Threats against UNSECURE fingerprint readers
I saw a security demo last week that literally blew my mind, and I have to tell you about it. Before I do, though, I need to set some context. Passwords are increasingly recognized as unsecure. Biometric authentication is becoming a popular alternative for added security and ease of use. As the world moves toward more biometric authentication methods, the security of those biometric solutions will come under more scrutiny. In fact, that is already starting to happen today. Not all biometric solutions are equally secure. When it comes to security in almost anything, you are only as strong as your weakest point. As I have pointed out again and again, security is a constantly moving target, and the industry needs to evolve with the threats on a constant basis in both hardware and software.
Weaknesses are everywhere
Secure technologies are only as good as their weakest link. Weak points commonly exist in fingerprint sensor solutions today, on both PCs and mobile devices. These weaknesses include the fingerprint sensor itself and its ability to detect when a fingerprint is fake, and the lack of encryption of the user’s fingerprint data on its way from the fingerprint sensor to the CPU. For biometric solutions, every point must be encrypted from the fingerprint sensor to the secure host environment inside the CPU. This is called a “secure chain of trust”.
For real security, you need a “secure chain of trust”
PCs and smartphones are vulnerable
To save 25 to 50 cents per unit, some PC manufacturers are starting to use the same fingerprint sensors as the ones found in many smartphones around the world. However, most smartphones are sealed devices with very little or no encryption on the path from the fingerprint sensor to the host controller inside the SoC. While this is a risk on smartphones, the complexity of a teardown and the difficulty of access make it a less likely point of attack. On a PC, it is much easier to take the computer apart and insert a device between the fingerprint sensor and the host controller that is completely invisible to the user and to the operating system.
Getting compromised in under 30 minutes
My colleague, Anshel Sag, and I have witnessed how easily these different weaknesses can be exploited. The security experts at Synaptics captured a fingerprint from an unsecured fingerprint device on an unidentified manufacturer’s notebook and wirelessly transmitted it to another notebook. There, the fingerprint image was copied and modified to be printed on an off-the-shelf printer. The only special ingredient was a cartridge of conductive ink that allowed the printed fingerprint to be seen by the sensor.
The time it took from compromising the notebook, to capturing the fingerprint remotely, to printing it out and unlocking one of our devices with our own fingerprint was less than 30 minutes. Using a printed fingerprint spoof generated from the captured fingerprint image, two flagship phones, the Apple iPhone 7 Plus and the Google Pixel, were both unlocked on the first attempt. This points to yet another weakness of many biometric fingerprint solutions: spoofing. An experienced hacker could gain access to either of these devices through spoofing in as little as 5 minutes with enough practice.
In another demonstration, Synaptics re-sent the captured fingerprint data back to the victim PC and unlocked the computer remotely, right before our eyes. Without sensor authentication, there is no way for a PC to tell the difference between the sensor sending data and captured data being replayed onto the sensor lines. This is called a replay attack, and we found it very alarming, if not downright insidious!
End-to-End security is the only secure solution
Synaptics showed us how they enable end-to-end security with a secure chain of trust, on-sensor matching, and encrypted links based on industry standards such as AES-256 and TLS 1.2. Proprietary encryption is well known to have questionable security, so recognized standards that can be proven to protect valuable fingerprint data on the wires as well as in the system are preferred. Synaptics brands their TLS/AES secure communication as SecureLink, which carries protected fingerprint information from the fingerprint sensor to the matcher and/or to the secure host environment on the CPU. TLS is widely used to protect connections on the web because it authenticates the connection as well as encrypting it. Applied to the link between a fingerprint sensor and the host, this prevents injection or “replay” attacks, in which stolen fingerprint data is sent to the host remotely or through an inserted hardware device.
Synaptics takes things a step further with their anti-spoofing (fake finger) technology called PurePrint which is designed to detect and reject fake fingerprints. Using a PurePrint-enabled device we were unable to gain access to the system using a printed-out fingerprint applied to the fingerprint reader, which proves the importance of anti-spoof technologies in addition to end-to-end encryption.
Match-in-Sensor solves many of these problems
Synaptics’ match-in-sensor capability, available on some of their sensors, is unique in that fingerprint data never actually leaves the sensor; instead it is matched on the sensor itself. That also means there is significantly less data that can be stolen in transit than with other solutions that use external matchers. Match-in-sensor technology lets the sensor send a simple encrypted yes/no signal to the host device, so the host can confirm that the fingerprint sensor is still trusted without any crucial information being passed on. While there is no denying that match-in-sensor is a more expensive solution than simple unencrypted smartphone sensors, it is also much more secure on many levels. The costs associated with a security breach are far higher than the few cents of difference between a secure and an insecure solution.
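To make the two design points concrete, the replay problem on an unauthenticated sensor link and the authenticated yes/no verdict of a match-in-sensor design, here is an added Python model of both links. This is example code written for this article, not Synaptics code, and it does not reproduce SecureLink: the real product uses TLS/AES, while the model stands in for that with a host-issued one-time nonce plus an HMAC-SHA256 tag over the verdict. The session key, fingerprint templates and the `MatchInSensor`/`AuthenticatedHost` names are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed values for the demo: a stand-in for the session key that a real
# TLS handshake would derive, and stand-ins for fingerprint templates.
# None of these are real key or biometric material.
SESSION_KEY = b"constructed-session-key-for-demo-only"
ENROLLED_FINGER = b"constructed-fingerprint-template-of-the-owner"
OTHER_FINGER = b"constructed-fingerprint-template-of-someone-else"


def tag(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (the prefix keeps field
    boundaries unambiguous when several fields are MACed together)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


class UnauthenticatedHost:
    """The weak link described above: the host matches whatever bytes arrive on
    the sensor lines, so it cannot distinguish a live sensor from a replay."""

    def __init__(self, enrolled: bytes) -> None:
        self.enrolled = enrolled

    def unlock(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.enrolled)


class AuthenticatedHost:
    """Host side of an authenticated link: it issues a fresh single-use nonce per
    attempt and accepts only a verdict whose tag covers that nonce."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.pending = None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def accept(self, reply: tuple[bytes, bytes, bytes]) -> bool:
        nonce, verdict, mac = reply
        if self.pending is None or not hmac.compare_digest(nonce, self.pending):
            return False  # stale or unsolicited nonce: a replayed message fails here
        self.pending = None  # the nonce is consumed whether or not the tag checks out
        if not hmac.compare_digest(mac, tag(self.key, nonce, verdict)):
            return False  # a verdict forged without the session key fails here
        return verdict == b"MATCH"


class MatchInSensor:
    """Sensor that matches locally and emits only an authenticated yes/no,
    so the fingerprint template itself never crosses the wire."""

    def __init__(self, key: bytes, enrolled: bytes) -> None:
        self.key = key
        self.enrolled = enrolled

    def respond(self, nonce: bytes, finger: bytes) -> tuple[bytes, bytes, bytes]:
        matched = hmac.compare_digest(finger, self.enrolled)
        verdict = b"MATCH" if matched else b"NO_MATCH"
        return (nonce, verdict, tag(self.key, nonce, verdict))


def run_demo() -> dict[str, bool]:
    """Exercise both link designs and report which checks hold."""
    results = {}

    # 1. Unauthenticated sensor lines: a frame captured once unlocks the host again.
    weak_host = UnauthenticatedHost(ENROLLED_FINGER)
    captured_frame = ENROLLED_FINGER  # what a tap on the sensor lines would record
    results["unauth_accepts_replay"] = weak_host.unlock(captured_frame)

    # 2. Authenticated link with match-in-sensor.
    host = AuthenticatedHost(SESSION_KEY)
    sensor = MatchInSensor(SESSION_KEY, ENROLLED_FINGER)

    live_reply = sensor.respond(host.challenge(), ENROLLED_FINGER)
    results["auth_accepts_live"] = host.accept(live_reply)

    # Playing the recorded reply back against a new challenge fails the nonce check.
    host.challenge()
    results["auth_rejects_replay"] = not host.accept(live_reply)

    # A MATCH verdict written onto the wire without the session key fails the tag check.
    nonce = host.challenge()
    forged = (nonce, b"MATCH", tag(b"not-the-session-key", nonce, b"MATCH"))
    results["auth_rejects_forged_verdict"] = not host.accept(forged)

    # Wrong finger: the sensor reports NO_MATCH and the host stays locked.
    reply = sensor.respond(host.challenge(), OTHER_FINGER)
    results["auth_rejects_wrong_finger"] = not host.accept(reply)

    return results


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {ok}")
```

The first result is the alarming one from the demo: on the unauthenticated link the host has nothing to check beyond the bytes themselves, so a recorded frame is as good as a finger. On the authenticated link the nonce binds each verdict to one attempt and the keyed tag binds it to the sensor, which is the same pair of properties (freshness and peer authentication) that TLS provides on a real SecureLink channel.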
I research security, and I’ll admit I was blown away by this specific security, or rather lack-of-security, demo. I’m a huge advocate of biometric security, but these solutions are not all built the same. The demo that stole a fingerprint and used it to unlock the PC and even the user’s phone was incredible.