Synaptics Boldly Hacks Vulnerable Fingerprint Sensors To Underscore Need For End-To-End Encryption


We took part in an interesting demo this week that was both eye-opening and somewhat alarming. We met with representatives from Synaptics to discuss what we thought would be its latest sensor technology or HCI device, but were treated to a real-world hacking display that would leave most people slack-jawed. Why, you ask? Because in only a few minutes, an image of my fingerprint had been stolen and duplicated, and it was used to gain access to my smartphone (and a demo notebook), but it could have just as easily been a personal / corporate laptop or any other device with a fingerprint sensor.

It turns out Synaptics was in the area to promote its SentryPoint technology, which offers end-to-end security for fingerprint authentication. What’s happening today, usually as a cost-saving measure, is that PC OEMs are using small fingerprint sensors designed for the smartphone space on their notebooks. The problem is that in the vast majority of these designs, the link (or links) between the fingerprint sensor and the host machine is not encrypted.


Those unencrypted links are potential attack vectors for hackers.

What Synaptics did during the demo was essentially a sophisticated man-in-the-middle attack that captured the data from the fingerprint sensors on two commercially available notebooks and wirelessly transmitted that data to another machine, where it was used to create a physical “copy” of our fingerprint. That “copy”, however, was nothing more than a small image printed on photo paper using an off-the-shelf inkjet printer outfitted with common conductive ink.

[Image: The Compromised Sensor That Got Me...]

To pull off this attack, Synaptics created a tiny device, consisting of about $25 worth of components that are readily available online, which sat between the fingerprint sensor and the host on a couple of notebooks. That tiny device consisted of a microcontroller and a Bluetooth transmitter, and it was invisible to the host machine. In addition to capturing and transmitting the initial fingerprint data, it allowed an attacker to remotely gain control of the compromised system by digitally injecting the captured fingerprint data (in what's called a replay attack), as if the correct finger had just been placed on the sensor. Over and above granting access to the compromised system, the physical, printed copy of our fingerprint was also used to gain access to our personal smartphone, by simply holding the printed fingerprint over the sensor and giving it a tap.

[Image: The Spoofed Fingerprint -- Blacked Out And Photoshopped, Of Course]

This type of attack would initially require physical access to a machine with a vulnerable fingerprint sensor, and the know-how to create the capture device, but in this day and age, we do not believe that is out of the realm of possibility. We should also mention that the device Synaptics devised didn’t require any soldering or complicated measures (besides gaining access to the system) to install. On one of the demo machines the capture device was simply connected in-line with the fingerprint sensor, and on the other, test pads exposed on the motherboard provided the attachment point. Pulling this off on a smartphone would be nearly impossible, because phones are much harder to open and have no room internally to hide an additional device, but it's easily doable on a notebook.


This is not the type of thing a random “h4X0r” strolling through a Starbucks is going to be able to pull off, but it’s not hard to imagine a determined hacker (or group of hackers) specifically targeting someone and devising a scheme to gain access to his or her machine, which in turn could potentially expose an entire enterprise’s network, and give the hackers the ability to spoof the target’s fingerprints for nefarious reasons.

Due to the complexity of this type of attack, some PC OEMs believe it to be extremely unlikely to happen, and as such, haven’t made the decision to actively push for full, end-to-end encryption of the fingerprint authentication devices in their systems. We think everyone would agree an attack like this is unlikely, but it is entirely possible, especially when you consider how easily even common street criminals are able to obtain credit card skimmers and RFID capture devices to steal credit card and other personal information.


Early this year, Synaptics began deploying SecureLink and PurePrint end-to-end security, which utilize TLS 1.2 and AES256 encryption, by default on its integrated PC fingerprint solutions, hence the demo. Synaptics also has proprietary technology that can help mitigate fingerprint spoofing, by detecting whether or not an actual finger is used on the sensor. When used together, the type of attack executed in our meeting wouldn’t have been possible.
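The replay attack on the interposed sensor link, and why an authenticated, session-bound channel between sensor and host defeats it, can be shown with a small simulation. This is an added illustration, not code from Synaptics or from this article; the template bytes and pairing key are constructed, and the HMAC challenge-response stands in for the TLS 1.2 channel SecureLink actually uses.

```python
import hashlib
import hmac
import os

# Constructed sample: the raw template bytes a sensor sends to the host.
# In the demo, the inline device captured exactly this kind of frame.
SAMPLE_TEMPLATE = b"constructed-fingerprint-template-bytes"
# Assumed key shared by sensor and host (stand-in for a real TLS pairing).
PAIRING_KEY = b"constructed-shared-pairing-key"


class PlaintextLink:
    """Unencrypted, unauthenticated sensor-to-host link (the vulnerable design)."""
    def __init__(self, enrolled):
        self.enrolled = enrolled

    def sensor_read(self, template):
        return template  # exactly what an inline tap sees on the wire

    def host_verify(self, frame):
        return frame == self.enrolled  # any captured frame can be replayed later


class AuthenticatedLink:
    """Host issues a fresh nonce per read; the sensor binds the template to it
    with an HMAC, so a captured frame is only valid for the session it came from.
    Note: HMAC alone does not hide the template; real end-to-end protection also
    encrypts it so a tap cannot harvest an image of the print."""
    def __init__(self, enrolled, key):
        self.enrolled, self.key, self.nonce = enrolled, key, None

    def host_challenge(self):
        self.nonce = os.urandom(16)
        return self.nonce

    def sensor_read(self, template, nonce):
        tag = hmac.new(self.key, nonce + template, hashlib.sha256).digest()
        return (nonce, template, tag)

    def host_verify(self, frame):
        nonce, template, tag = frame
        if self.nonce is None or not hmac.compare_digest(nonce, self.nonce):
            return False  # stale or unsolicited nonce: replay rejected
        self.nonce = None  # each challenge is single-use
        expected = hmac.new(self.key, nonce + template, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected) and template == self.enrolled


def replay_succeeds_on_plaintext():
    link = PlaintextLink(SAMPLE_TEMPLATE)
    captured = link.sensor_read(SAMPLE_TEMPLATE)  # sniffed once...
    return link.host_verify(captured)             # ...injected later: accepted


def replay_rejected_on_authenticated():
    link = AuthenticatedLink(SAMPLE_TEMPLATE, PAIRING_KEY)
    captured = link.sensor_read(SAMPLE_TEMPLATE, link.host_challenge())
    legitimate = link.host_verify(captured)  # genuine read for this session
    link.host_challenge()                    # next unlock: new nonce issued
    return legitimate, link.host_verify(captured)  # replayed frame fails
```

Running both functions shows the plaintext link accepting the replayed frame while the authenticated link accepts the genuine read and rejects the same bytes injected a second time.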

With the use of fingerprint sensors on the rise, we agree with Synaptics’ message. A sophisticated attack like this would be difficult to pull off. But not impossible. And considering the damage that could be done with unfettered access to a system, not to mention a literal copy of someone’s fingerprints, we hope OEMs listen and make the proper moves to ensure their customers’ security.