Researcher raises alarm about biometric hacking with "biologger" tool
By Donald Melanson 
posted April 3rd 2008 2:02PM
posted April 3rd 2008 2:02PM
While attempts to bypass biometric security measures are certainly nothing new, a researcher from London-based Information Risk Management is now raising an alarm about a new area of biometric hacking, and he's even gone so far as to release the source code for proof-of-concept tool to really drive the point home. As PC World reports, IRM's Matthew Lewis has demonstrated what he describes as a "biologging" system, which actually intercepts and captures biometric data as it passes between the biometric scanner and the processing server, during which time it apparently isn't encrypted on many systems. That, Lewis says, opens up the possibility of so-called "man-in-the-middle" attacks," although there is the slight problem that the biologger needs to actually be inserted into the network in order to do its thing. Even so, Lewis says that such dangers do exist, and he's hoping that the release of the tool will encourage manufacturers to beef up their security.
[Image courtesy IRM white paper]
[Image courtesy IRM white paper]
It certainly is theoretically possible. Biometric data isn't any more secure than a password, it's just harder to fake.
Danger exist for hacking a security system?! AHHHH!
And thats why we have encryption, kids. Makes sense. Can't fake the biometric info so just capture it as its going across the wire.
Also is biometric data really sent over UDP? I would think that this would be a TCP communication.
man in the middle attacks are very difficult to pull off, packet sniffing is another issue though
So poor encryption is a bad idea? Correct, know that before.
The biggest threat I see to the whole system is that you can't change your fingers (at least without pain). I mean I can have 100 accounts with 100 different passwords and change them every time some idiot's system gets compromised. I only have 10 fingers and one system's security breach will render one finger useless (only 9 to go etc. etc.)
So I'm not too fond of all this biometric stuff.
Maybe I'm being silly, but isn't this theoretically possible for any security system, not just biometric types?
I bet I wasn't the only one that read "Researcher raises alarm about biometric hacking with "blogger" tool".
Smartcards - Smartcards - Smartcards.. store the biotemplate on the smart card and just use the hardware for authenticating between you and what's stored on the card.
Many large organizations require a central server dictating security access policy. If they have hundreds of locks, they don't want to have to go to each and every lock to update it whenever a new employee gets hired or fired. Also, even if the lock were able locally verify the identity of the person by comparing the biometric reading with what's stored on the card (assuming the card hasn't somehow been hacked), it would still need to send the identity information back to the server to verify that the person is still an employee or has clearance for the particular room.
That's handled on their Access Control system - and yes - that data is at risk but usually more digitally protected than packets of info containing biometrics. (which is the subject of the article). My point is that it's more secure - and easier on your network - to control the door on an access control system - use biometric/smart card readers attached to that system and store the users biometric info on the encrypted smartcard.
Soooo, basicly he is saying if you already have access to a system you can hack into it.... wow what an epiphany! (hehe) ;)
The researcher is probably out to drum up some business for the consultancy...
It's all released just before InfoSec Europe 2008.
As OBM points out - this is possible with loads of different authentication methods as long as they're not encrypted on the wire.
Same stuff as came out for the PAC door entry systems a little while back.
I prefer the better way of ripping off the finger of Joe in the IT Department and using his fingerprint to gain access.
Thats why you ensure the breaches never happen :)
Gattaca?.
phew, this is much better than the alternative in the movies. Cut off my finger to use in the scanner.
Oh no, that is still going to happen. You better sleep with steel mittens.
How many times are we going to hear from this guy who has amazingly discovered that $39 fingerprint readers are just as encrypted -- meaning NOT AT ALL -- as the keyboard you type on all day? Not only is this old news, it's freaking obvious. Somehow, though, he's building a career as a security "expert" on it.
First Problem of this article is relying on such a complicated software as "Visio" for the simple diagram. WTH is that blue doody ding umpa lumpa ding dongs.
has anyone had any luck tracking down this supposedly "released" tool? I'd like to see what he's put together, and I dont have IRC here atm...
got link?