Penetration Testing Biometric System
By FB1H2S aka Rahul Sasi
http://Garage4Hackers.com
http://null.co.in/ http://nullcon.net/
Who am I? What is this paper about?
• I am an Info Security Enthusiast http://fb1h2s.com Rahul Sasi aka FB1H2S working as a consultant. http://www.aaatechnologies.co.in
• Active participant of Null and other computing groups.
• A member of Garage4Hackers. http://www.Garage4Hackers.com
• What this paper contains?
Explaining the Risk?
• Finger print deployed everywhere, attendance and door management.
• Advantages and Disadvantages of Bio-systems.
• The devices hold critical information.
Employee Details
Employee Attendance
Employee Salary
Why audit them?
I just Hacked into Biometric Attendance Register and Changed
attendance and salary :D of mine and my @#$$
Student / Employee
Professor / Not so good co-worker
I am marked 10 days absent , what the |-|3ll is happening!
Classifying the Attacks
Local Attacks:
• Finger Print Sensor
• USB Data Manager
Remote Attacks:
• Remote IP Management
• Back End Database
• Finger Print Manager (Admin Interface)
Biometric System Attack Vectors
Biometric Systems Common Applications
• Reliable attendance managing system.
• Biometric Finger print guarded doors, implemented for keyless secure access to doors.
Attacks: The Non Technical part
Local Attack: Finger print sensor
• Finger print scanners read input using two methodologies:
  1) Optical scanner
  2) Capacitance scanner
• Finger print recognition systems are image matching algorithms
• Cloning a duplicate finger print and cheating the image recognition algorithms
Stealing a Finger Print
• Your finger impressions fall anywhere you touch. Ex: on glass
My Approach: Finger Print Logger
• Biometric sensor looks like this.
• Placing a thin transparent object with a lower refractive index in front of the sensor and logging finger prints.
Building Finger print logger
• Refraction:
• Use a thin transparent sheet with a lower refractive index
• Log the victim's fingerprint using the finger print logger
Steps Building Logger
Special Points to be Considered
Reproducing a Fake Finger print:
Local Attack: USB Data Manager.
• Biometric devices have inbuilt data storage, where they store the finger print and user information.
• USB support in order to download and upload finger prints and other log details to and from the device.
• Most of the devices do not have any sort of protection mechanism employed to prevent data theft, and those which use password protection are often deployed with the default password.
Attacks: The Technical part
Remote Attack Vectors.
Remote Attack Vectors
• IP implementation for data transfer
• Biometric Management Servers
• Biometric Admin/Interface (Web Based and Desktop based)
• Back end Database
• Man In The Middle Attacks
TCP/IP Implementation for Remote Management:
Remote Administration Implementation
Issues
• The remote administration capability of this device lets biometric servers authenticate to it and manage it remotely.
• We are completely unaware of the management protocol used, as the program is embedded in the Biometric MIPS device.
Solutions
• The admin application knows everything about the remote device, so if we could get a copy of that application it will tell us everything we want.
Example Attack
Attacking the remote management protocol Example.
• Situation: The remote administration implementation is unknown.
• Foot printing: The label on the Biometric device will reveal which company has marketed or built that product.
• Download a copy of remote management software from vendor site
Example Attack
Reverse Engineering the Application
• Reflector used to disassemble the .NET application
• Detected the TCP/IP settings the device uses for communication: it uses port 4370 to communicate
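A defender-side check built on the port finding above, added here as an example and not taken from the original slides: it reads flow records and reports every host other than the approved biometric management server that reaches the device management port. The key=value log layout, the addresses, the allowlist and the function names are assumptions constructed for illustration.

```python
import re
from collections import Counter

MGMT_PORT = 4370  # management port named on the slide

# Assumption: the single host approved to manage the devices (constructed address).
ALLOWED_MANAGERS = {"10.0.5.20"}

# Constructed sample flow records; the key=value layout is an assumption.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z src=10.0.5.20 dst=10.0.9.15 dport=4370 proto=tcp action=allow
2024-03-04T09:02:17Z src=10.0.7.44 dst=10.0.9.15 dport=4370 proto=tcp action=allow
2024-03-04T09:02:19Z src=10.0.7.44 dst=10.0.9.15 dport=4370 proto=tcp action=allow
2024-03-04T09:03:40Z src=10.0.7.44 dst=10.0.9.15 dport=443 proto=tcp action=allow
2024-03-04T09:05:02Z src=10.0.8.3 dst=10.0.9.16 dport=4370 proto=udp action=deny
this line is malformed and must be skipped
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_flow(line):
    """Return the key=value fields of one record, or None if it is incomplete."""
    fields = dict(FIELD.findall(line))
    if not {"src", "dst", "dport", "action"} <= fields.keys():
        return None
    if not fields["dport"].isdigit():
        return None
    return fields

def unexpected_mgmt_clients(log_text, allowed=ALLOWED_MANAGERS, port=MGMT_PORT):
    """Count flows to the management port, per (src, dst, action), from hosts off the allowlist."""
    hits = Counter()
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None or int(flow["dport"]) != port:
            continue
        if flow["src"] not in allowed:
            hits[(flow["src"], flow["dst"], flow["action"])] += 1
    return sorted(hits.items())

if __name__ == "__main__":
    for (src, dst, action), count in unexpected_mgmt_clients(SAMPLE_LOG):
        print(f"ALERT {src} -> {dst}:{MGMT_PORT} action={action} flows={count}")
```

Denied flows are reported as well as allowed ones, since a blocked attempt from a workstation to a device's management port is still worth a look.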
Application uses COM objects which interact with the device
• IDA used for disassembling the COM objects
• Disassembling the import functions shows the communication details
Example Device Command extracted
• Commands to set the device time remotely
Auditing Back End Database
• From disassembling we were able to find local database password file and encryption key hardcoded in the application.
Biometric Admin/Interface (Web Based and Desktop based)
• Another possible point of attack is the admin interface; these are either desktop based or web based.
• Desktop based applications are common, and interacting with them requires local privileges on the Biometric server.
• But web based admin panels could be attacked from outside.
• So an application check on those modules for application vulnerabilities could also help.
Nmap Script: Detecting Biometric Devices on Network:
How to detect these devices on the network for attacking?
Nmap Script Output.
Attack Videos
Conclusion
• The risks and vulnerabilities associated with biometric devices are explained.
• This shows the necessity of including these devices in the scope of a Network Audit.