr.gif
USBsniff of the Thinkpad sensor
external IBM sensor
![Page 14: hacking fingerprint recognition systems - CCC Event Blog · hacking fingerprint recognition systems (can I buy you a beer) 23. Chaos Communication Congress overview ... – template](https://reader031.vdocuments.site/reader031/viewer/2022021704/5b3041f37f8b9a02638b9f42/html5/thumbnails/14.jpg)
23. Chaos Communication Congress
templates
● localisation– in the filesystem (filemon)– in the registry (regmon)
● analysing– template to user correlation– used algorithms– checksums– raw images
![Page 15: hacking fingerprint recognition systems - CCC Event Blog · hacking fingerprint recognition systems (can I buy you a beer) 23. Chaos Communication Congress overview ... – template](https://reader031.vdocuments.site/reader031/viewer/2022021704/5b3041f37f8b9a02638b9f42/html5/thumbnails/15.jpg)
23. Chaos Communication Congress
templates @ thinkpad sensor
– HKEY_LOCAL_MACHINE\SOFTWARE\Virtual Token\Passport\2.0
● \LocalPassport\User <Username>● \LocalPassportBio
● C:\WINDOWS\system32\config\SOFTWARE● template starts with: 00 13 48 5b [01 02]
RegMon output of the enrolment
![Page 16: hacking fingerprint recognition systems - CCC Event Blog · hacking fingerprint recognition systems (can I buy you a beer) 23. Chaos Communication Congress overview ... – template](https://reader031.vdocuments.site/reader031/viewer/2022021704/5b3041f37f8b9a02638b9f42/html5/thumbnails/16.jpg)
23. Chaos Communication Congress
attacking the communication
![Page 17: hacking fingerprint recognition systems - CCC Event Blog · hacking fingerprint recognition systems (can I buy you a beer) 23. Chaos Communication Congress overview ... – template](https://reader031.vdocuments.site/reader031/viewer/2022021704/5b3041f37f8b9a02638b9f42/html5/thumbnails/17.jpg)
23. Chaos Communication Congress
attacking the communication
● replaying sniffed packages
● inserting selfgenerated data– analyse template data– attacking the software
sniffing replaying
replay attack by Lisa Thalheim
![Page 18: hacking fingerprint recognition systems - CCC Event Blog · hacking fingerprint recognition systems (can I buy you a beer) 23. Chaos Communication Congress overview ... – template](https://reader031.vdocuments.site/reader031/viewer/2022021704/5b3041f37f8b9a02638b9f42/html5/thumbnails/18.jpg)
23. Chaos Communication Congress
attacking the templates
![Page 19: hacking fingerprint recognition systems - CCC Event Blog · hacking fingerprint recognition systems (can I buy you a beer) 23. Chaos Communication Congress overview ... – template](https://reader031.vdocuments.site/reader031/viewer/2022021704/5b3041f37f8b9a02638b9f42/html5/thumbnails/19.jpg)
23. Chaos Communication Congress
attacking the templates
● adding or deleting a template
● two people matching one template
● changing template to person correlation
● attacking the software using a manipulated template
![Page 20: hacking fingerprint recognition systems - CCC Event Blog · hacking fingerprint recognition systems (can I buy you a beer) 23. Chaos Communication Congress overview ... – template](https://reader031.vdocuments.site/reader031/viewer/2022021704/5b3041f37f8b9a02638b9f42/html5/thumbnails/20.jpg)
23. Chaos Communication Congress
attacking the templates @ thinkpad sensor
● read the template in the registry
● add your own fingerprint to an existing template
● write back to the registry (biometric worm)
![Page 21: hacking fingerprint recognition systems - CCC Event Blog · hacking fingerprint recognition systems (can I buy you a beer) 23. Chaos Communication Congress overview ... – template](https://reader031.vdocuments.site/reader031/viewer/2022021704/5b3041f37f8b9a02638b9f42/html5/thumbnails/21.jpg)
23. Chaos Communication Congress
attacks using the sensor
![Page 22: hacking fingerprint recognition systems - CCC Event Blog · hacking fingerprint recognition systems (can I buy you a beer) 23. Chaos Communication Congress overview ... – template](https://reader031.vdocuments.site/reader031/viewer/2022021704/5b3041f37f8b9a02638b9f42/html5/thumbnails/22.jpg)
23. Chaos Communication Congress
latent prints 1
● reactivating latent prints on touch sensors– capacitive: aspirate, graphite – optical: coloured powder
● countermeasures– checking minutia position of the last login
http://www.heise.de/ct/02/11/114/
reactivating latent prints
![Page 23: hacking fingerprint recognition systems - CCC Event Blog · hacking fingerprint recognition systems (can I buy you a beer) 23. Chaos Communication Congress overview ... – template](https://reader031.vdocuments.site/reader031/viewer/2022021704/5b3041f37f8b9a02638b9f42/html5/thumbnails/23.jpg)
23. Chaos Communication Congress
latent prints 2
● using latent prints (not on the sensor)– graphite or coloured powder on adhesive
tape
● not for sweeping sensors
graphite powder on adhesive tapehttp://www.heise.de/ct/02/11/114/
![Page 24: hacking fingerprint recognition systems - CCC Event Blog · hacking fingerprint recognition systems (can I buy you a beer) 23. Chaos Communication Congress overview ... – template](https://reader031.vdocuments.site/reader031/viewer/2022021704/5b3041f37f8b9a02638b9f42/html5/thumbnails/24.jpg)
23. Chaos Communication Congress
making a dummy finger
● gelatine, silicone
● wood glue
● enhancing with graphite spray
making a dummy finger
![Page 25: hacking fingerprint recognition systems - CCC Event Blog · hacking fingerprint recognition systems (can I buy you a beer) 23. Chaos Communication Congress overview ... – template](https://reader031.vdocuments.site/reader031/viewer/2022021704/5b3041f37f8b9a02638b9f42/html5/thumbnails/25.jpg)
23. Chaos Communication Congress
making a dummy fingers @ thinkpad sensor
● etching an optical PCB
● aluminium foil on adhesive tape
● transfer the fingerprint onto the foil
dummy finger
etched PCB
![Page 26: hacking fingerprint recognition systems - CCC Event Blog · hacking fingerprint recognition systems (can I buy you a beer) 23. Chaos Communication Congress overview ... – template](https://reader031.vdocuments.site/reader031/viewer/2022021704/5b3041f37f8b9a02638b9f42/html5/thumbnails/26.jpg)
23. Chaos Communication Congress
life check
● pulse– IR illuminated bloodstream– deformation of the ridges
● property of the skin– electrical and thermal conductivity– colour
● absorption of the blood
● sweat
![Page 27: hacking fingerprint recognition systems - CCC Event Blog · hacking fingerprint recognition systems (can I buy you a beer) 23. Chaos Communication Congress overview ... – template](https://reader031.vdocuments.site/reader031/viewer/2022021704/5b3041f37f8b9a02638b9f42/html5/thumbnails/27.jpg)
23. Chaos Communication Congress
preventing the recognition
● superglue
● hard work :)
● etching
● scorching
● remove with emery paper
● transplantation
normal fingerprint superglued fingerprint
transplanted fingertipshttp://www.sploid.com/images/feetfinger.jpg
![Page 28: hacking fingerprint recognition systems - CCC Event Blog · hacking fingerprint recognition systems (can I buy you a beer) 23. Chaos Communication Congress overview ... – template](https://reader031.vdocuments.site/reader031/viewer/2022021704/5b3041f37f8b9a02638b9f42/html5/thumbnails/28.jpg)
23. Chaos Communication Congress
hacked sensors (systems)
● capacitive– Infineon (Siemens ID mouse)– UPEK (IBM Thinkpads)
● optical– Dermalog– U.are.U (Microsoft)– Identix
● thermical– Atmel (ekey, iPAQ)
● electrical– Authentec (Medion)
![Page 29: hacking fingerprint recognition systems - CCC Event Blog · hacking fingerprint recognition systems (can I buy you a beer) 23. Chaos Communication Congress overview ... – template](https://reader031.vdocuments.site/reader031/viewer/2022021704/5b3041f37f8b9a02638b9f42/html5/thumbnails/29.jpg)
23. Chaos Communication Congress
conclusion
● latent prints left on nearly every surface● prints are easy to collect● nearly all tested systems could be fooled with
homemade dummy finger● fallback passwords still needed
● Don't use fingerprint recognition systems for security relevant applications!
![Page 31: hacking fingerprint recognition systems - CCC Event Blog · hacking fingerprint recognition systems (can I buy you a beer) 23. Chaos Communication Congress overview ... – template](https://reader031.vdocuments.site/reader031/viewer/2022021704/5b3041f37f8b9a02638b9f42/html5/thumbnails/31.jpg)
23. Chaos Communication Congress
sensor
biometric application
preprocessing
feature extraction
matchingda
taba
se