Maybe you suspected this already, but researchers at MSU Computer Science just published a paper explaining just how easy it is to spoof a fingerprint scanner with a ink-jet printed scan of a finger.
We’re not talking about casting a new finger using superglue or anything, but rather using conductive ink you can literally print — on paper. A paper-printed-fingerprint that will unlock your smartphone. We’ve already told you fingerprints suck for security, but hopefully this drives the point home.
[Kai Cao] and [Anil K Jain] released this paper (Direct PDF link) outlining their technique. Using an existing scan of a fingerprint (which can be taken from your phone’s scanner), the image is mirrored, and then printed using a regular ink-jet printer, with all of its color cartridges replaced with AgIC4 silver conductive ink.
Continue reading “Finger Print Scanners Really Aren’t That Secure”
News comes from The Guardian that the iPhone 6 will break because of software updates due to non-authorized hardware replacements. Several thousand iPhone 6 users are claiming their phones have been bricked thanks to software updates if the home button – and the integrated TouchID fingerprint sensor – were replaced by non-Apple technicians.
For the last few iPhone generations, the TouchID fingerprint sensor has been integrated into the home button of every iPhone. This fingerprint sensor provides an additional layer of security for the iPhone, and like everything on smartphones, there is a thriving market of companies who will fix broken phones. If you walk into an Apple store, replacing the TouchID sensor will cost about $300. This part is available on Amazon for about $10, and anyone with a pentalobe screwdriver, spudger, and fine motor control can easily replace it. Doing so, however, will eventually brick the phone, as software updates render the device inoperable if the TouchID sensor is not authorized by Apple.
According to an Apple spokeswoman, the reason for the error 53 is because the fingerprint data is uniquely paired to the touch ID sensor found in the home button. If the TouchID sensor was substituted with a malicious TouchID sensor, complete and total access to the phone would be easy, providing a forehead-slapping security hole. Error 53 is just Apple’s way of detecting devices that were tampered with.
In fairness to Apple, not checking the authenticity of the touch ID would mean a huge security hole; if fingerprint data is the only thing keeping evil balaclava-wearing hackers out of your phone, simply replacing this sensor would grant them access. While this line of reasoning is valid, it’s also incredibly stupid: anyone can get around the TouchID fingerprint sensor with a laser printer and a bit of glue. If you ever get ahold of the German Defense Minister’s iPhone, the fingerprint sensor isn’t going to stop you.
This is a rare case where Apple are damned if they do, damned if they don’t. By not disabling the phone when the TouchID sensor is replaced, all iPhones are open to a gaping security hole that would send the Internet into a tizzy. By bricking each and every iPhone with a replacement TouchID sensor, Apple gets a customer support nightmare. That said, the $300 replacement cost for the TouchID sensor will get you a very nice Android phone that doesn’t have this problem.
One of the big problems in detecting malware is that there are so many different forms of the same malicious code. This problem of polymorphism is what led Rick Wesson to develop icewater, a clustering technique that identifies malware.
Presented at Shmoocon 2016, the icewater project is a new way to process and filter the vast number of samples one finds on the Internet. Processing 300,000 new samples a day to determine if they have polymorphic malware in them is a daunting task. The approach used here is to create a fingerprint from each binary sample by using a space-filling curve. Polymorphism will change a lot of the bits in each sample, but as with human fingerprints, patterns are still present in this binary fingerprints that indicate the sample is a variation on a previously known object.
Continue reading “Shmoocon 2016: GPUs and FPGAs to Better Detect Malware”
Opening a garage door by hand is a lot of work and a hassle, hence the advent of the garage door opener. Nowadays, some people may even say just pushing the button of a remote control requires too much effort. [nodcah] is one of those people so he came up with a fingerprint scanner that controls a pre-installed garage door opener. All kidding aside, it is a cool project that lets you into your garaage, keeps unknown people out and doesn’t require you to remember to carry a key or remote.
In the center of this project is an ATmega328 that runs a custom Arduino code. This ATmega328 is responsible for controlling a 16 character, 2 line LCD screen as well as communicate with an off the shelf fingerprint scanner from Sparkfun. The fingerprint scanner has a built in CPU, can store up to 20 fingerprints and does all its own processing of fingerprint scans. It then communicates to the ATmega328 with simple commands over serial Tx and Rx lines.
The ATmega328, LCD and fingerprint scanner are all mounted outside the garage in a 3D printed enclosure. If the wires for the internal-garage open/close button were just run straight into this outdoor module, anyone could open it up, short the wires and get into the garage. To prevent this, if the ATmega328 gets the ‘OK’ from the fingerprint scanner, then it sends a signal to an ATtiny85 that is inside the garage. If the ATtiny85 receives the correct signal, it will then actuate the garage door opener by shorting the open/close button contacts. This prevents anyone from sneaking into the garage.
[nodcah] did a great service to the community by making all of the part list, schematics, instructions and Arduino code available so anyone can easily put this project together.
Continue reading “Fingerprint Scanner Both Simplifies And Complicates Opening Garage Door”
We would be remiss if we didn’t mention that all of SparkFun’s open source hardware is now on Upverter.
Not wanting to tie up an iPad as a mini-gaming cabinet [Hartmut] hacked an Arcadi cabinet to use EUzebox instead.
Time travel happens in the bedroom as well. But only if you have your very own Tardis entrance. [AlmostUseful] pulled this off with just a bit of word trim and a very nice paint job. [via Reddit]
[Pierre] tricks an iPhone fingerprint scanner by making a replica out of hot glue.
Some of the guys from our parent company were over in Shanghai on business. [Aleksandar Bradic] made time to visit the Shanghai hackerspace while in town and wrote about the experience over on their engineering blog.
[Gregory Charvat] is a busy guy. In fact we’ve got a juicy hack of his saved up that we still need to wrap our minds around before featuring. In the mean time check out the Intern-built coffee can radar that he took over and tested on a multi-million dollar Spherical Near Field Range.
And finally, everyone loves coffee hacks, right? Here’s what [Manos] calls a Greek style instant coffee machine.
[Greg] sent in his biometric pistol safe lock. He keeps his guide light on details so not every Joe can crack the system (there is a thread to sift through if you really wanted to), but the idea runs fairly simple anyway. [Greg] took an old garage door opening fingerprint scanner and wired it into a half broken keypad based pistol safe. While he did have some issues finding a signal that only fired when the correct fingerprint is scanned, a little magic with a CMOS HEX inverter fixed that problem quick.
This does bring one question to our minds, are fingerprint scanners as easy to crack as fingerprint readers?
AU Optronics Corp has unveiled a new LCD panel that doubles as a fingerprint scanner. Each pixel is equipped with 4 optical sensors, so a 320×240 screen would have a scanning resolution of 640×480. They have also experimented with different sensors, such as UV. You can see an LCD panel that detects and displays the UV index above. Why did they use a secondary display to show the data though?