Your Noisy Fingerprints Vulnerable To New Side-Channel Attack

Here’s a warning we never thought we’d have to give: when you’re in an audio or video call on your phone, avoid the temptation to doomscroll or use an app that requires a lot of swiping. Doing so just might save you from getting your identity stolen through the most improbable vector imaginable — by listening to the sound your fingerprints make on the phone’s screen (PDF).

Now, we love a good side-channel attack as much as anyone, and we’ve covered a lot of them over the years. But things like exfiltrating data by blinking hard drive lights or turning GPUs into radio transmitters always seemed a little far-fetched to be the basis of a field-practical exploit. But PrintListener, as [Man Zhou] et al dub their experimental system, seems much more feasible, even if it requires a ton of complex math and some AI help. At the heart of the attack are the nearly imperceptible sounds caused by friction between a user’s fingerprints and the glass screen on the phone. These sounds are recorded along with whatever else is going on at the time, such as a video conference or an online gaming session. The recordings are preprocessed to remove background noise and subjected to spectral analysis, which is sensitive enough to detect the whorls, loops, and arches of the unsuspecting user’s finger.

Once fingerprint patterns have been extracted, they’re used to synthesize a set of five similar fingerprints using MasterPrint, a generative adversarial network (GAN). MasterPrint can generate fingerprints that can unlock phones all by itself, but seeding the process with patterns from a specific user increases the odds of success. The researchers claim they can defeat Automatic Fingerprint Identification System (AFIS) readers between 9% and 30% of the time using PrintListener — not fabulous performance, but still pretty scary given how new this is.

Memory Box Shows Photos Based On Fingerprint

With his young son’s birthday coming up in a few weeks, [Mike Buss] wanted to build him something fun that the boy could hold on to all his life. After doing some sketching, [Mike] arrived at the idea to make a memory box that uses a fingerprint scanner to show different pictures based on the fingerprint.

[Mike] started by rendering the box in Blender and then cutting a sizable hole in the lid for the E-ink screen. That’s around the time the first problem came up — there were weird vertical lines in the display. Sure enough, that screen was broken. Then he added the SD card reader, but the SD card wouldn’t work, and was heating up besides. Finally, the fingerprint scanner was causing issues, but it turned out that the power supply was at fault.

After all of that, [Mike] switched from an ESP32 to a Raspi Zero W to simplify the whole process of finding a photo tagged with the person’s fingerprint. [Mike] added a Python script that listens for new memories over Wi-Fi. A memory in this case consists of a picture, a description, a list of people tagged in the picture, and some additional metadata.

One important lesson [Mike] learned was that of balancing planning vs. just taking action. If he had taken the time to consider the complexity of the tagged-photo retrieval system, he would have arrived at an SBC solution much sooner. Be sure to check out the build video after the break.

You can have all sorts of fun with fingerprint scanners, like this one that opens a secret bookcase door.


Hackaday Podcast Episode 246: Bypassing Fingerprint Readers Is Easy, Killing Memory Chips Is Hard, Cell Phones Vs Sperm

It’s the week after Thanksgiving (for some of us) and if you’re sick of leftovers, you’re in luck as Elliot and Dan get together to discuss the freshest and best inter-holiday hacks. We’ll cue up the “Mission: Impossible” theme for a self-destructing flash drive with a surprising sense of self-preservation, listen in on ET only to find out it’s just a meteor, and look for interesting things to do with an old 3D printer. We’ll do a little poking around in the basement at Tektronix, see how easy it is to spoof biometric security, and get into a love-hate relationship with both binary G-code and bowling balls with strings attached. What do you do with a box full of 18650s? Easy — make a huge PCB to balance them the slow way. Is your cell phone causing a population crisis? Is art real or AI? And what the heck is a cannibal CME? Tune in as we dive into all this and more.

Check out the links below if you want to follow along, and as always, tell us what you think about this episode in the comments!

Grab a copy for yourself if you want to listen offline.


This Week In Security: Owncloud, NXP, 0-Days, And Fingerprints

We’re back! And while the column took a week off for Thanksgiving, the security world didn’t. The most pressing news is an issue in Owncloud that is already under active exploitation.

The problem is a library that can be convinced to call phpinfo() and include the results in the page response. That function reveals a lot of information about the system Owncloud is running on, including environment variables. In something like a Docker deployment, those environment variables may contain system secrets like admin username and password among others.

Now, there is a bit of a wrinkle here. There is a public exploit, and according to research done by Greynoise Labs, that exploit does not actually work against default installs. This seems to describe the active exploitation attempts, but the researcher who originally found the issue has stated that there is a non-public exploit that does work on default installs. Stay tuned for this other shoe to drop, and update your Owncloud installs if you have them.

Easily Bypass Laptop Fingerprint Sensors And Windows Hello

The fun part of security audits is that everybody knows that they’re a good thing, and also that they’re rarely performed prior to another range of products being shoved into the market. This would definitely seem to be the case with fingerprint sensors as found on a range of laptops that are advertised as being compatible with Windows Hello. It all began when Microsoft’s Offensive Research and Security Engineering (MORSE) asked the friendly people over at Blackwing Intelligence to take a poke at a few of these laptops, only for them to subsequently blow gaping holes in the security of the three laptops they examined.

In the article by [Jesse D’Aguanno] and [Timo Teräs] the basic system and steps they took to defeat it are described. The primary components are the fingerprint sensor and Microsoft’s Secure Device Connection Protocol (SDCP), with the latter tasked with securing the (USB) connection between the sensor and the host. Theoretically the sensitive fingerprint-related data stays on the sensor with all matching performed there (Match on Chip, MoC) as required by the Windows Hello standard, and SDCP keeping prying eyes at bay.

Interestingly, the three laptops examined (Dell Inspiron 15, Lenovo ThinkPad T14 and Microsoft Surface Pro X) all featured different sensor brands (Goodix, Synaptics and ELAN), with different security implementations. The first used an MoC with SDCP, but security was much weaker under Linux, which allowed for a fake user to be enrolled. The Synaptics implementation used a secure TLS connection that used part of the information on the laptop’s model sticker as the key, and the ELAN version didn’t even bother with security but responded merrily to basic USB queries.

To say that this is a humiliating result for these companies is an understatement, and demonstrates that nobody in his right mind should use fingerprint- or similar scanners like this for access to personal or business information.

Secret Bookshelf Door Uses Hidden Fingerprint Scanner

What is it that compels us about a secret door? It’s almost as if the door itself and the promise of mystery is more exciting than whatever could lie beyond. In any case, [Scott Monaghan] is a lover of the form, and built his own secret door hidden in a bookshelf, as all good secret doors should be.

The door is activated by pulling down on the correct book. This then reveals a fingerprint scanner. Upon presenting the right digit, the door will elegantly swing open to reveal the room beyond. Secret door experts will note there’s an obvious tell due to the light spilling through the cracks, however [Scott] reports that the finishing stages of the build solved this issue. The door was also fitted with a manual release for easier daily use.

Details are light, but the basics are all there. Really all you need is a cheap hardware store door opener, a secret activation lever or authentication method, and a well-hinged bookcase to achieve this feat yourself. We’ve seen some other great secret doors before, too. Video after the break.


PUF Away For Hardware Fingerprinting

Despite the rigorous process controls for factories, anyone who has worked on hardware can tell you that parts may look identical but are not the same. Everything from silicon defects to microscopic variations in materials can cause profoundly head-scratching effects. Perhaps one particular unit heats up faster or locks up when executing a specific sequence of instructions and we throw our hands up, saying it’s just a fact of life. But what if instead of rejecting differences that fall outside a narrow range, we could exploit those tiny differences?

This is where physically unclonable functions (PUF) come in. A PUF is a bit of hardware that returns a value given an input, but each bit of hardware has different results despite being the same design. This often relies on silicon microstructure imperfections. Even after physically uncapping the device and inspecting it, an attacker would find it incredibly difficult to reproduce the same imperfections exactly. PUFs should be like the ideal version of a fingerprint: unique and unforgeable.

Because they depend on manufacturing artifacts, there is a certain unpredictability, and deciding just what features to look at is crucial. The PUF needs to be deterministic and produce the same value for a given specific input. This means that temperature, age, power supply fluctuations, and radiation all cause variations and need to be hardened against. Several techniques such as voting, error correction, or fuzzy extraction are used but each comes with trade-offs regarding power and space requirements. Many of the fluctuations such as aging and temperature are linear or well-understood and can be easily compensated for.

Broadly speaking, there are two types of PUFs: weak and strong. Weak PUFs offer only a few responses and are focused on key generation. The key is then fed into more traditional cryptography, which means the PUF needs to produce exactly the same output every time. Strong PUFs have an exponential number of challenge-response pairs and are used for authentication. While strong PUFs still have some error correction, a device might be queried fifty times and have to pass at least 95% of the queries to be considered authenticated, allowing for some error.
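The voting and threshold ideas above, as an added Python sketch that is not code from the article: a weak PUF is read repeatedly and majority-voted until its key is stable, and a strong PUF is accepted when at least 95% of fifty challenge-response queries match. The hash-based `SimulatedPUF`, the 2% noise rate, the vote counts and the device names are assumptions chosen for illustration; a real PUF derives its responses from silicon, not a hash.

```python
import hashlib
import random

class SimulatedPUF:
    """Toy PUF: a hash of a per-device secret stands in for silicon variation."""
    def __init__(self, silicon: bytes, noise: float, seed: int):
        self.silicon, self.noise = silicon, noise
        self.rng = random.Random(seed)  # models temperature/voltage jitter

    def ideal(self, challenge: int) -> int:
        digest = hashlib.sha256(self.silicon + challenge.to_bytes(4, "big")).digest()
        return digest[0] & 1

    def read(self, challenge: int) -> int:
        # A single raw read flips with probability `noise`.
        return self.ideal(challenge) ^ int(self.rng.random() < self.noise)

def voted_read(puf, challenge, votes):
    """Majority vote over an odd number of raw reads."""
    return int(2 * sum(puf.read(challenge) for _ in range(votes)) > votes)

def weak_key(puf, n_bits=128, votes=15):
    """Weak PUF: fixed challenges 0..n_bits-1, voted so the key is reproducible."""
    bits = "".join(str(voted_read(puf, c, votes)) for c in range(n_bits))
    return int(bits, 2).to_bytes(n_bits // 8, "big")

def enroll(puf, challenges, votes=15):
    """Verifier side: record challenge-response pairs while the device is trusted."""
    return {c: voted_read(puf, c, votes) for c in challenges}

def accept(matches, queries=50, threshold=0.95):
    """Authentication decision: tolerate a few mismatches, not many."""
    return matches / queries >= threshold

def authenticate(puf, crp_db, rng, queries=50, votes=5):
    """Strong PUF: query randomly chosen enrolled challenges and count matches."""
    picked = rng.sample(sorted(crp_db), queries)
    matches = sum(voted_read(puf, c, votes) == crp_db[c] for c in picked)
    return accept(matches, queries), matches

def demo():
    device = SimulatedPUF(b"constructed-device-A", noise=0.02, seed=1)
    other = SimulatedPUF(b"constructed-device-B", noise=0.02, seed=2)
    db = enroll(device, range(1000, 1200))  # constructed challenge set
    picker = random.Random(7)
    return {"key_stable": weak_key(device) == weak_key(device),
            "genuine": authenticate(device, db, picker),
            "other_device": authenticate(other, db, picker)}

if __name__ == "__main__":
    print(demo())
```

With fifty queries the 95% threshold means at most two mismatches are tolerated; a device of the same design but different "silicon" matches only about half the time and is rejected.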