Penetration Testing mailing list archives

Re: [PEN-TEST] Biometrics


From: l0rtamus prime <simon () SNOSOFT COM>
Date: Mon, 21 Aug 2000 03:23:16 +0100

I would be interested in these brochures


At 09:34 PM 8/17/2000 -0400, you wrote:
I have a few scanned product brochures which can be made available
to anyone interested on the list.

> I'd doubt that "anyone'd" be able to circumvent a retinal scan or
> fingerprint scan for that
> matter but I would like to receive any biometrics information any would
> care to divulge.

Forge credentials at the scanner? Possible, but not likely without a loud
struggle or similar suspicious activity.  Many finger/handprint scanners
incorporate thermal or other sensors to determine if the member is severed
and blood flow is gone;  a CCD above the reader would reveal non-bloody
attempts such as drugging the authorized person.

Many authentication methods are vulnerable at one or more points
in their architecture.  The 'input' device may not be inaccurate
and readily vulnerable - as with biometrics - but the validation
method may.

To simplify this example, think of a bio scanner as an A/D converter which
translates a unique physical characteristic (fingerprint, ear imprint,
retina signature) into a digital identifier.  The scanner must query
a database of authorized users (identifiers) to determine access rights.

If the data is passed through an unencrypted channel to the database,
identifier confidentiality is easily compromised by a sniffer.
At that point, we are back to a basic attack: man-in-the-middle to
spoof authorization credentials.
The system storing the database could be compromised, and a user granted
unauthorized access privileges.  'Compromise' in this sense could be
anything from electronic compromise to some good old social engineering.
More likely when the attacker is on the inside.

Penetration tests are usually contracted within a limited
timeframe, and it is unlikely either sort of attack is feasible
for a one-week full security audit.
Just remember that a dedicated attacker has no such time constraints.

-dan
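
The weakness described in the message above is that an identifier sent from scanner to database can be captured and presented again. The following added example (not part of the original post) shows one way the validation side can reject such a replay: a fresh challenge nonce is bound to the identifier with an HMAC. The names `Validator`, `scanner_reply`, `SCANNER_KEY` and `IDENTIFIER` are hypothetical, and the per-scanner key provisioned out of band is an assumption.

```python
import hashlib
import hmac
import secrets

# Constructed demo values: a per-scanner key provisioned out of band (assumed)
# and a made-up digital identifier standing in for the scanner's output.
SCANNER_KEY = secrets.token_bytes(32)
IDENTIFIER = b"template-7f3a-constructed"


class Validator:
    """Database side: issues one-time challenges and checks scanner replies."""

    def __init__(self, key, authorized):
        self.key = key
        self.authorized = set(authorized)
        self.pending = set()  # nonces issued but not yet consumed

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, nonce, identifier, tag):
        # Each nonce is accepted once; a replayed message reuses a spent nonce.
        if nonce not in self.pending:
            return False
        self.pending.discard(nonce)
        expected = hmac.new(self.key, nonce + identifier, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag) and identifier in self.authorized


def scanner_reply(key, nonce, identifier):
    """Scanner side: bind the identifier to the validator's fresh nonce."""
    return identifier, hmac.new(key, nonce + identifier, hashlib.sha256).digest()


def demo():
    db = Validator(SCANNER_KEY, [IDENTIFIER])
    nonce = db.challenge()
    ident, tag = scanner_reply(SCANNER_KEY, nonce, IDENTIFIER)
    first = db.verify(nonce, ident, tag)           # legitimate scan
    replay = db.verify(nonce, ident, tag)          # same bytes seen a second time
    stale = db.verify(db.challenge(), ident, tag)  # old tag against a new nonce
    return first, replay, stale


if __name__ == "__main__":
    print(demo())
```

This covers replay and tampering only; the identifier itself still crosses the wire in the clear unless the channel is also encrypted.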

