HandPwning: security pitfalls of hand-geometry recognition-based access control systems


The content of this presentation is the result of an independent research conducted by myself and during my own spare time. This research was not funded by my present and past employers and is not in any way associated with them. Moreover, before disclosing the following vulnerabilities and tools, both Vendor and ICS-CERT were informed that still hundreds of vulnerable devices are exposed on the Internet.

In a previous research it was attempted to defeat different fingerprint-based PACS (Physical Access Control Systems) [0], some successes led to extend the research to other biometric PACS in the market with particular interest on those used in Critical Infrastructures (e.g. Industrial Plants, Factories, Water Treatment, etc.). Biometrics applied to PACS (Physical Access Control Systems) has been an hot-topic for a few years now. The spread of biometric access control & time attendance systems among corporate, industrial and military environments has surged. And with it, also the number of potential attack vectors has increased. In this blogpost and related paper, after a brief overview of the state of art of available biometric technologies used in PACS to authenticate and authorize users, we will investigate one technology among others (usually perceived less-invasive) that has been widely adopted in some specific fields (e.g. industrial plants, airports, food industry, etc.): the “Handpunch” access control & time attendance systems. 

The “Handpunch” PACS are based on the hand-geometry recognition. In this research we will first have a look how this technology work, subsequently, we will focus our attention on reviewing some of existing Handpunch devices on the market: from a physical security point-of-view until reversing their communication protocol. 

Moreover, it will be demonstrated how to remotely enroll a new super-admin into it (i.e. persistent backdoor), how to dump existing users information and will be also released an opensource tool-suite: HandScan & HandPwner. 

Eventually, thanks the cooperation with Shodan’s developer, it has been confirmed that more than 1200 of these vulnerable devices were found exposed on the Internet. Finally, we will conclude with practical and actionable countermeasures to prevent these attacks and how to harden these devices.

TL;DR: Have a look at the White Paper


More Videos:

Wanna test your own Handpunch?


The Offensive Hardware Hacking Training is a Self-Paced training including Videos, a printed Workbook and a cool Hardware Hacking Kit. And... you get everything shipped home Worldwide! For more info: https://www.whid.ninja/store



[0] https://lucabongiorni.medium.com/cloning-fingerprints-like-a-boss-101-edition-893468ecc826 [1] https://platform.keesingtechnologies.com/pros-cons-hand-geometry/ 
[2] Fotak T. Razvoj biometrijskih tehnika. BSc thesis. University of Zagreb, Faculty of organization and informatics; 2008. [3] Bulatov, Y., Jambawalikar, S., Kumar, P., & Sethia, S. Hand Recognition System Us-ing Geometric Classifiers. DIMACS Workshop on Computational Geometry, (14-15November 2002). Piscataway, NJ; 2002., 14-15. 
[4] Jain, A., Ross, A., Panakanti, S. A., prototype, hand., geometry-based, verification., &system, A. V. B. P. AVBPA: proceedings of the 2nd International Conference on Au-dio- and Video-based Biometric Person Authentication, Washington DC; (1999). 
[5] https://www.instructables.com/3D-Scanning-a-Hand-and-Making-a-Glove-Mannequin/