Synaptics Boldly Hacks Vulnerable Fingerprint Sensors To Underscore Need For End-To-End Encryption
We took part in an interesting demo this week that was both eye-opening and somewhat alarming. We met with representatives from Synaptics to discuss what we thought would be its latest sensor technology or HCI device, but were treated to a real-world hacking display that would leave most people slack-jawed. Why, you ask? Because in only a few minutes, an image of my fingerprint had been stolen and duplicated, and it was used to gain access to my smartphone (and a demo notebook), but it could have just as easily been a personal / corporate laptop or any other device with a fingerprint sensor.
Unencrypted links between a fingerprint sensor and its host are potential attack vectors for hackers.
To pull off this attack, Synaptics created a tiny device, consisting of about $25 worth of components that are readily available online, which sat between the fingerprint sensors and host on a couple of notebooks. That tiny device consisted of a micro-controller and Bluetooth transmitter, and was invisible to the host machine. What it did, in addition to capturing and transmitting the initial fingerprint data, was allow an attacker to remotely gain control of the compromised system by digitally injecting the fingerprint data (in what's called a replay attack), as if the correct finger had just been placed on the sensor. Over and above granting access to the compromised system, the physical, printed copy of our fingerprint was also used to gain access to our personal smartphone, by simply holding the printed fingerprint over the sensor and giving it a tap.
This type of attack would initially require physical access to a machine with a vulnerable fingerprint sensor, and the know-how to create the capture device, but in today’s day and age, we do not believe that is out of the realm of possibility. We should also mention that the device Synaptics devised didn’t require any soldering or complicated measures (besides gaining access to the system) to install. On one of the demo machines, the capture device was simply connected in-line with the fingerprint sensor, and on the other, test pads were actually exposed on the motherboard, to which the device was attached. Pulling this off on a smartphone would be nearly impossible, because they are much harder to access, and have no room internally to hide an additional device, but it's easily doable on a notebook.
This is not the type of thing a random “h4X0r” strolling through a Starbucks is going to be able to pull off, but it’s not hard to imagine a determined hacker (or group of hackers) specifically targeting someone and devising a scheme to gain access to his or her machine, which in turn could potentially expose an entire enterprise’s network, and give the hackers the ability to spoof the target’s fingerprints for nefarious reasons.
Early this year, Synaptics began deploying SecureLink and PurePrint end-to-end security, which utilize TLS 1.2 and AES256 encryption, by default on its integrated PC fingerprint solutions, hence the demo. Synaptics also has proprietary technology that can help mitigate fingerprint spoofing, by detecting whether or not an actual finger is used on the sensor. When used together, the type of attack executed in our meeting wouldn’t have been possible.
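To make the replay problem concrete, here is a small added example (ours, not Synaptics code and not how SecureLink is implemented) of a host that accepts a sensor frame only when it is bound to a fresh, single-use challenge. It swaps in an HMAC-SHA256 challenge-response for the TLS 1.2 channel, so it shows the freshness and authentication property only, not encryption of the image. The pre-shared key, the byte-for-byte "match" and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def tag_frame(key: bytes, challenge: bytes, image: bytes) -> bytes:
    """Sensor side: bind the captured image to the host's fresh challenge."""
    return hmac.new(key, challenge + image, hashlib.sha256).digest()

class Host:
    def __init__(self, key: bytes, enrolled: bytes):
        self.key, self.enrolled = key, enrolled
        self._challenge = None

    def new_challenge(self) -> bytes:
        self._challenge = secrets.token_bytes(16)  # fixed length, one per attempt
        return self._challenge

    def accept_unprotected(self, image: bytes) -> bool:
        # Legacy link: nothing ties these bytes to the current unlock attempt.
        return hmac.compare_digest(image, self.enrolled)

    def accept_bound(self, image: bytes, tag: bytes) -> bool:
        challenge, self._challenge = self._challenge, None  # single use
        if challenge is None:
            return False
        expected = tag_frame(self.key, challenge, image)
        return (hmac.compare_digest(tag, expected)
                and hmac.compare_digest(image, self.enrolled))

def demo():
    key = secrets.token_bytes(32)             # assumed pre-shared sensor/host key
    image = b"constructed-fingerprint-frame"  # constructed sample, not real data
    host = Host(key, image)

    challenge = host.new_challenge()
    tag = tag_frame(key, challenge, image)    # genuine touch, recorded on the link
    genuine = host.accept_bound(image, tag)

    # The recorded frame is presented again later.
    replay_unprotected = host.accept_unprotected(image)
    host.new_challenge()                      # host issues a new challenge
    replay_bound = host.accept_bound(image, tag)
    return genuine, replay_unprotected, replay_bound

if __name__ == "__main__":
    print(demo())
```

The genuine frame is accepted, the replayed frame is accepted on the unprotected path, and the same replay is rejected once the host requires a tag over its current challenge.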