Exactly how many people are using these banknotes for "fake fingerprints" with their phone?
The reason why you use your own fingerprint, and not a standardized hologram fingerprint from a Euro bank note, is so that only your fingerprint can unlock your phone for example.

This whole advisory seems like one big troll. For example this:

--
5. [Truncated]
An agent could for example save data variables in the biometric sign of the banknote to exfiltrate information.

Note: Yeah they could also embed secret information anywhere else in the bank note, for example the micro-text, UV text, or probably even INSIDE the bank note.
--

A lot of fingerprint readers are pretty bad and imperfect by design too.

Mythbusters Fingerprint Bypass: https://www.youtube.com/watch?v=3Hji3kp_i9k
Note: Look at the end where they used a photocopy on a piece of paper to bypass that particular lock.

German Fingerprint Hack: https://www.theguardian.com/technology/2014/dec/30/hacker-fakes-german-ministers-fingerprints-using-photos-of-her-hands

Master Fingerprints Hack: https://www.express.co.uk/life-style/science-technology/791055/smartphone-fingerprint-scanner-hacked-criminals-scan-data

Hot Glue Fingerprint Mold: https://www.youtube.com/watch?v=kinq5nzY37c

General flaws about fingerprints: https://globalnews.ca/news/3371112/smartphone-fingerprint-sensors-hack/

-------- Original Message --------
On February 2, 2018 7:56 PM, Ben Tasker <b...@bentasker.co.uk> wrote:

> There's some detail in the Vulnerability magazine link, reproducing here so there's a record
>
> We discovered an anomaly in the hologram section of the new printed 20€ & 50€ banknotes. The security sign on the banknotes are produced with a transparent film. In the middle of the new hologram of the 20 & 50€ banknotes is a picture of a woman and different fingerprint-like structures. At the moment we noted the problem, we used a microscope to look closer.
>
> After an internal discussion, that the security sign could maybe be used for biometrics authentication processes, we tested the hologram for usage on different fingerprint scanners like Asus Pro laptop, Eikon, Samsung Galaxy S7/8 and the Apple iPhone v11. All mechanisms could be bypassed using the hologram of the banknotes to fake a fingerprint which is accepted by the fingerprint-scanner system. After that, the attacker is able to relogin with the universal hologram.
>
> Finally, we were able to bypass the biometric identification process of the different devices. No system is able to identify, that the hologram is not a real fingerprint. At the end, we figured out in the testing process that the holograms can be used to add via write and auth via read. There are now multiple problems in connection to the security issue.
>
> 1. Fingerprint - Reader & Writer (Mobile Devices)
>
> The end user devices like phones with fingerprint sensors of manufacturers like Samsung, Apple, Huawei & co are permanently vulnerable to this new type of attack. The sensor does not approve the reflection of the hologram in the read and write mode. It interprets the security signs as features of a real fingerprint. Thus results in an easy bypass using any 20€ or 50€ banknotes after registration. To use an attacker only requires to use his finger behind the hologram to bypass the fingerpulse check of the idevice. All other mechanism are not accurate approving the content during the sensor check.
>
> 2. Biometric Security in Europe
>
> Each time the EZB produces more of the affected banknotes, the biometric security in all over Europe countries is generally weakened. In the near future the EZB plans to integrate the holograms to any banknote (5€, 10€, 100€ & Co.).
> This would be a crazy incident for all biometric systems using a fingertip to authenticate because of any person is by now able to perform those types of attacks against an environment or service.
>
> 3. Fake fingerprints to go
>
> Any person that has access to a system could use a hologram of a European banknote to fake his fingerprint. Even the ones which do not have the expertise to fake it because in case of a publication, the government would have to reckon with it.
>
> 4. Universal fingerprint as key
>
> One time a hologram is written to a database, any attacker could use another hologram of the same banknote series to bypass the security mechanism to finally get access to the environment. Also administrators or moderators are able to setup a universal fingerprint key to any dbms for further entrance.
>
> 5. Save content in biometric signs or read data
>
> The problematic could be used by security agencies to save data in the biometric sign or to use them to get access to protected environments. An agent could for example save data variables in the biometric sign of the banknote to exfiltrate information.
>
> 6. Information in the hologram
>
> In the special case of a fingerprint entry is generated by mathematical variables with plain information, the content can be saved as plain-text information to extract the binary information. The binary information of the hologram fingerprint can then be deciphered by using different unknown one-time pad keys. So the data of the fingerprint is translated to binary code with a fingerprint device (open source) in plain-text. The plain-text is then used to identify chiffre inside the security sign hologram.
>
> 7. Save your Privacy
>
> At that point people can as well use the hologram to authenticate for a system or to a mobile device. In case of a user do not want to save his personal fingerprint to any untrusted device.
> Then they can by now use the hologram to save a fingerprint to authenticate the full anonym way.
>
> 8. Bypassing the biometric security with the help of banknotes
>
> Spread   Exposition   Exploitation   Detection
> LOW      MODERATE     MODERATE       EASY
>
> Problem Description & Causes
> Reference 1 has proved the biometric security of European bills for counterfeiting a fingerprint in a PoC.
>
> Possible threat scenarios
>
> 9. Avoiding person-related biometric backup in mobile devices, such as the Apple iPhone, u.v.m.
>
> 10. If necessary Falsification of the biometric identifiers of identity documents. Fake ID documents can be sold on the black market with a one time registered fingerprint. The number of copies and persons is irrelevant.
>
> Countermeasures:
>
> 11. Generate Awareness among Manufacturers and Users of Smart Meter Biometrics.
>
> 12. Educate data feeders so that fingers are free of foreign matter (e.g., glue, or the like) and checked.
>
> 13. Organizational measures
>
> a) Review of existing biometric profiles on devices
> b) Modify process of identification of biometrics
> c) Check the biometric data for duplications in IT systems and databases
>
>
> My comments:
>
> The title is fairly misleading (or I've misunderstood the article). I assumed this was actually some sort of weakness in the production of the banknotes themselves (perhaps ineffective anti-counterfeiting measures...), but it seems to be more that there's an embossed "fingerprint" which various biometric readers will actually believe to be a real fingerprint (and having your finger behind it will sort the pulse detection issues)
>
> The weakness, the theory goes, is that someone could register a "fingerprint" in your system by using a banknote. This'd give them access whilst also meaning you didn't at least have a hash of their real fingerprint for forensics to find.
>
> Another theory is that users might opt to use a banknote instead of their own fingerprint.
> I'm not quite sure what the likelihood of that is, in that it's not exactly convenient, and if you're concerned about privacy implications from a fingerprint scanner the best option is not to use it.
>
> What it does show (which is already known), is that commodity fingerprint scanners remain easily fooled. So much so, that an "acceptable" non-fingerprint is being accidentally mass produced and will soon be in the pockets of millions of people.
>
>
> On Tue, Jan 30, 2018 at 2:18 PM, Jeffrey Walton noloa...@gmail.com wrote:
>
>> On Tue, Jan 30, 2018 at 4:08 AM, Vulnerability Lab resea...@vulnerability-lab.com wrote:
>>>
>>> Document Title:
>>>
>>> Banknotes Misproduction security & biometric weakness
>>> ...
>>> Technical Details & Description:
>>>
>>> In the last months we reviewed the new 20€ & 50€ Banknotes of the European Central Bank. One of our core team researchers identified that for the security sign of the holograms are different components in usage. The security signs are built by the European Central Bank with several high profile elements in the signs to ensure, that the banknotes have a serious level of protection against fraud or fake money. After processing some time to identify an impact, we were finally able to identify the following security problematic ...
>>> The details seem to be missing from the announcement and the website.
>>
>> Sent through the Full Disclosure mailing list
>> https://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
>>
>
> Ben Tasker
> https://www.bentasker.co.uk
>
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/