Biometric access control systems are, obviously, systems that use biometrics such as fingerprints, hand shape, facial recognition, retina scans and the like to identify people and authorize their access to facilities.
They usually log every transaction automatically (who went where, and when) for live monitoring or later checks.
They offer an advantage over keys and locks, which can easily be lost or bumped, and over ID cards, which can be lost, stolen, faked or switched.
However, using biometric systems means we are linking physical security and access to electronic devices.
4 or 5 years ago (boy! I am old and I should have blogged this ages ago)
I had the chance to work with different hardware manufacturers for those systems, mostly from China and the UK.
After reading the manuals, and after the initial fascination/confusion faded, I was curious how secure those machines are and how easy it is to hack them.
And it seems I was not the only one: the guys on MythBusters tested this myth as well. Here is the video of their experiments:
As you probably watched, they basically beat one of those “advanced” machines by taking the person's fingerprint, putting it on latex, printing it and licking the paper.
It is of course fun to watch something that is supposed to be advanced technology fail to basic techniques. But in real-life scenarios,
it is a bit tricky to get yourself a latex copy of a fingerprint, and even if you do, you cannot easily walk into a company with latex on your finger. It will look suspicious and will fail against face recognition, for example (I am assuming you won’t cut people's heads off and start walking around).
Since the title of the post says hacking biometric access control systems, it means you will be reading how to do so with a more technical approach.
Step 1: connecting to the machine
Biometric machines can be connected to a computer via a serial or a network connection.
Serial cable connections have distance limitations and are harder to install, meaning that if the entrance with the machine is some distance away from the PC, there is a risk of data loss.
Also, wiring a biometric unit all the way through the building to a computer is a harder task than plugging it into the nearest network outlet.
Most modern computers don’t come with a serial port anymore, so you would need to buy a USB-to-serial adapter.
This is why most IT people prefer to connect their machines over the network, which, as you can see, makes the job of hacking into them easier.
Step 2: the SDK
Each hardware maker publishes a software development kit, usually on their website. Those SDKs are easily obtainable if you contact the sales department; you don’t need much social-engineering skill. Each type of machine needs its specific SDK.
After getting the SDK, you can run a typical IP scan on the network and do some guesswork about which hosts are computers and which are machines (IP ranges and computer names are usually easy to recognise).
Each SDK will have a “connect to machine” function, and most of the time there is already a nice demo shipped with the SDK that you can use.
All you have to do is input a different IP address and click connect.
This is the process that will likely take the most time. Who said that the life of an E-Key Bumper is easy ;p
Step 3: getting access
Now that you are connected, you can use one of several concepts that are present in every single machine I’ve seen so far, ranging from fingerprint to hand and face recognition:
1 – Sensitivity factor: there is no way you can place your finger/hand/face in exactly the same position each time as when you first enrolled; there are differences of some millimetres. This is why every single machine has a sensitivity parameter. Most machines offer access to this parameter via the administration interface, and the value is accessible programmatically too. So once you have the SDK and are connected to the machine, find the function (it is usually in the demo as well) and set the value to something unreasonably low.
2 – User data: each user has their own measurable data. For example, in hand recognition, here is a sample of the actual data of a user: 37 124 174 123 108 135 134 113 56 0 0. You can set the data to something that matches yours, or to values that match anyone, like 255 255 … 255 255. It is the same concept as a master key, a key that would work on any lock, or in our case a record that would match any user.
3 – Enroll yourself: you can enroll yourself on the machine, using data as in the example above or by using a password instead of a fingerprint (many machines are multi-purpose). All SDKs have a function to create users, usually used for backing up and restoring data.
4 – Change user data: you can change the field that defines who is an admin and who is not. This is how you can elevate access for yourself or for someone you know who happens to be on the system; once you have root access, adding users and tinkering with the biometric machine is easy.
5 – Delete/reset logs to hide transactions: machines keep the whole transaction log, and it can be deleted to hide traces of who gained access to what, or simply to create confusion and sabotage payroll processing, for example.
6 – Reset the machine: just like routers, biometric machines have a tiny little dot, hole or button you can use to reset the machine. Once you reset it, the first person to enroll is an administrator. (I am not sure, though, what happens to the access control configuration.)
7 – Mess with the time: you can use the SDK to set the time of the machine, which can come in handy if those machines are used to clock attendance for payroll.
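If you are the one responsible for these machines rather than the one poking at them, every item in the list above leaves a trace in the terminal's own configuration and audit trail. The following is an added example, not code from the original post or from any vendor's SDK: it models a terminal's audit events and flags each of the actions listed above (sensitivity lowered below a floor, a master-key-like template such as all 255s, an admin flag being set, the log being cleared, the clock being moved, a factory reset), and it cross-checks the terminal's log against a server-side mirror to spot pruned records. The event fields, the sensitivity floor and the sample events are assumptions made up for this illustration.

```python
# Added example (not from the original post or any device SDK). Models a
# networked biometric terminal's audit trail and flags the risky changes the
# post describes. Event fields, the MIN_SENSITIVITY floor and the sample
# events are assumptions made up for this illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_SENSITIVITY = 40  # assumed policy floor for the match threshold


@dataclass
class Event:
    ts: datetime      # terminal clock at the time the event was written
    kind: str         # access | config | user_update | log_clear | time_set | reset
    actor: str        # user id that performed the action ('local' for the button)
    detail: dict = field(default_factory=dict)


def template_is_suspicious(template, saturated=255, min_distinct=4):
    """A genuine template varies between fields, like the post's sample
    37 124 174 123 108 135 134 113 56 0 0. A record that is empty, all zeros,
    all saturated, or nearly constant is a master-key candidate."""
    if not template:
        return True
    if all(v == 0 for v in template) or all(v == saturated for v in template):
        return True
    return len(set(template)) < min_distinct


def review_events(events):
    """Walk the terminal's audit trail (in write order) and return one
    message per finding a defender should look into."""
    findings = []
    prev_ts = None
    for e in events:
        # Timestamps should only move forward; a jump back means the clock was set.
        if prev_ts is not None and e.ts < prev_ts - timedelta(minutes=1):
            findings.append(f"{e.ts.isoformat()} clock moved backwards from {prev_ts.isoformat()}")
        prev_ts = e.ts

        if e.kind == "config" and e.detail.get("param") == "sensitivity":
            value = e.detail.get("value", MIN_SENSITIVITY)
            if value < MIN_SENSITIVITY:
                findings.append(f"{e.ts.isoformat()} sensitivity lowered to {value} by {e.actor}")
        elif e.kind == "user_update":
            if e.detail.get("admin"):
                findings.append(f"{e.ts.isoformat()} admin flag set on {e.detail.get('user')} by {e.actor}")
            if "template" in e.detail and template_is_suspicious(e.detail["template"]):
                findings.append(f"{e.ts.isoformat()} master-key-like template written for {e.detail.get('user')} by {e.actor}")
        elif e.kind == "log_clear":
            findings.append(f"{e.ts.isoformat()} transaction log cleared by {e.actor}")
        elif e.kind == "time_set":
            findings.append(f"{e.ts.isoformat()} clock changed to {e.detail.get('new_time')} by {e.actor}")
        elif e.kind == "reset":
            findings.append(f"{e.ts.isoformat()} factory reset; verify who enrolled first afterwards")
    return findings


def missing_on_terminal(server_copy, terminal_copy):
    """Access record ids mirrored to a server but absent from the terminal:
    a sign the terminal's log was pruned after the records were collected."""
    return sorted(set(server_copy) - set(terminal_copy))


# Constructed sample audit trail (not real device output), in write order.
SAMPLE_EVENTS = [
    Event(datetime(2024, 1, 8, 8, 0), "access", "u101", {"door": "lobby", "result": "granted"}),
    Event(datetime(2024, 1, 8, 8, 5), "config", "u500", {"param": "sensitivity", "value": 5}),
    Event(datetime(2024, 1, 8, 8, 6), "user_update", "u500",
          {"user": "u999", "admin": True, "template": [255] * 11}),
    Event(datetime(2024, 1, 8, 8, 7), "access", "u999", {"door": "server room", "result": "granted"}),
    Event(datetime(2024, 1, 8, 7, 30), "time_set", "u500", {"new_time": "2024-01-08T07:30:00"}),
    Event(datetime(2024, 1, 8, 7, 31), "log_clear", "u500"),
    Event(datetime(2024, 1, 8, 7, 32), "reset", "local"),
]

if __name__ == "__main__":
    for line in review_events(SAMPLE_EVENTS):
        print(line)
    print("pruned ids:", missing_on_terminal(["a1", "a2", "a3"], ["a1"]))
```

The important design point is that the log and the mirror are collected by a machine the terminal's administrator cannot log into from the SDK: if the only copy of the transaction log lives on the terminal, item 5 above erases the evidence along with the transactions, and the clock check only works when the terminal's time is also compared against a trusted source.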
I am uncomfortable with the idea of more people trusting biometrics just because they sound complicated, have flashy marketing presentations and look like part of a movie scene.
The idea of people being able to compromise physical access after a one-hour coding session is a bit scary. The ugly thing about those machines is that they cannot be security-aware, and I hope this post shows how insecure those systems are. Don’t fire your security guard yet!