HandPwning: security pitfalls of hand-geometry recognition-based access control systems
Disclaimers:
The content of this presentation is the result of independent research conducted by myself in my own spare time. This research was not funded by my present or past employers and is not in any way associated with them. Moreover, before disclosing the following vulnerabilities and tools, both the Vendor and ICS-CERT were informed that hundreds of vulnerable devices are still exposed on the Internet.
In previous research [0] we attempted to defeat several fingerprint-based PACS (Physical Access Control Systems); some successes led us to extend the research to other biometric PACS on the market, with particular interest in those used in Critical Infrastructures (e.g. industrial plants, factories, water treatment, etc.). Biometrics applied to PACS has been a hot topic for a few years now. The spread of biometric access control & time attendance systems among corporate, industrial and military environments has surged, and with it the number of potential attack vectors has increased.

In this blog post and the related paper, after a brief overview of the state of the art of the biometric technologies used in PACS to authenticate and authorize users, we will investigate one technology among others (usually perceived as less invasive) that has been widely adopted in some specific fields (e.g. industrial plants, airports, food industry, etc.): the “Handpunch” access control & time attendance systems. The “Handpunch” PACS are based on hand-geometry recognition. In this research we will first have a look at how this technology works; subsequently, we will focus our attention on reviewing some of the existing Handpunch devices on the market, from a physical security point of view up to reversing their communication protocol.

Moreover, we will demonstrate how to remotely enroll a new super-admin into a device (i.e. a persistent backdoor) and how to dump existing users' information, and we will also release an open-source tool suite: HandScan & HandPwner. Eventually, thanks to the cooperation of Shodan’s developer, it has been confirmed that more than 1200 of these vulnerable devices were found exposed on the Internet. Finally, we will conclude with practical and actionable countermeasures to prevent these attacks and to harden these devices.
TL;DR: Have a look at the White Paper
More Videos:
- Handscanning - HandPwning: hacking hand-geometry recognition-based access control systems
- Dumping Users Logs - HandPwning: hacking hand-geometry recognition-based access control systems
- Silicon Hand Attack - HandPwning: hacking hand-geometry recognition-based access control systems
Wanna test your own Handpunch?
https://github.com/whid-injector/handpwner
WANNA BECOME A CERTIFIED HARDWARE HACKER?
The Offensive Hardware Hacking Training is a Self-Paced training including Videos, a printed Workbook and a cool Hardware Hacking Kit. And... you get everything shipped home Worldwide! For more info: https://www.whid.ninja/store
[0] https://lucabongiorni.medium.com/cloning-fingerprints-like-a-boss-101-edition-893468ecc826
[1] https://platform.keesingtechnologies.com/pros-cons-hand-geometry/
[2] Fotak, T. Razvoj biometrijskih tehnika. BSc thesis. University of Zagreb, Faculty of Organization and Informatics; 2008.
[3] Bulatov, Y., Jambawalikar, S., Kumar, P., & Sethia, S. Hand Recognition System Using Geometric Classifiers. DIMACS Workshop on Computational Geometry, 14-15 November 2002. Piscataway, NJ; 2002.
[4] Jain, A., Ross, A., & Pankanti, S. A prototype hand geometry-based verification system. AVBPA: Proceedings of the 2nd International Conference on Audio- and Video-based Biometric Person Authentication, Washington DC; 1999.
[5] https://www.instructables.com/3D-Scanning-a-Hand-and-Making-a-Glove-Mannequin/