Security is not in your fingerprint.

Gabriel Martí
10 min read · Oct 14, 2022


How I bypassed biometric security using Flipper Zero

Photo by Meg Jenson on Unsplash

Note

For reasons beyond my control, this article has some pixelated photographs.

This is the English version of the original article in Spanish, which you can find at the following link:

https://gabimarti.medium.com/la-seguridad-no-est%C3%A1-en-tu-huella-dactilar-76bb1d1e7782

Preface

Any security and/or control system must have measures adjusted to its environment. I say this because what I am going to describe here, despite having certain shortcomings, is not necessarily insecure once its environment and scope are taken into account.

This is why what follows concerns an identification process, not an authentication process.

However, it is useful to be aware of the weaknesses of these mechanisms, so that we know what we are dealing with, and what to watch out for, when a situation arises that none of the mechanisms involved in the identification process was designed to foresee.

Access control

For some time now I have had to access a building using an access card. A simple, white card, unmarked anywhere except for a small number in the bottom corner.

Access control card with anonymised user ID

A number of only a few digits, which made me suspect that it had something to do with my internal identification.

As soon as I had the card, I was curious to see if I could read its contents. The only thing I had at hand at the time was my Android smartphone with NFC. So I activated the NFC reader and tried to read it. Result? No read.

After further research, there was a possibility that it was 125 kHz RFID, a type of card widely used in identification systems. I could not verify this with certainty, as I did not have a reader for that frequency.

This card was the only safe-conduct I needed to open the building’s entry/exit control barriers.

Building access control barriers

The only user-level control the system has is that if a user has already entered the building, the barriers will not open from the outside, since the user is already registered as being inside, and vice versa.

The Flipper Zero

After a while, the day came when I received my Flipper Zero.

Flipper Zero straight out of the box

After testing the different reading modes, the result was quick and easy. It was confirmed that the card was 125 kHz RFID, widely used in access control systems, and with practically zero security unless there is some other verification system behind it (in the backend). Its low frequency makes it highly resistant to interference and suitable for industrial environments, which is why it is so widely used. But I am not going to go into the physical details, nor the signal details.

The important thing here is to know what data it stores, and how.

Security

As I said, there is zero security on this type of card. Flipper Zero reads all of its contents and can then emulate (or clone) it, acting as the identification device in place of the card.

Flipper Zero showing menu operation with 125 kHz RFID

Cloning the card is not difficult at all, and makes it possible to have an additional access device, or even to transfer the identification data onto a rewritable key fob working on the same frequency.

Rewritable 125 kHz RFID key fob

These key fobs and/or cards can also be found under the names “TAGS” or “Transponders”. Put very simply, a transponder is a chip with a small antenna that is activated when it receives a signal from the reader and then sends back the information it contains.

Inside of the key fob, with antenna and 125 kHz RFID chip

One thing must be clear: these devices are “identification” elements, not “authentication” elements, so we have no security. For there to be security, other non-existent factors would have to come into play.

These chip-and-antenna assemblies simply hold a registered identifier (a number), and on receiving the reader’s signal the antenna emits only this identifier.

The EM4100 chip

Before we move on to see what was on my ID card, let’s take a look at what the card stores.

The card (presumably) contains an EM4100 chip, which is read-only: it leaves the factory with a pre-recorded identifier. This identifier is stored in a 64-bit memory, that is, 8 bytes. Of these bits, 9 are header bits that are always set to 1. Then come 8 bits of version identifier. Every 4 data bits are followed by a parity bit, and at the end there are 4 column parity bits followed by a stop bit set to 0. That leaves 32 bits of data (9 header + 8 version + 32 data + 10 row parity + 4 column parity + 1 stop = 64), which is 8 hexadecimal digits, as this is how Flipper Zero is going to show it to us.

EM4100 data format table (sorry, no translation)

In reality, what Flipper Zero stores discards all the header, parity and stop bits: they are only part of the transmission protocol, so it keeps just 5 bytes (40 bits). The first 8 bits, as shown in the schematic, indicate version or customer and depend on the system; in this case they are always zero (00). The next 4 bytes (32 bits) are the ones we are interested in: our identifier.
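To make the layout concrete, here is an added example of my own (not the author’s code, nor anything from the Flipper Zero firmware) that builds and parses the 64-bit EM4100 frame exactly as described above: nine header bits set to 1, ten rows of 4 data bits each followed by an even row-parity bit, four even column-parity bits, and a stop bit of 0. The decoder rejects any frame whose header, parity or stop bit is wrong, which is the only integrity check this format offers. The function names and the sample identifier 0x4FB10040 (chosen because it equals the article’s 1,337,000,000 in decimal) are my own choices.

```python
from typing import List, Tuple

HEADER_BITS = 9          # nine leading 1s
ROWS = 10                # 2 rows of version/customer ID + 8 rows of data
ROW_LEN = 5              # 4 data bits + 1 even parity bit per row


def em4100_encode(version: int, data: int) -> List[int]:
    """Build the 64-bit EM4100 frame for an 8-bit version field and a 32-bit ID."""
    if not (0 <= version <= 0xFF and 0 <= data <= 0xFFFFFFFF):
        raise ValueError("version must fit in 8 bits, data in 32 bits")
    payload = (version << 32) | data              # the 40 bits Flipper Zero keeps
    bits = [1] * HEADER_BITS
    columns = [0, 0, 0, 0]                        # running column parity
    for i in range(ROWS):
        nibble = (payload >> (4 * (ROWS - 1 - i))) & 0xF
        row = [(nibble >> (3 - b)) & 1 for b in range(4)]   # MSB first
        bits.extend(row)
        bits.append(sum(row) % 2)                 # even parity over the row
        columns = [c ^ r for c, r in zip(columns, row)]
    bits.extend(columns)                          # even parity over each column
    bits.append(0)                                # stop bit
    assert len(bits) == 64
    return bits


def em4100_decode(bits: List[int]) -> Tuple[int, int]:
    """Parse a 64-bit frame, rejecting anything with a bad header, parity or stop bit."""
    if len(bits) != 64:
        raise ValueError("EM4100 frame must be 64 bits long")
    if bits[:HEADER_BITS] != [1] * HEADER_BITS:
        raise ValueError("header is not nine 1s")
    if bits[63] != 0:
        raise ValueError("stop bit is not 0")
    payload = 0
    columns = [0, 0, 0, 0]
    for i in range(ROWS):
        start = HEADER_BITS + ROW_LEN * i
        row, parity = bits[start:start + 4], bits[start + 4]
        if sum(row) % 2 != parity:
            raise ValueError(f"row {i} parity error")
        columns = [c ^ r for c, r in zip(columns, row)]
        payload = (payload << 4) | (row[0] << 3 | row[1] << 2 | row[2] << 1 | row[3])
    if columns != bits[59:63]:
        raise ValueError("column parity error")
    return payload >> 32, payload & 0xFFFFFFFF


def flipper_hex(version: int, data: int) -> str:
    """Render the stored 5 bytes the way Flipper Zero displays them (colon-separated hex)."""
    payload = (version << 32) | data
    return ":".join(f"{(payload >> (8 * (4 - i))) & 0xFF:02X}" for i in range(5))


if __name__ == "__main__":
    # constructed sample: version 0x00, identifier 0x4FB10040 (== 1_337_000_000)
    frame = em4100_encode(0x00, 0x4FB10040)
    print("".join(map(str, frame)))
    print(em4100_decode(frame), flipper_hex(0x00, 0x4FB10040))
```

Note that parity only guards against transmission errors: a correctly encoded frame for any identifier at all is accepted, so nothing in the format itself distinguishes a genuine card from an emulated one.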

So, in Flipper Zero, it shows us something similar to what you see in the following image. For this I am going to put some example values so that it is better understood.

Sample of information obtained from the RFID card with the Flipper Zero

The hexadecimal values displayed by the readout were as follows:

[ 00:4F:B1:00:00:40 ]

On the other hand, the numbering on the card (always speaking of hypothetical values) was “1337”.

How are they similar?

Well, if we take the hexadecimal value and convert it to decimal, we obtain the following result:

[ 1,337,000,000 ]

That is, “one billion three hundred and thirty-seven million”. In other words, the number printed on the card, which corresponds to the user’s identifier, is multiplied by one million and stored on the chip. For ease of use, Flipper Zero displays the bytes in hexadecimal.

So, it is easy to think that if we know someone else’s card number, it is feasible to calculate the value to store on an RFID TAG and create an access card to impersonate that person’s identity, isn’t it? It is indeed possible, but you will have to read to the end. 😎

The fingerprint

Suddenly, one day they tell you: “We are going to eliminate ID cards and access to the building will be by fingerprint from now on”.

In other words, the access control, i.e. the identification system, will be biometric.

Normally, the introduction of a biometric control is associated with increased security, and this is (or should be) the case when the other parts of the process are changed along with it.

But in this case, it is not. 😏

So, the moment came when they had to take my fingerprint and register it in the system.

Shoulder Surfing

Have you heard of this term? It means watching data, details, things… as people type on their computer, mobile phone or other device, without them realising it. It is one of the many techniques grouped under social engineering.

And therein lies the security of many processes.

When I had to have my fingerprint registered, an operator took my fingerprint on the same device that is used to identify you when you enter the building. In this case, the device itself displays a menu with different options and you have to repeat different fingerprint captures and recordings. This meant that the operator had to enter and repeat a code multiple times. Each time it was the same.

Access control reader device that reads fingerprints and 125 kHz RFID cards

I looked at that code and memorised it. As you can imagine, that code was the one associated with my fingerprint, and it is actually the internal code that the system responds to.

Put your finger or put your card?

This whole story came about because I didn’t really feel like putting my finger in contact with a surface where thousands of fingers pass by every day (just me 😒) if I could avoid it.

And my goal was to check if the code that was supposedly associated with the fingerprint could also be sent through the RFID reader.

I could not record a new card, but I could record a TAG like the one shown above or send the information from the Flipper Zero itself. I just had to edit the information in my Flipper Zero with the appropriate values.

Edited 125 kHz RFID TAG information shown on the Flipper Zero display

The next time I had to go through the access barrier, instead of putting my fingerprint, I used the Flipper Zero to send this information, and it worked!!!! 😏

In fact, that was the first login. I never used my fingerprint to access the facility. The only time my fingers touched that device was at the time of fingerprint registration.

Impersonating another identity?

From this point it is clear that, in this case, the fingerprint is not a better identification measure: it is associated with an identifier just as short and unprotected as the one stored on the card, and that identifier is accepted when read through the RFID reader.

Therefore, in the same way that I can use my fingerprint code and copy it onto a small TAG, I could also generate other codes and gain access to the building by impersonating someone else. What is worse, the access control of that building, when reading a correct code, displays on the screen the name and surname of the person accessing the building.

But is this easy to do?

I can answer this question in the affirmative with a resounding

YES, IT IS POSSIBLE!

Generating identifiers

Knowing my current identifier, and knowing the one I had before, I can guess the range of values within which the identifiers used in the company fall.

So, the first thing to do is to generate and save a list of possible candidates in a text file. That is, a list of possible identifiers likely to be correct.

As I don’t want them to be continuous values either, because sometimes randomness brings us closer to a successful result, I’m going to create a generator where I give a starting value, a final value and a random jump between values.

I could also set continuous values and, in fact, the code supports this, but this way I reduce the number of identifiers to test.

Doing this in a language like Python is a matter of a few lines of code. In fact, doing it in another language, like C, would be almost a “carbon copy”, but now Python is all the rage 😉

Sorry. The code is not translated but it is easily understandable.

This script generates a list of possible identifiers, which we just have to dump into a text file and place inside Flipper Zero.

Part of the list of IDs generated

Fuzzing

Fuzzing is a software testing technique consisting of providing invalid, unexpected or random data to input interfaces to check whether the routines detect erroneous input. In this case, it could also be more akin to an attempt at brute-force identification by providing a dictionary of values to be tested. I mention fuzzing because the plugin I used in this case is called RFID Fuzzer.

Once this file is placed with the list of identifiers to test, we launch the plugin that will read the identifiers from this file and send them one by one to the reader until it detects a valid identifier and opens the barrier.

Screen with menu option displaying the RFID Fuzzer

As the list has a high probability of valid codes, we will see the result in a few seconds.

No pictures of the moment, sorry. 😏

RFID Fuzzer in action sending codes to RFID reader

Conclusion

It remains to be seen whether this whole system can be improved (probably it can) and some corrections applied. On the one hand, protocol aspects could be improved at the user level; on the other, at the identifier level, other measures could be added, such as check digits. I understand that this would require changes in the software that reads and receives the data from these readers, which I do not know in its entirety.
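The two observations that make this whole story work are the identifier scheme (printed card number × 1,000,000, stored in the 32-bit EM4100 data field) and the absence of any check on the identifier beyond “is it in the list”. The following added example, my own code and not the author’s, puts numbers on both and on the check-digit mitigation suggested above: it maps card numbers to stored IDs and back, counts how many printed numbers the scheme can represent at all, and measures what fraction of guessed identifiers a reader would accept with and without a Luhn check digit. The multiplier and the 1337 sample come from the article; the function names, the choice of Luhn as the check-digit algorithm and the 10000–19999 guess range are my assumptions.

```python
from typing import Callable, Iterable, Optional

MULTIPLIER = 1_000_000   # printed card number x 1,000,000 = 32-bit ID on the chip (as observed in the article)
ID_BITS = 32             # size of the EM4100 data field


def card_number_to_id(card_number: int) -> int:
    """Stored identifier for a printed card number under the observed scheme."""
    tag_id = card_number * MULTIPLIER
    if tag_id >= 2 ** ID_BITS:
        raise ValueError("identifier does not fit in the 32-bit EM4100 data field")
    return tag_id


def id_to_card_number(tag_id: int) -> Optional[int]:
    """Inverse mapping; None if the ID is not a multiple of the scheme's step."""
    return tag_id // MULTIPLIER if tag_id % MULTIPLIER == 0 else None


def usable_card_numbers() -> int:
    """How many distinct printed numbers the scheme can represent in 32 bits at all."""
    return (2 ** ID_BITS - 1) // MULTIPLIER


def luhn_check_digit(number: int) -> int:
    """Check digit to append to `number` so that the result passes the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(str(number))):
        d = int(ch)
        if i % 2 == 0:          # these land on the doubled positions once a digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def with_check_digit(number: int) -> int:
    """Printed number extended with its Luhn check digit (hypothetical hardened scheme)."""
    return number * 10 + luhn_check_digit(number)


def luhn_valid(number: int) -> bool:
    """Standard Luhn validation of a number that already carries its check digit."""
    total = 0
    for i, ch in enumerate(reversed(str(number))):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def acceptance_rate(candidates: Iterable[int], is_valid: Callable[[int], bool]) -> float:
    """Fraction of guessed identifiers a reader would accept under a given validity rule."""
    accepted = total = 0
    for c in candidates:
        total += 1
        accepted += is_valid(c)
    return accepted / total


if __name__ == "__main__":
    print(card_number_to_id(1337), hex(card_number_to_id(1337)))      # 1337000000 0x4fb10040
    print("printed numbers representable:", usable_card_numbers())   # 4294
    print("1337 with check digit:", with_check_digit(1337))          # 13375
    # constructed guess range: every 5-digit value from 10000 to 19999
    no_check = acceptance_rate(range(10_000, 20_000), lambda n: True)
    luhn = acceptance_rate(range(10_000, 20_000), luhn_valid)
    print(f"guesses accepted: no check digit {no_check:.0%}, Luhn check digit {luhn:.0%}")
```

Two things stand out. First, because the stored ID is a multiple of one million, only 4294 distinct printed numbers fit in the 32-bit field, so the identifier space a reader actually has to distinguish between is tiny. Second, a single check digit rejects 90% of arbitrary guesses, but that is only a tenfold improvement; it is a sanity check, not an authentication factor. The durable fix is the one the article keeps pointing at: treat the card or fingerprint as identification only, and put a real verification step behind the reader.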

At this point, I have yet to make my own plugin for Flipper Zero, which I’ll leave for another time.

In the meantime, remember one thing: “The danger is not in the knife but in the hand that wields it”.

@310hkc41b


Gabriel Martí

Former teacher of CFGM and CFGS Cybersecurity (Spanish vocational training). Currently a cybersecurity consultant. Interests in robotics, cybersecurity, reversing. Twitter @gmarti @310hkc41b