Researcher raises alarm about biometric hacking with "biologger" tool
While attempts to bypass biometric security measures are certainly nothing new, a researcher from London-based Information Risk Management is now raising an alarm about a new area of biometric hacking, and he's even gone so far as to release the source code for a proof-of-concept tool to really drive the point home. As PC World reports, IRM's Matthew Lewis has demonstrated what he describes as a "biologging" system, which intercepts and captures biometric data as it passes between the biometric scanner and the processing server, a stretch over which it apparently isn't encrypted on many systems. That, Lewis says, opens up the possibility of so-called "man-in-the-middle" attacks, although there is the slight problem that the biologger needs to actually be inserted into the network in order to do its thing. Even so, Lewis says that such dangers do exist, and he's hoping that the release of the tool will encourage manufacturers to beef up their security.
[Image courtesy IRM white paper]
Reader Comments (Page 1 of 1)
IT-Accountant @ Apr 3rd 2008 2:06PM
It certainly is theoretically possible. Biometric data isn't any more secure than a password, it's just harder to fake.
Erik @ Apr 3rd 2008 2:09PM
Danger exists for hacking a security system?! AHHHH!
retro77 @ Apr 3rd 2008 2:11PM
And that's why we have encryption, kids. Makes sense. Can't fake the biometric info so just capture it as it's going across the wire.
Also is biometric data really sent over UDP? I would think that this would be a TCP communication.
Chris @ Apr 3rd 2008 2:26PM
Man-in-the-middle attacks are very difficult to pull off; packet sniffing is another issue, though.
Sebastian @ Apr 3rd 2008 2:33PM
So poor encryption is a bad idea? Correct, knew that before.
The biggest threat I see to the whole system is that you can't change your fingers (at least without pain). I mean I can have 100 accounts with 100 different passwords and change them every time some idiot's system gets compromised. I only have 10 fingers and one system's security breach will render one finger useless (only 9 to go etc. etc.)
So I'm not too fond of all this biometric stuff.
OBM @ Apr 3rd 2008 2:53PM
Maybe I'm being silly, but isn't this theoretically possible for any security system, not just biometric types?
Nushio (NDF - Blue) @ Apr 3rd 2008 2:59PM
I bet I wasn't the only one that read "Researcher raises alarm about biometric hacking with "blogger" tool".
Shawn @ Apr 3rd 2008 3:04PM
Smartcards - Smartcards - Smartcards.. store the biotemplate on the smart card and just use the hardware for authenticating between you and what's stored on the card.
parki @ Apr 3rd 2008 4:12PM
Many large organizations require a central server dictating security access policy. If they have hundreds of locks, they don't want to have to go to each and every lock to update it whenever a new employee gets hired or fired. Also, even if the lock were able to locally verify the identity of the person by comparing the biometric reading with what's stored on the card (assuming the card hasn't somehow been hacked), it would still need to send the identity information back to the server to verify that the person is still an employee or has clearance for the particular room.
Shawn @ Apr 3rd 2008 4:34PM
That's handled on their Access Control system - and yes - that data is at risk but usually more digitally protected than packets of info containing biometrics (which is the subject of the article). My point is that it's more secure - and easier on your network - to control the door on an access control system - use biometric/smart card readers attached to that system and store the user's biometric info on the encrypted smartcard.
insane @ Apr 3rd 2008 3:19PM
Soooo, basically he is saying if you already have access to a system you can hack into it.... wow what an epiphany! (hehe) ;)
silkkutz @ Apr 3rd 2008 3:39PM
The researcher is probably out to drum up some business for the consultancy...
It's all released just before InfoSec Europe 2008.
As OBM points out - this is possible with loads of different authentication methods as long as they're not encrypted on the wire.
Same stuff as came out for the PAC door entry systems a little while back.
Bruno @ Apr 3rd 2008 3:43PM
I prefer the better way of ripping off the finger of Joe in the IT Department and using his fingerprint to gain access.
retro77 @ Apr 3rd 2008 4:43PM
That's why you ensure the breaches never happen :)
Magallanes @ Apr 3rd 2008 5:37PM
Gattaca?
clearthumbtack @ Apr 3rd 2008 10:51PM
phew, this is much better than the alternative in the movies. Cut off my finger to use in the scanner.
bruno @ Apr 3rd 2008 11:45PM
Oh no, that is still going to happen. You better sleep with steel mittens.
JD Kit @ Apr 4th 2008 2:13AM
How many times are we going to hear from this guy who has amazingly discovered that $39 fingerprint readers are just as encrypted -- meaning NOT AT ALL -- as the keyboard you type on all day? Not only is this old news, it's freaking obvious. Somehow, though, he's building a career as a security "expert" on it.
Maze @ Apr 4th 2008 2:50AM
First problem of this article is relying on such complicated software as "Visio" for the simple diagram. WTH is that blue doody ding umpa lumpa ding dongs?
palehorse @ Apr 4th 2008 12:26PM
Has anyone had any luck tracking down this supposedly "released" tool? I'd like to see what he's put together, and I don't have IRC here atm...
got link?