Date: Tue, 30 Jan 2018 19:31:50 +0000
From: Ben Tasker <ben@...tasker.co.uk>
To: noloader@...il.com
Cc: Vulnerability Lab <research@...nerability-lab.com>,
 Full Disclosure List <fulldisclosure@...lists.org>
Subject: Re: [FD] Banknotes Misproduction security & biometric weakness

There's some detail in the Vulnerability magazine link, reproducing here so
there's a record

We discovered an anomaly in the hologram section of the newly printed 20€ &
50€ banknotes. The security sign on the banknotes is produced with a
transparent film. In the middle of the new hologram of the 20€ & 50€
banknotes is a picture of a woman and different fingerprint-like
structures. When we noticed the problem, we used a microscope to look
closer.

After an internal discussion that the security sign could perhaps be used
for biometric authentication processes, we tested the hologram for usage on
different fingerprint scanners such as an Asus Pro laptop, Eikon, Samsung
Galaxy S7/S8 and the Apple iPhone v11. All mechanisms could be bypassed
using the hologram of the banknotes to fake a fingerprint which is accepted
by the fingerprint-scanner system. After that, the attacker is able to
re-login with the universal hologram.

Finally, we were able to bypass the biometric identification process of
the different devices. No system is able to identify that the hologram is
not a real fingerprint. In the end, we figured out in the testing process
that the holograms can be used to add via write and to auth via read. There
are now multiple problems in connection with the security issue.
1. Fingerprint - Reader & Writer (Mobile Devices)
End-user devices like phones with fingerprint sensors of manufacturers
like Samsung, Apple, Huawei & co. are permanently vulnerable to this new
type of attack. The sensor does not check the reflection of the hologram in
read and write mode. It interprets the security signs as features of a
real fingerprint. This results in an easy bypass using any 20€ or 50€
banknote after registration. An attacker only needs to put his finger
behind the hologram to bypass the finger-pulse check of the iDevice. All
other mechanisms are not accurate at approving the content during the
sensor check.

2. Biometric Security in Europe
Each time the ECB produces more of the affected banknotes, biometric
security in all European countries is generally weakened. In the near
future the ECB plans to integrate the holograms into every banknote (5€,
10€, 100€ & co.). This would be a crazy incident for all biometric systems
using a fingertip to authenticate, because any person is now able to
perform this type of attack against an environment or service.

3. Fake fingerprints to go
Any person that has access to a system could use a hologram of a European
banknote to fake his fingerprint. Even those who do not have the expertise
to fake it, because in the case of a publication the government would have
to reckon with it.

4. Universal fingerprint as key
Once a hologram is written to a database, any attacker could use another
hologram of the same banknote series to bypass the security mechanism and
finally get access to the environment. Administrators or moderators are
also able to set up a universal fingerprint key in any DBMS for further
entrance.

5. Save content in biometric signs or read data
The problem could be used by security agencies to save data in the
biometric sign or to use it to get access to protected environments. An
agent could, for example, save data variables in the biometric sign of the
banknote to exfiltrate information.

6. Information in the hologram
In the special case that a fingerprint entry is generated by mathematical
variables with plain information, the content can be saved as plain-text
information to extract the binary information. The binary information of
the hologram fingerprint can then be deciphered using different unknown
one-time-pad keys. So the data of the fingerprint is translated to binary
code with a fingerprint device (open source) in plain text. The plain text
is then used to identify the cipher inside the security sign hologram.
7. Save your Privacy
At that point people can also use the hologram to authenticate to a system
or to a mobile device, in case a user does not want to save his personal
fingerprint to any untrusted device. They can now use the hologram to save
a fingerprint and authenticate in a fully anonymous way.
8. Bypassing the biometric security with the help of banknotes

  Spread    Exposition   Exploitation   Detection
  LOW       MODERATE     MODERATE       EASY

Problem Description & Causes
Reference 1 has proven in a PoC that the biometric security of European
bills can be used for counterfeiting a fingerprint.

Possible threat scenarios
1. Avoiding person-related biometric backup in mobile devices, such as the
Apple iPhone, and many more.
2. If necessary, falsification of the biometric identifiers of identity
documents. Fake ID documents can be sold on the black market with a
one-time registered fingerprint. The number of copies and persons is
irrelevant.

Countermeasures:
1. Generate awareness among manufacturers and users of smart meter
biometrics.
2. Educate data feeders so that fingers are free of foreign matter (e.g.,
glue or the like) and are checked.
3. Organizational measures
a) Review of existing biometric profiles on devices
b) Modify the process of identification of biometrics
c) Check the biometric data for duplications in IT systems and databases

----------------------

My comments:

The title is fairly misleading (or I've misunderstood the article). I
assumed this was actually some sort of weakness in the production of the
banknotes themselves (perhaps ineffective anti-counterfeiting measures...),
but it seems to be more that there's an embossed "fingerprint" which
various biometric readers will actually believe to be a real fingerprint
(and having your finger behind it will sort the pulse detection issues)

The weakness, the theory goes, is that someone could register a
"fingerprint" in your system by using a banknote. This'd give them access
whilst also meaning you didn't at least have a hash of their real
fingerprint for forensics to find.

Another theory is that users might opt to use a banknote instead of their
own fingerprint. I'm not quite sure what the likelihood of that is, in that
it's not exactly convenient, and if you're concerned about privacy
implications from a fingerprint scanner the best option is not to use it.

What it does show (which is already known), is that commodity fingerprint
scanners remain easily fooled. So much so, that an "acceptable"
non-fingerprint is being accidentally mass produced and will soon be in the
pockets of millions of people.



On Tue, Jan 30, 2018 at 2:18 PM, Jeffrey Walton <noloader@...il.com> wrote:

> On Tue, Jan 30, 2018 at 4:08 AM, Vulnerability Lab
> <research@...nerability-lab.com> wrote:
> > Document Title:
> > ===============
> > Banknotes Misproduction security & biometric weakness
> > ...
> >
> > Technical Details & Description:
> > ================================
> > In the last months we reviewed the new 20€ & 50€ banknotes of the
> > European Central Bank. One of our core team researchers identified
> > that for the security sign of the holograms different components are in
> > usage. The security signs are built by the European Central
> > Bank with several high-profile elements in the signs to ensure that the
> > banknotes have a serious level of protection against fraud or
> > fake money. After spending some time identifying an impact, we were
> > finally able to identify the following security problem ...
> >
>
> The details seem to be missing from the announcement and the website.



-- 
Ben Tasker
https://www.bentasker.co.uk

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
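The countermeasure the magazine text lists as 3c (check enrolled biometric data for duplicates) and Ben's remark that a banknote enrolment leaves no hash of the attacker's real fingerprint both point at the same detective control: a "universal" print shows up as one template enrolled under several accounts. The script below is an added example, not code from the original post or from Vulnerability Lab. It assumes (this is not in the original) that enrolled templates are stored as fixed-length bit-strings in hex and that two templates count as the same print when their Hamming distance is within a small threshold; real fingerprint matchers compare minutiae sets rather than raw bit-strings, so the threshold logic here stands in for the matcher's own verify call. The enrolment table is constructed sample data.

```python
"""Flag biometric templates enrolled under more than one account.

Added example, not code from the original post or from Vulnerability Lab.
Assumption (not in the original): templates are fixed-length hex
bit-strings and 'match' when their Hamming distance is <= MATCH_THRESHOLD.
Real matchers compare minutiae; substitute the matcher's verify() for
templates_match() in production.
"""
from collections import defaultdict
from itertools import combinations

MATCH_THRESHOLD = 4  # max differing bits for two templates to count as one print

# Constructed sample enrolment table: (record id, account, template hex).
# alice, bob and svc-admin share one near-identical template, which is the
# footprint of a non-personal "universal" print being enrolled repeatedly.
ENROLMENTS = [
    ("e1", "alice",     "a3f1c0d9e87b5521"),
    ("e2", "alice",     "5d2e9b1c70aa4f63"),  # her second finger
    ("e3", "bob",       "a3f1c0d9e87b5523"),  # 1 bit away from e1
    ("e4", "carol",     "0f0f0f0f0f0f0f0f"),
    ("e5", "svc-admin", "a3f1c0d9e87b5521"),  # identical to e1
    ("e6", "dave",      "ffffffffffffffff"),
]


def hamming(hex_a, hex_b):
    """Number of differing bits between two equal-length hex templates."""
    if len(hex_a) != len(hex_b):
        raise ValueError("templates must have equal length")
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def templates_match(hex_a, hex_b, threshold=MATCH_THRESHOLD):
    return hamming(hex_a, hex_b) <= threshold


def find_shared_templates(enrolments, threshold=MATCH_THRESHOLD):
    """Cluster enrolments whose templates match each other and return the
    clusters that span more than one account, as (record ids, accounts)."""
    parent = {rid: rid for rid, _, _ in enrolments}  # union-find forest

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # O(n^2) pairwise compare; fine for an audit over one device or DB export
    for (ra, _, ta), (rb, _, tb) in combinations(enrolments, 2):
        if templates_match(ta, tb, threshold):
            union(ra, rb)

    account_of = {rid: acct for rid, acct, _ in enrolments}
    groups = defaultdict(list)
    for rid in parent:
        groups[find(rid)].append(rid)

    findings = []
    for members in groups.values():
        accounts = sorted({account_of[r] for r in members})
        if len(accounts) > 1:  # same print, different identities
            findings.append((sorted(members), accounts))
    findings.sort()
    return findings


if __name__ == "__main__":
    for records, accounts in find_shared_templates(ENROLMENTS):
        print(f"template shared across accounts {accounts}: records {records}")
```

Run against a periodic export of the enrolment store; any cluster that spans two or more accounts is either a shared finger or a non-finger such as the hologram, and in both cases the affected enrolments should be revoked and re-registered under supervision (countermeasures 3a and 3b).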
