Stealing your Master Key: Unsafe Fingerprint Sensors
May 18, 2017
By Godfrey Cheng
People are now conditioned to believe that fingerprints are unique and are much safer than passwords. In many ways, this is true. But what is less well-known is a notebook manufacturer’s choice in fingerprint sensors can potentially lead to the theft of your fingerprint image, giving the thief the master-key to all your devices and your company enterprise.
There are two types of fingerprint sensors in the notebook market today: those that are encrypted and safe, and those that are unencrypted and unsafe. If you are unfortunate to have purchased a machine with an unencrypted sensor, you are opening yourself up to getting your fingerprint image and master-key stolen. Unlike passwords, once your fingerprint image is stolen, you cannot change your fingerprints.
What can a thief do with an unencrypted fingerprint image? They can create spoofs, or fake images of your fingerprint using nothing more than a $200 inkjet printer. With these spoofs, they can gain access to not only the notebook from where your fingerprint image was stolen, but also all the personal texts and pictures on your phone. Don’t forget, if your notebook is connected to your company’s network, you have also given access to your company’s trade secrets and other confidential information. This is the age of BYOD (bring your own device) and IT security professionals should take notice.
More insidious than creating physical printed fingerprint spoofs, a thief can also gain access to your notebook anytime they want through something called a Replay Attack. Whatever access level the compromised user has is now available to the thief. A compromised IT Administrators account, for example, would have broad company server access. With a stolen fingerprint image, you can inject or replay the image back into the computer to unlock it. Your computer would not be able to tell the difference between the stolen replay image and a real finger. Once thieves can replay the fingerprint image, they can unlock the computer remotely and get full access to your data and all its corporate network access services. This attack method can be expanded to power control circuitry allowing a thief to power on the system at will remotely and turn it off without anyone noticing.
In Figure 1, at the top is the victim PC (any PC with an unencrypted fingerprint sensor) and the bottom is the hacker PC (any Bluetooth enabled PC can be used). The hacker PC wirelessly sniffs the unencrypted fingerprint image from the victim PC. The hacker PC now has a permanent image of a person’s fingerprint.
The hacker PC can now perform two different operations. It can resend the captured fingerprint data back to the victim PC and unlock the computer remotely. It can also send the fingerprint image to a printer, where using an off-the-shelf printer and conductive ink, a hacker can create a “master-key” and access the victim computer -- or the victim’s phone, without ever touching the phone until the actual hack.
How can you prevent this? Use encrypted fingerprint sensors. Demand that your notebook manufacturers use encrypted fingerprint sensors. Synaptics has been shipping encrypted fingerprint sensors for years and has also introduced a suite of security features called SentryPoint where we encrypt the lines between the sensor and computer host, amongst other security features. Demand that your notebook manufacturer use an encrypted sensor from Synaptics or even another vendor. Using an unencrypted fingerprint sensor is an exposed danger that can easily be exploited and can be easily avoided.
Not all encryption is the same. It is important to demand FULL encryption from sensor to host. This issue arises because some notebook manufacturers are choosing to use cheap unencrypted phone fingerprint sensors and connecting it to a notebook through a microcontroller. This is unsafe, even if the link from the microcontroller to the host is encrypted. Encryption is only as strong as its weakest link. Any unencrypted segment of wiring is vulnerable. The link between the encrypted fingerprint sensor and microcontroller is vulnerable to the attacks described above.
Why are some notebook manufacturers using unencrypted phone sensors and potentially jeopardizing your privacy and company security? Because the sensors are cheap and designed only to be used in phones. Phones today are waterproof and extremely hard to open. Unlike PCs, smartphones are also typically in a person’s possession at all times. Phones can depend on physical security to protect the sensor. But notebooks are different. Notebooks are often left on the desk at home, in the car, at the office, and on a public coffee shop table. You can easily get access to the internals of a notebook casing in just a few minutes. Security components for phones should not be used in notebooks because the security and usage models are different.
Thieves and hackers always focus on the improbable as the obvious exposures are closely watched. Intel and Microsoft are both working hard to protect data once it is inside the host environment. SSDs are encrypted. Even the BIOS is now secured. This leaves any unencrypted sensor as a vulnerability. This includes any biometric sensor that passes unencrypted images. Fingerprint sensors are just the start. There must be concerted effort to encrypt all biometric sensors.
At Synaptics, we have a suite of security features for our fingerprint sensors called SentryPoint. The foundation of these security features is SecureLink, which enables a strong TLS 1.2 / AES-256 encryption all the way from the sensor to host – this is a critical differentiator. But we also have technologies like PurePrint that can detect real fingers and fake fingers... aka spoofs. As part of our modular software architecture, we have the ability to update our PurePrint drivers to include new threats as them come along. We are just now starting to ship our PurePrint enabled driver. Finally, if you want the most hardened security solution, we have our industry unique Match-in-Sensor technology where the fingerprint template is securely matched on our sensor silicon itself – this limits the data transfer to the host as a simple yes/no communication. Even then, the match result is also encrypted. If a notebook manufacturer chooses our fingerprint sensors with our SentryPoint technologies, the likelihood of success for the attacks described above is greatly lowered.
Many of our customers are already shipping fully encrypted fingerprint sensors and have done so for years. Some are even choosing to go even with a higher level of hardened security with adoption of both our encryption technologies and our Match-in-Sensor technologies. This year, we have already started shipping our PurePrint anti-spoof technologies as part of our drivers to defend against the spoofing of fingerprints.
We purchased our demonstration PC notebooks in retail stores that use unencrypted smartphone sensors. Over the past two weeks, we have been demonstrating in real-time how easy it is to steal fingerprint images. In five minutes, we can steal your fingerprint and get full access to your notebook and company network. In less than 20 minutes, we can steal your fingerprint, create a spoof and get access to your texts, pictures and data on most major phones.
Join us: We will be demonstrating this security vulnerability and its resolution at Computex Taipei to press and customers, May 30th to June 3rd. For an appointment, contact David Hurd or your sales representative.