Hacking of a Biometric System on a Card
Biometric authentication is a trending topic in securing modern devices. Examples of this can be found in many widely deployed systems such as Apple’s Touch ID or Microsoft’s Windows Hello face recognition. Miniaturization and increased processing power are thereby leading to new applications not imaginable a couple of years ago. Such a solution is the new fingerprint smart card built by a Norwegian company that must not be named. Their biometric match-on-card platform is designed to provide a convenient solution for access, identity, and payment applications and aims to replace PIN authentication for the next generation of payment cards by VISA and Mastercard. In this paper, we are going to analyze how this company has implemented their already available demo kit for access control in hardware and software. We will point out critical weaknesses in its architecture and algorithm and show how these could be misused for payment, access and identity fraud by attackers able to steal or clone the device. Thereby, we combine software and hardware hacking techniques as well as extraction methods, to acquire fingerprints from photos and latent prints, to successfully spoof the system in various ways. This works in particular without the error-prone creation of physical dummies due to the exploitation of the insecure on-device communication. The attacks presented require little effort and low-cost equipment that can be already refinanced by abusing a single card at all. Finally, we will discuss countermeasures and ideas to improve the security of this and future implementations for match-on-card fingerprint authentication.
Julian is part of the security research group SECT at Berlin University of Technology (TU Berlin). He has worked on the automation of fuzzing setups (KleeFL) and created a security monitor for embedded Devices based on PUFs (PUFMon). Most recently, he and Starbug have scrutinized a new biometric match-on-card solution that is going to be integrated into the next generation of payment, access control, and ID cards. Besides academia, he is also working together with federal and private organizations to improve their product security.