Re: [FD] Banknotes Misproduction security & biometric weakness
- From: InterN0T <intern0t AT protonmail.com>
- Subject: Re: [FD] Banknotes Misproduction security & biometric weakness
- Date: Fri, 02 Feb 2018 21:36:40 -0500
- Cc: "noloader AT gmail.com" <noloader AT gmail.com>, Vulnerability Lab <research AT vulnerability-lab.com>, Full Disclosure List <fulldisclosure AT seclists.org>
- Reply-to: InterN0T <intern0t AT protonmail.com>
- To: Ben Tasker <ben AT bentasker.co.uk>
Exactly how many people are using these banknotes for "fake fingerprints" with their phone?
The reason why you use your own fingerprint, and not a standardized hologram fingerprint from a Euro bank note, is so that only your fingerprint can unlock your phone for example.
This whole advisory seems like one big troll.
For example this:
5. [Truncated] An agent could for example save data variables in the biometric sign of the banknote to exfiltrate information.
Note: Yeah they could also embed secret information anywhere else in the bank note, for example the micro-text, UV text, or probably even INSIDE the bank note.
A lot of fingerprint readers are pretty bad and imperfect by design too.
Mythbusters Fingerprint Bypass:
Note: Look at the end where they used a photocopy on a piece of paper to bypass that particular lock.
German Fingerprint Hack:
Master Fingerprints Hack:
Hot Glue Fingerprint Mold:
General flaws about fingerprints:
-------- Original Message --------
On February 2, 2018 7:56 PM, Ben Tasker <ben AT bentasker.co.uk> wrote:
> There's some detail in the Vulnerability magazine link, reproducing here so
> there's a record
> We discovered an anomaly in the hologram section of the new printed 20€ &
> 50€ banknotes. The security sign on the banknotes are produced with a
> transparent film. In the middle of the new hologram of the 20 & 50€
> banknotes is a picture of a woman and different fingerprint-like
> structures. At the moment we noted the problem, we used a microscope to
> look closer.
> After an internal discussion, that the security sign could maybe be used for
> biometrics authentication processes, we tested the hologram for usage on
> different fingerprinter-scanners like asus pro laptop, eikon, samsung
> galaxy S7/8 and the apple iphone v11. All mechanisms could be bypassed
> using the hologram of the banknotes to fake a fingerprint which is accepted
> by the fingerprint-scanner system. After that, the attacker is able to
> relogin with the universal hologram.
> Finally, we were able to bypass the biometric identification process of
> the different devices. No system is able to identify, that the hologram is
> not a real fingerprint. At the end, we figured out in the testing process
> that the holograms can be used to add via write and auth via read. There
> are now multiple problems in connection to the security issue.
>1. Fingerprint - Reader & Writer (Mobile Devices)
> The end user devices like phones with fingerprinter sensors of
> manufacturers like samsung, apple, huawei & co are permanently vulnerable
> to this new type of attack. The sensor does not approve the reflection of
> the hologram in the read and write mode. It interprets the security signs
> as features of a real fingerprint. Thus results in an easy bypass using any
> 20€ or 50€ banknotes after registration. To use an attacker only requires
> to use his finger behind the hologram to bypass the fingerpulse check of
> the idevice. All other mechanism are not accurate approving the content
> during the sensor check.
>2. Biometric Security in Europe
> Each time the EZB produces more of the affected banknotes, the biometric
> security in all over europe countries is generally weakened. In the near
> future the EZB plans to integrate the holograms to any banknote (5€, 10€,
> 100€ & Co.). This would be a crazy incident for all biometric systems using
> a fingertip to authenticate because of any person is by now able to perform
> those types of attacks against an environment or service.
>3. Fake fingerprints to go
> Any person that has access to a system could use a hologram of a european
> banknote to fake his fingerprint. Even the ones which do not have the
> expertise to fake it because in case of a publication, the government would
> have to reckon with it.
>4. Universal fingerprint as key
> One time a hologram is written to a database, any attacker could use
> another hologram of the same banknote series to bypass the security
> mechanism to finally get access to the environment. Also administrators or
> moderators are able to setup a universal fingerprint key to any dbms for
> further entrance.
>5. Save content in biometric signs or read data
> The problematic could be used by security agencies to save data in the
> biometric sign or to use them to get access to protected environments. An
> agent could for example save data variables in the biometric sign of the
> banknote to exfiltrate information.
>6. Information in the hologram
> In the special case of a fingerprint entry is generated by mathematical
> variables with plain information, the content can be saved as plain-text
> information to extract the binary information. The binary information of
> the hologram fingerprint can then be deciphered by using different unknown
> one-time pad keys. So the data of the fingerprint is translated to binary
> code with a fingerprint device (open source) in plain-text. The plain-text
> is then used to identify chiffre inside the security sign hologram.
>7. Save your Privacy
> At that point people can as well use the hologram to authenticate for a
> system or to a mobile device. In case of a user do not want to save his
> personal fingerprint to any untrusted device. Then they can by now use the
> hologram to save a fingerprint to authenticate the full anonym way.
>8. Bypassing the biometric security with the help of banknotes
> Spread Exposition Exploitation Detection
> LOW MODERATE MODERATE EASY
> Problem Description & Causes
> Reference 1 has proved the biometric security of European bills for
> counterfeiting a fingerprint in a PoC.
> Possible threat scenarios
>9. Avoiding person-related biometric backup in mobile devices, such as the
> Apple iPhone, u.v.m.
>10. If necessary Falsification of the biometric identifiers of identity
> documents. Fake ID documents can be sold on the black market with a one
> time registered fingerprint. The number of copies and persons is irrelevant.
>11. Generate Awareness among Manufacturers and Users of Smart Meter
>12. Educate data feeders so that fingers are free of foreign matter (e.g.,
> glue, or the like) and checked.
>13. Organizational measures
> a) Review of existing biometric profiles on devices
> b) Modify process of identification of biometrics
> c) Check the biometric data for duplications in IT systems and databases
> My comments:
> The title is fairly misleading (or I've misunderstood the article). I
> assumed this was actually some sort of weakness in the production of the
> banknotes themselves (perhaps ineffective anti-counterfeiting measures...),
> but it seems to be more that there's an embossed "fingerprint" which
> various biometric readers will actually believe to be a real fingerprint
> (and having your finger behind it will sort the pulse detection issues)
> The weakness, the theory goes, is that someone could register a
> "fingerprint" in your system by using a banknote. This'd give them access
> whilst also meaning you didn't at least have a hash of their real
> fingerprint for forensics to find.
> Another theory is that users might opt to use a banknote instead of their
> own fingerprint. I'm not quite sure what the likelihood of that is, in that
> it's not exactly convenient, and if you're concerned about privacy
> implications from a fingerprint scanner the best option is not to use it.
> What it does show (which is already known), is that commodity fingerprint
> scanners remain easily fooled. So much so, that an "acceptable"
> non-fingerprint is being accidentally mass produced and will soon be in the
> pockets of millions of people.
> On Tue, Jan 30, 2018 at 2:18 PM, Jeffrey Walton noloader AT gmail.com wrote:
>>On Tue, Jan 30, 2018 at 4:08 AM, Vulnerability Lab
>>research AT vulnerability-lab.com wrote:
>>>Banknotes Misproduction security & biometric weakness
>>>Technical Details & Description:
>>>In the last months we reviewed the new 20€ & 50€ Banknotes of the
>>> European Central Bank. One of our core team researchers identified
>>> that for the security sign of the holograms are different components in
>>> usage. The security signs are build by the European Central
>>> Bank with several high profile elements in the signs to ensure, that the
>>> banknotes has a serious level of protection again fraud or
>>> fake money. After processing some time to identify an impact, we were
>>> finally able to identify the following security problematic ...
>>>The details seem to be missing from the announcement and the website.
>>Sent through the Full Disclosure mailing list
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
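Organizational measure 13 c) in the quoted advisory text (check biometric data for duplications) addresses the shared "universal" enrolment described in its item 4, and it can be audited wherever templates are stored server-side. The following is an added example, not part of the original thread or any vendor's code; it assumes templates are lists of already-aligned (x, y, angle) minutiae, and every account name and value in it is constructed.

```python
from itertools import combinations
from math import hypot

# Constructed enrolment database: account -> minutiae as (x, y, angle in degrees).
# Real template formats are vendor-specific; this layout is an assumption.
ENROLLED = {
    "alice":       [(10, 12, 30), (40, 44, 90), (70, 20, 180), (25, 60, 270), (55, 75, 45)],
    "bob":         [(15, 80, 10), (33, 21, 120), (62, 58, 200), (80, 35, 300), (48, 10, 60)],
    "door-admin":  [(11, 13, 32), (41, 43, 88), (69, 21, 183), (26, 59, 268), (90, 90, 0)],
    "contractor7": [(10, 11, 29), (39, 45, 92), (71, 19, 178), (24, 61, 272), (56, 74, 47)],
}

def minutiae_match(a, b, dist_tol=3.0, angle_tol=10):
    """Two minutiae agree if they are close in position and in ridge angle."""
    dist = hypot(a[0] - b[0], a[1] - b[1])
    diff = abs(a[2] - b[2]) % 360
    diff = min(diff, 360 - diff)          # shortest way around the circle
    return dist <= dist_tol and diff <= angle_tol

def similarity(t1, t2):
    """Fraction of minutiae that can be paired one-to-one (greedy pairing)."""
    unused = list(t2)
    paired = 0
    for m in t1:
        for cand in unused:
            if minutiae_match(m, cand):
                unused.remove(cand)       # each minutia may be used only once
                paired += 1
                break
    return paired / max(len(t1), len(t2))

def cross_account_duplicates(enrolled, threshold=0.75):
    """Return (account, account, score) for templates shared across accounts."""
    hits = []
    for (u1, t1), (u2, t2) in combinations(sorted(enrolled.items()), 2):
        score = similarity(t1, t2)
        if score >= threshold:
            hits.append((u1, u2, round(score, 2)))
    return hits

if __name__ == "__main__":
    for u1, u2, score in cross_account_duplicates(ENROLLED):
        print(f"review: {u1} and {u2} share a template (score {score})")
```

Accounts flagged here are candidates for re-enrolment review; the tolerances and threshold are illustrative and would need tuning against the matcher actually in use.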