
Re: [FD] Banknotes Misproduction security & biometric weakness

There's some detail in the Vulnerability magazine link, reproducing here so there's a record:

We discovered an anomaly in the hologram section of the newly printed 20€ & 50€ banknotes. The security signs on the banknotes are produced with a transparent film. In the middle of the new hologram of the 20 & 50€ banknotes is a picture of a woman and different fingerprint-like structures. At the moment we noted the problem, we used a microscope to look closer.

After an internal discussion that the security sign could maybe be used for biometric authentication processes, we tested the hologram for usage on different fingerprint scanners like Asus Pro laptop, Eikon, Samsung Galaxy S7/8 and the Apple iPhone v11. All mechanisms could be bypassed using the hologram of the banknotes to fake a fingerprint which is accepted by the fingerprint-scanner system. After that, the attacker is able to relogin with the universal hologram.

Finally, we were able to bypass the biometric identification process of the different devices. No system is able to identify that the hologram is not a real fingerprint. At the end, we figured out in the testing process that the holograms can be used to add via write and auth via read. There are now multiple problems in connection to the security issue.

1. Fingerprint - Reader & Writer (Mobile Devices)

The end-user devices like phones with fingerprint sensors of manufacturers like Samsung, Apple, Huawei & co. are permanently vulnerable to this new type of attack. The sensor does not approve the reflection of the hologram in the read and write mode. It interprets the security signs as features of a real fingerprint. This results in an easy bypass using any 20€ or 50€ banknote after registration. To use it, an attacker only needs to place his finger behind the hologram to bypass the finger pulse check of the iDevice. All other mechanisms are not accurately approving the content during the sensor check.

2. Biometric Security in Europe

Each time the EZB produces more of the affected banknotes, the biometric security across all European countries is generally weakened. In the near future the EZB plans to integrate the holograms into any banknote (5€, 10€, 100€ & co.). This would be a crazy incident for all biometric systems using a fingertip to authenticate, because any person is by now able to perform those types of attacks against an environment or service.

3. Fake fingerprints to go

Any person that has access to a system could use a hologram of a European banknote to fake his fingerprint. Even the ones who do not have the expertise to fake it, because in case of a publication, the government would have to reckon with it.

4. Universal fingerprint as key

Once a hologram is written to a database, any attacker could use another hologram of the same banknote series to bypass the security mechanism to finally get access to the environment. Also, administrators or moderators are able to set up a universal fingerprint key to any DBMS for further entrance.

5. Save content in biometric signs or read data

The problem could be used by security agencies to save data in the biometric sign or to use them to get access to protected environments. An agent could, for example, save data variables in the biometric sign of the banknote to exfiltrate information.

6. Information in the hologram

In the special case that a fingerprint entry is generated by mathematical variables with plain information, the content can be saved as plain-text information to extract the binary information. The binary information of the hologram fingerprint can then be deciphered by using different unknown one-time pad keys. So the data of the fingerprint is translated to binary code with a fingerprint device (open source) in plain text. The plain text is then used to identify ciphers inside the security sign hologram.

7. Save your Privacy

At that point people can as well use the hologram to authenticate for a system or to a mobile device. In case a user does not want to save his personal fingerprint to any untrusted device, they can by now use the hologram to save a fingerprint to authenticate in a fully anonymous way.

8. Bypassing the biometric security with the help of banknotes

Spread Exposition Exploitation Detection
Problem Description & Causes
Reference 1 has proved the biometric security of European bills for counterfeiting a fingerprint in a PoC.
Possible threat scenarios
1. Avoiding person-related biometric backup in mobile devices, such as the Apple iPhone, and many more.
2. If necessary, falsification of the biometric identifiers of identity documents. Fake ID documents can be sold on the black market with a one-time registered fingerprint. The number of copies and persons is irrelevant.

1. Generate Awareness among Manufacturers and Users of Smart Meter Biometrics.
2. Educate data feeders so that fingers are free of foreign matter (e.g., glue, or the like) and checked.
3. Organizational measures

a) Review of existing biometric profiles on devices
b) Modify process of identification of biometrics
c) Check the biometric data for duplications in IT systems and databases


My comments:

The title is fairly misleading (or I've misunderstood the article). I assumed this was actually some sort of weakness in the production of the banknotes themselves (perhaps ineffective anti-counterfeiting measures...), but it seems to be more that there's an embossed "fingerprint" which various biometric readers will actually believe to be a real fingerprint (and having your finger behind it will sort the pulse detection issues).

The weakness, the theory goes, is that someone could register a "fingerprint" in your system by using a banknote. This'd give them access whilst also meaning you didn't at least have a hash of their real fingerprint for forensics to find.

Another theory is that users might opt to use a banknote instead of their own fingerprint. I'm not quite sure what the likelihood of that is, in that it's not exactly convenient, and if you're concerned about privacy implications from a fingerprint scanner the best option is not to use it.

What it does show (which is already known), is that commodity fingerprint scanners remain easily fooled. So much so, that an "acceptable" non-fingerprint is being accidentally mass produced and will soon be in the pockets of millions of people.

On Tue, Jan 30, 2018 at 2:18 PM, Jeffrey Walton <noloader AT gmail.com> wrote:
> On Tue, Jan 30, 2018 at 4:08 AM, Vulnerability Lab
> <research@vulnerability-lab.com> wrote:
>> Document Title:
>> ===============
>> Banknotes Misproduction security & biometric weakness
>> ...
>> Technical Details & Description:
>> ================================
>> In the last months we reviewed the new 20€ & 50€ Banknotes of the European Central Bank. One of our core team researchers identified
>> that for the security sign of the holograms are different components in usage. The security signs are built by the European Central
>> Bank with several high profile elements in the signs to ensure that the banknotes have a serious level of protection against fraud or
>> fake money. After processing some time to identify an impact, we were finally able to identify the following security problematic ...
>
> The details seem to be missing from the announcement and the website.

Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/