Penetration Testing mailing list archives
Re: [PEN-TEST] Biometrics
From: l0rtamus prime <simon () SNOSOFT COM>
Date: Mon, 21 Aug 2000 03:23:16 +0100
I would be interested in these brochures

At 09:34 PM 8/17/2000 -0400, you wrote:

> I have a few scanned product brochures which can be made available to anyone interested on the list.
>
> > I'd doubt that "anyone'd" be able to circumvent a retinal scan or fingerprint scan for that
> > matter but I would like to receive any biometric information anyone would
> > care to divulge.
>
> Forge credentials at the scanner? Possible, but not likely without a loud struggle or similar suspicious activity. Many finger/handprint scanners incorporate thermal or other sensors to determine if the member is severed and blood flow is gone; a CCD above the reader would reveal non-bloody attempts such as drugging the authorized person.
>
> Many authentication methods are vulnerable at one or more points in their architecture. The 'input' device may not be inaccurate and readily vulnerable - as with biometrics - but the validation method may. To simplify this example, think of a bio scanner as an A/D converter which translates a unique physical characteristic (fingerprint, ear imprint, retina signature) into a digital identifier. The scanner must query a database of authorized users (identifiers) to determine access rights. If the data is passed through an unencrypted channel to the database, identifier confidentiality is easily compromised by a sniffer. At that point, we are back to a basic attack: man-in-the-middle to spoof authorization credentials.
>
> The system storing the database could be compromised, and a user granted unauthorized access privileges. 'Compromise' in this sense could be anything from electronic compromise to some good old social engineering. More likely when the attacker is on the inside.
>
> Penetration tests are usually contracted within a limited timeframe, and it is unlikely either sort of attack is feasible for a one-week full security audit. Just remember that a dedicated attacker has no such time constraints.
>
> -dan
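The scanner-to-verifier weakness Dan describes (a digital identifier sent in the clear, so a sniffed copy is a reusable credential) beside a challenge-response check that gives the sniffer nothing replayable, as an added example that is not from the thread; the user name, template digest and scanner key are constructed.

```python
import hashlib, hmac, os

# Constructed sample data (not from the thread): the enrolled user's digitised
# template and the key shared between scanner and verifier.
SCANNER_KEY = b"constructed-scanner-key-do-not-reuse"
ENROLLED = {"alice": hashlib.sha256(b"constructed-fingerprint-template").digest()}


class NaiveVerifier:
    """Scanner sends (user, template digest) in the clear: whatever a sniffer
    captures is a permanent credential and can be replayed as-is."""
    def check(self, user, template_digest):
        return hmac.compare_digest(ENROLLED.get(user, b""), template_digest)


class ChallengeVerifier:
    """Verifier issues a single-use nonce; the scanner proves it holds the key
    and the matching template without putting either on the wire."""
    def __init__(self):
        self.pending = set()

    def challenge(self):
        nonce = os.urandom(16)
        self.pending.add(nonce)
        return nonce

    def check(self, user, nonce, tag):
        if nonce not in self.pending:  # unknown or already-used nonce: a replay
            return False
        self.pending.discard(nonce)  # consume it even if the tag turns out bad
        expected = hmac.new(SCANNER_KEY, nonce + ENROLLED.get(user, b""), hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def scanner_respond(user, template_digest, nonce):
    """What the scanner puts on the wire: a one-time tag, never the template."""
    tag = hmac.new(SCANNER_KEY, nonce + template_digest, hashlib.sha256).digest()
    return user, nonce, tag


def demo():
    """Returns (naive ok, naive replay ok, c/r ok, c/r replay ok, c/r forged ok)."""
    digest = ENROLLED["alice"]
    naive = NaiveVerifier()
    sniffed = ("alice", digest)  # captured once from the clear channel
    results = [naive.check(*sniffed), naive.check(*sniffed)]
    ver = ChallengeVerifier()
    msg = scanner_respond("alice", digest, ver.challenge())
    results += [ver.check(*msg), ver.check(*msg)]  # second call is a replay
    results.append(ver.check("alice", ver.challenge(), b"\x00" * 32))  # no key
    return tuple(results)
```

The scanner still has to keep SCANNER_KEY out of reach of whoever can open its housing, and the database host Dan mentions remains a separate target; the nonce only closes the sniff-and-replay path on the channel.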