Penetration Testing Biometric


29 Nov 2013 (4 years and 7 months ago)




FB1H2S aka


Who am I?

What is this paper about?

I am an Info Security Enthusiast

Rahul Sasi aka FB1H2S, working as a consultant.

Active participant of Null and other computing

A member of Garage4Hackers.

What does this paper contain?

Explaining the Risk?

Fingerprint systems are deployed everywhere, for attendance and door management.

Advantages and Disadvantages of Bio

The devices hold critical information.




Employee Salary

Why audit them?

I just Hacked into
Biometric Attendance
Register and Changed
attendance and salary :D
of mine and my @#$$

Student / Employee

Professor / Not so good co

I am marked 10 days absent ,
what the |
|3ll is happening!

Classifying the Attacks

Local Attacks:

Finger Print Sensor

USB Data Manager

Remote Attacks:

Remote IP Management

Back End Database

Finger Print Manager (Admin Interface)

Biometric System Attack Vectors

Biometric Systems Common

Reliable attendance managing system.

Biometric Finger print guarded doors, implemented for keyless secure
access to doors.

Attacks: The Non Technical part

Local Attack: Finger print sensor

Finger print scanners read input using two

1) Optical scanner

2) Capacitance scanner

Finger print recognition systems are image matching

Cloning a duplicate finger print and cheating the
image recognition algorithms

Stealing a Fingerprint

Your finger impressions fall anywhere you
touch. Ex: on glass

My Approach: Finger Print Logger

Biometric sensor looks like this.

Placing a thin less refractive index transparent
object in front of the sensor and logging finger

Building Finger print logger


Use a thin transparent sheet with a low refractive index

Log the victim's fingerprint using the finger print

Steps Building Logger

Special Points to be Considered

Reproducing a Fake Finger print:

Local Attack: USB Data Manager.

Biometric devices have inbuilt data storage, where they store the
fingerprints and user information.

USB support is provided to download and upload fingerprints and other log
details to and from the device.

Most of the devices do not employ any protection mechanism
to prevent data theft, and those which use password
protection are often deployed with the default password.

Attacks: The Technical part

Remote Attack Vectors.

Remote Attack Vectors

IP implementation for data transfer

Biometric Management Servers

Biometric Admin/Interface (Web Based and
Desktop based )

Back end Database

Man In The Middle Attacks

TCP/IP Implementation for Remote

Remote Administration Implementation


The remote administration capability of this device lets
biometric servers authenticate to it and manage it remotely.

We are completely unaware of the management protocol
used as the program is embedded in the Biometric MIPS


The admin application knows everything about the remote
device so if we could get a copy of that application it will tell
us everything we want.

Example Attack

Attacking the remote management
protocol Example.


The remote administration implementation is unknown.

Foot printing:
The label on the biometric device will reveal which
company has marketed or built that product.


a copy of remote management software from vendor site

Example Attack

Reverse Engineering the Application

Reflector was used to disassemble the .NET application

Detected the TCP/IP settings the device uses for
communication: it communicates on port 4370

The application uses COM objects which
interact with the device

IDA was used for disassembling the COM objects

Disassembling the import function shows the
communication details

Example Device Command extracted

Commands to set the device time remotely

Auditing Back End Database

From disassembling we were able to find local database
password file and encryption key hardcoded in the

Biometric Admin/Interface (Web Based and
Desktop based )

Another possible point of attack is the admin
interface; these are either desktop based or Web

Desktop based applications are common, and
interacting with them requires local
privileges on the biometric server.

But web based admin panels could be attacked from

So an application check on those modules for
application vulnerabilities could also help.

Nmap Script: Detecting Biometric Devices on

How to detect these devices on the network for attacking?

Nmap Script Output.

Attack Videos


The risks and vulnerabilities associated with
biometric devices are explained.

This shows the necessity of including these
devices in the scope of a network audit.
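
A defender-side check for the audit scope argued above, as an added example that is not part of the original slides: it scans firewall or flow log lines for clients other than the sanctioned biometric server talking to devices on port 4370, the management port named earlier. The log format, the addresses and the allow-list are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

MGMT_PORT = 4370  # management port reported on this page
# Assumption: the only host sanctioned to manage devices (hypothetical address).
ALLOWED_MANAGERS = {ipaddress.ip_address("10.0.5.10")}

# Constructed sample log; the format "ts proto src:sport -> dst:dport action" is assumed.
SAMPLE_LOG = """\
2013-11-29T09:00:01 TCP 10.0.5.10:51512 -> 10.0.9.21:4370 ALLOW
2013-11-29T09:02:17 TCP 10.0.7.44:40211 -> 10.0.9.21:4370 ALLOW
2013-11-29T09:02:19 TCP 10.0.7.44:40212 -> 10.0.9.22:4370 ALLOW
2013-11-29T09:05:40 UDP 10.0.7.44:53011 -> 10.0.9.21:4370 ALLOW
2013-11-29T09:06:02 TCP 10.0.7.44:40300 -> 10.0.9.30:443 ALLOW
2013-11-29T09:07:00 TCP 10.0.8.3:50000 -> 10.0.9.21:4370 DENY
truncated or malformed line
"""

LINE_RE = re.compile(
    r"^\S+ (?P<proto>TCP|UDP) (?P<src>[\d.]+):\d+ -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>ALLOW|DENY)$"
)

def unexpected_mgmt_clients(log_text, allowed=ALLOWED_MANAGERS):
    """Map each non-allow-listed source to the (device, proto, action) it tried on 4370."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) != MGMT_PORT:
            continue  # unparseable line or unrelated traffic
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # malformed address such as 999.1.1.1
        if src not in allowed:
            hits[str(src)].add((str(dst), m["proto"], m["action"]))
    return {src: sorted(conns) for src, conns in hits.items()}

def sweep_sources(findings, min_devices=2):
    """Sources that reached several devices on the management port (discovery-like)."""
    return sorted(s for s, conns in findings.items()
                  if len({dst for dst, _, _ in conns}) >= min_devices)

if __name__ == "__main__":
    findings = unexpected_mgmt_clients(SAMPLE_LOG)
    print(findings, sweep_sources(findings))
```

Denied attempts are reported alongside allowed ones, since a blocked connection to the management port is still a client that should not be trying.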