lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Fri, 02 Feb 2018 21:36:40 -0500
From: InterN0T via Fulldisclosure <fulldisclosure@...lists.org>
To: Ben Tasker <ben@...tasker.co.uk>
Cc: Vulnerability Lab <research@...nerability-lab.com>,
 Full Disclosure List <fulldisclosure@...lists.org>
Subject: Re: [FD] Banknotes Misproduction security & biometric weakness

Exactly how many people are using these banknotes for "fake fingerprints" with their phone?

The reason why you use your own fingerprint, and not a standardized hologram fingerprint from a Euro bank note, is so that only your fingerprint can unlock your phone for example.

This whole advisory seems like one big troll.


For example this:
--
5. [Truncated] An agent could for example save data variables in the biometric sign of the banknote to exfiltrate information.

Note: Yeah they could also embed secret information anywhere else in the bank note, for example the micro-text, UV text, or probably even INSIDE the bank note.
--

A lot of fingerprint readers are pretty bad and imperfect by design too.

Mythbusters Fingerprint Bypass:
https://www.youtube.com/watch?v=3Hji3kp_i9k
Note: Look at the end where they used a photocopy on a piece of paper to bypass that particular lock.

German Fingerprint Hack:
https://www.theguardian.com/technology/2014/dec/30/hacker-fakes-german-ministers-fingerprints-using-photos-of-her-hands

Master Fingerprints Hack:
https://www.express.co.uk/life-style/science-technology/791055/smartphone-fingerprint-scanner-hacked-criminals-scan-data
​
Hot Glue Fingerprint Mold:
https://www.youtube.com/watch?v=kinq5nzY37c

General flaws about fingerprints:
https://globalnews.ca/news/3371112/smartphone-fingerprint-sensors-hack/

-------- Original Message --------
 On February 2, 2018 7:56 PM, Ben Tasker <ben@...tasker.co.uk> wrote:

>There's some detail in the Vulnerability magazine link, reproducing here so
> there's a record
>
> We discovered an anomaly in the hologram section of the new printed 20€ &
> 50€ banknotes. The security sign on the banknotes are produced with a
> transparent film. In the middle of the new hologram of the 20 & 50€
> banknotes is a picture of a women and different fingerprint-like
> structures. At the moment we noted the problem, we used a microscope to
> look closer.
>
> After an internal discussion, that the security sign could maybe used for
> biometrics authentication processes, we tested the hologram for usage on
> different fingerprinter-scanners like asus pro laptop, eikon, samsung
> galaxy S7/8 and the apple iphone v11. All mechanisms could be bypassed
> using the hologram of the banknotes to fake a fingerprint which is accepted
> by the fingerprint-scanner system. After that, the attacker is able to
> relogin with the universal hologram.
>
> Finally, we were able to bypass the the biometric identification process of
> the different devices. No system is able to identify, that the hologram is
> not a real fingerprint. At the end, we figured out in the testing process
> that the holograms can be used to add via write and auth via read. There
> are now muliple problems in connection to the security issue.
>1. Fingerprint - Reader & Writer (Mobile Devices)
>
> The end user devices like phones with fingerprinter sensors of
> manufacturers like samsung, apple, huawei & co are permanently vulnerable
> to this new type of attack. The sensor does not approve the reflection of
> the hologram in the read and write mode. It interprets the security signs
> as features of a real fingerprint. Thus results in an easy bypass using any
> 20€ or 50€ banknotes after registration. To use an attacker only requires
> to use his finger behind the hologram to bypass the fingerpulse check of
> the idevice. All other mechanism are not accurate approving the content
> during the sensor check.
>
>
>2. Biometric Security in Europe
> Each time the EZB produces more of the affected banknotes, the biometric
> security in all over europe countries is generally weakened. In the near
> future the EZB plans to inetrgate the holograms to any banknote (5€, 10€,
> 100€ & Co.). This would be a crazy incident for all biometric systems using
> a fingertip to authenticate because of any person is by now able to perform
> those typ of attacks against an environment or service.
>
>
>3. Fake fingerprints to go
> Any person that has access to a system could use a hologram of a european
> banknote to fake his fingerprint. Even the once which do not have the
> expertise to fake it because in case of a publication, the government would
> have to reckon with it.
>
>
>4. Universal fingerprint as key
> One time a hologram is written to a database, any attacker could use
> another hologram of the same banknote series to bypass the security
> mechanism to finally get access to the environment. Also administrators or
> moderators are able to setup a universal fingerprint key to any dbms for
> further entrance.
>
>
>5. Save content in biometric signs or read data
> The problematic could be used by security agencies to save data in the
> biometric sign or to use them to get access to protected environments. An
> agent could for example save data variables in the biometric sign of the
> banknote to exfiltrate information.
>
>
>6. Information in the hologram
> In the special case of a fingerprint entry is generated by mathematical
> variables with plain information, the content can be saved as plain-text
> information to extract the binary information. The binary information of
> the hologram fingerprint can then be decyphered by using different unknown
> one-time pad keys. So the data of the fingerprint is translated to binary
> code with a fingerprint device (open source) in plain-text. The plain-text
> is then used to identify chiffre inside the security sign hologram.
>
>7. Save your Privacy
>
> At that point people can as well use the hologram to authenticate for a
> system or to a mobile device. In case of a user do not want to save his
> personal fingerprint to any untrusted device. Then they can by now use the
> hologram to save a fingerprint to authenticate the full anonym way.
>
>8. Bypassing the biometric security with the help of banknotes
>
> Spread Exposition Exploitation Detection
> LOW MODERATE MODERATE EASY
>
> Problem Description & Causes
> Reference 1 has proved the biometric security of European bills for
> counterfeiting a fingerprint in a PoC.
>
> Possible threat scenarios
>
>9. Avoiding person-related biometric backup in mobile devices, such as the
> Apple iPhone, u.v.m.
>
>10. If necessary Falsification of the biometric identifiers of identity
> documents. Fake ID documents can be sold on the black market with a one
> time registered fingerprint. The number of copies and persons is irrelevant.
>
> Countermeasures:
>
>11. Generate Awareness among Manufacturers and Users of Smart Meter
> Biometrics.
>
>12. Educate data feeders so that fingers are free of foreign matter (e.g.,
> glue, or the like) and checked.
>
>13. Organizational measures
>
> a) Review of existing biometric profiles on devices
> b) Modify process of identification of biometrics
> c) Check the biometric data for duplications in IT systems and databases
>
>
>
> My comments:
>
> The title is fairly misleading (or I've misunderstood the article). I
> assumed this was actually some sort of weakness in the production of the
> banknotes themselves (perhaps ineffective anti-counterfeiting measures...),
> but it seems to be more that there's an embossed "fingerprint" which
> various biometric readers will actually believe to be a real fingerprint
> (and having your finger behind it will sort the pulse detection issues)
>
> The weakness, the theory goes, is that someone could register a
> "fingerprint" in your system by using a banknote. This'd give them access
> whilst also meaning you didn't at least have a hash of their real
> fingerprint for forensics to find.
>
> Another theory is that users might opt to use a banknote instead of their
> own fingerprint. I'm not quite sure what the likelihood of that is, in that
> it's not exactly convenient, and if you're concerned about privacy
> implications from a fingerprint scanner the best option is not to use it.
>
> What it does show (which is already known), is that commodity fingerprint
> scanners remain easily fooled. So much so, that an "acceptable"
> non-fingerprint is being accidentally mass produced and will soon be in the
> pockets of millions of people.
>
>
>
> On Tue, Jan 30, 2018 at 2:18 PM, Jeffrey Walton noloader@...il.com wrote:
>
>>On Tue, Jan 30, 2018 at 4:08 AM, Vulnerability Lab
>>research@...nerability-lab.com wrote:
>>>
>>>Document Title:
>>>
>>>Banknotes Misproduction security & biometric weakness
>>> ...
>>>Technical Details & Description:
>>>
>>>In the last months we reviewed the new 20€ & 50€ Banknotes of the
>>> European Central Bank. One of our core team researchers identified
>>> that for the security sign of the holograms are different components in
>>> usage. The security signs are build by the European Central
>>> Bank with several high profile elements in the signs to ensure, that the
>>> banknotes has a serious level of protection again fraud or
>>> fake money. After processing some time to identify an impact, we were
>>> finally able to identify the following security problematic ...
>>>The details seem to be missing from the announcement and the website.
>>
>>Sent through the Full Disclosure mailing list
>>https://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>>
>
>
>
>
>Ben Tasker
>https://www.bentasker.co.uk
>
>
>Sent through the Full Disclosure mailing list
>https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ