
Re: [FD] Banknotes Misproduction security & biometric weakness

Exactly how many people are using these banknotes for "fake fingerprints" with their phone?

The reason why you use your own fingerprint, and not a standardized hologram fingerprint from a Euro bank note, is so that only your fingerprint can unlock your phone for example.

This whole advisory seems like one big troll.

For example this:
5. [Truncated] An agent could for example save data variables in the biometric sign of the banknote to exfiltrate information.

Note: Yeah they could also embed secret information anywhere else in the bank note, for example the micro-text, UV text, or probably even INSIDE the bank note.

A lot of fingerprint readers are pretty bad and imperfect by design too.

Mythbusters Fingerprint Bypass:
Note: Look at the end where they used a photocopy on a piece of paper to bypass that particular lock.

German Fingerprint Hack:

Master Fingerprints Hack:
Hot Glue Fingerprint Mold:

General flaws about fingerprints:

-------- Original Message --------
 On February 2, 2018 7:56 PM, Ben Tasker <ben AT bentasker.co.uk> wrote:

>There's some detail in the Vulnerability magazine link, reproducing here so
> there's a record
> We discovered an anomaly in the hologram section of the new printed 20€ &
> 50€ banknotes. The security sign on the banknotes are produced with a
> transparent film. In the middle of the new hologram of the 20 & 50€
> banknotes is a picture of a woman and different fingerprint-like
> structures. At the moment we noted the problem, we used a microscope to
> look closer.
> After an internal discussion, that the security sign could maybe be used for
> biometrics authentication processes, we tested the hologram for usage on
> different fingerprint scanners like asus pro laptop, eikon, samsung
> galaxy S7/8 and the apple iphone v11. All mechanisms could be bypassed
> using the hologram of the banknotes to fake a fingerprint which is accepted
> by the fingerprint-scanner system. After that, the attacker is able to
> relogin with the universal hologram.
> Finally, we were able to bypass the biometric identification process of
> the different devices. No system is able to identify, that the hologram is
> not a real fingerprint. At the end, we figured out in the testing process
> that the holograms can be used to add via write and auth via read. There
> are now multiple problems in connection to the security issue.
>1. Fingerprint - Reader & Writer (Mobile Devices)
> The end user devices like phones with fingerprint sensors of
> manufacturers like samsung, apple, huawei & co are permanently vulnerable
> to this new type of attack. The sensor does not approve the reflection of
> the hologram in the read and write mode. It interprets the security signs
> as features of a real fingerprint. This results in an easy bypass using any
> 20€ or 50€ banknotes after registration. To use an attacker only requires
> to use his finger behind the hologram to bypass the fingerpulse check of
> the idevice. All other mechanism are not accurate approving the content
> during the sensor check.
>2. Biometric Security in Europe
> Each time the EZB produces more of the affected banknotes, the biometric
> security in all over europe countries is generally weakened. In the near
> future the EZB plans to integrate the holograms to any banknote (5€, 10€,
> 100€ & Co.). This would be a crazy incident for all biometric systems using
> a fingertip to authenticate because of any person is by now able to perform
> those types of attacks against an environment or service.
>3. Fake fingerprints to go
> Any person that has access to a system could use a hologram of a european
> banknote to fake his fingerprint. Even the ones who do not have the
> expertise to fake it because in case of a publication, the government would
> have to reckon with it.
>4. Universal fingerprint as key
> One time a hologram is written to a database, any attacker could use
> another hologram of the same banknote series to bypass the security
> mechanism to finally get access to the environment. Also administrators or
> moderators are able to setup a universal fingerprint key to any dbms for
> further entrance.
>5. Save content in biometric signs or read data
> The problematic could be used by security agencies to save data in the
> biometric sign or to use them to get access to protected environments. An
> agent could for example save data variables in the biometric sign of the
> banknote to exfiltrate information.
>6. Information in the hologram
> In the special case of a fingerprint entry is generated by mathematical
> variables with plain information, the content can be saved as plain-text
> information to extract the binary information. The binary information of
> the hologram fingerprint can then be deciphered by using different unknown
> one-time pad keys. So the data of the fingerprint is translated to binary
> code with a fingerprint device (open source) in plain-text. The plain-text
> is then used to identify chiffre inside the security sign hologram.
>7. Save your Privacy
> At that point people can as well use the hologram to authenticate for a
> system or to a mobile device. In case of a user do not want to save his
> personal fingerprint to any untrusted device. Then they can by now use the
> hologram to save a fingerprint to authenticate the fully anonymous way.
>8. Bypassing the biometric security with the help of banknotes
> Spread Exposition Exploitation Detection
> Problem Description & Causes
> Reference 1 has proved the biometric security of European bills for
> counterfeiting a fingerprint in a PoC.
> Possible threat scenarios
>9. Avoiding person-related biometric backup in mobile devices, such as the
> Apple iPhone, and many more.
>10. If necessary Falsification of the biometric identifiers of identity
> documents. Fake ID documents can be sold on the black market with a one
> time registered fingerprint. The number of copies and persons is irrelevant.
> Countermeasures:
>11. Generate Awareness among Manufacturers and Users of Smart Meter
> Biometrics.
>12. Educate data feeders so that fingers are free of foreign matter (e.g.,
> glue, or the like) and checked.
>13. Organizational measures
> a) Review of existing biometric profiles on devices
> b) Modify process of identification of biometrics
> c) Check the biometric data for duplications in IT systems and databases
> My comments:
> The title is fairly misleading (or I've misunderstood the article). I
> assumed this was actually some sort of weakness in the production of the
> banknotes themselves (perhaps ineffective anti-counterfeiting measures...),
> but it seems to be more that there's an embossed "fingerprint" which
> various biometric readers will actually believe to be a real fingerprint
> (and having your finger behind it will sort the pulse detection issues)
> The weakness, the theory goes, is that someone could register a
> "fingerprint" in your system by using a banknote. This'd give them access
> whilst also meaning you didn't at least have a hash of their real
> fingerprint for forensics to find.
> Another theory is that users might opt to use a banknote instead of their
> own fingerprint. I'm not quite sure what the likelihood of that is, in that
> it's not exactly convenient, and if you're concerned about privacy
> implications from a fingerprint scanner the best option is not to use it.
> What it does show (which is already known), is that commodity fingerprint
> scanners remain easily fooled. So much so, that an "acceptable"
> non-fingerprint is being accidentally mass produced and will soon be in the
> pockets of millions of people.
> On Tue, Jan 30, 2018 at 2:18 PM, Jeffrey Walton noloader AT gmail.com wrote:
>>On Tue, Jan 30, 2018 at 4:08 AM, Vulnerability Lab
>>research AT vulnerability-lab.com wrote:
>>>Document Title:
>>>Banknotes Misproduction security & biometric weakness
>>> ...
>>>Technical Details & Description:
>>>In the last months we reviewed the new 20€ & 50€ Banknotes of the
>>> European Central Bank. One of our core team researchers identified
>>> that for the security sign of the holograms are different components in
>>> usage. The security signs are built by the European Central
>>> Bank with several high profile elements in the signs to ensure, that the
>>> banknotes have a serious level of protection against fraud or
>>> fake money. After processing some time to identify an impact, we were
>>> finally able to identify the following security problematic ...
>>The details seem to be missing from the announcement and the website.
>>Sent through the Full Disclosure mailing list
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>Ben Tasker