In a bid to demonstrate the advantages of its latest-generation SentryPoint fingerprint solutions, at this year’s Computex event Synaptics came with a very interesting demonstration for breaking into a PC. By taking advantage of flaws in a fingerprint sensor implemented without end-to-end encryption, the company was able to showcase just how easy it is to hack into a PC using such a sensor. The ultimate purpose of course being to promote their own wares: the company says that its latest fingerprint solutions for PCs (as of late 2016) not only use end-to-end encryption, but can process the data in secure environments such as those enabled by the Intel SGX and Microsoft Windows 10 VBS.
Fingerprint-based security used to be exotic on consumer devices just 15 years ago, and for many cases was considered a stronger method than passwords. Today, fingerprint sensors are ubiquitous and widely are used on mainstream mobile devices. On the one hand, this strengthens security overall and enables new kinds of services (e.g., Apple Pay). On the other hand, pervasive usage of fingerprint sensors makes it excessively appealing to perpetrators to use them as a way to hack into someone’s computers and gain access to personal or professional data. As a result, the right implementation of fingerprint sensing and data processing becomes critical. As it appears, not all laptops available today are equipped with the right sensors and the right software.
To demonstrate how relatively easy it is to hack into a laptop featuring an unencrypted fingerprint sensor, Synaptics did the following:
- Took a notebook with an unencrypted sensor and installed a device featuring two chips and a transmitter on a flexible PCB, which intercepted samples of fingerprints and transferred them via Bluetooth to another computer. That device could not be seen from the outside and it had no impact on performance of the compromised PC.
- Asked a volunteer victim to enroll their fingerprints into a compromised laptop.
- Intercepted them.
- Printed a copy of those fingerprints using conductive ink on a slip of paper.
- Attacking devices that didn’t support anti-spoofing capabilities, Synaptics used these papers to hack into a personal, uncompromised laptop and phone of the victim.
- Used the “replay” capability of the device to remotely hack into the compromised notebook without even touching it.
Below, are two videos depicting culmination of the actions. For an obvious reason we do not publish images of the devices installed, brands, models and other information of this sort. The demonstration was done in a bid to showcase the risk of unencrypted sensors and the results are obvious.
The Weakest Links
While fingerprint sensors are easy to use, their implementation is a complex architecture that has various weak spots. Below is a block diagram of Synaptics’ most advanced implementation of its SentryPoint fingerprint sensor-based security architecture, outlining how everything works: a sensor collects a sample of a fingerprint, transfers that data to the host (or to a Match-in-Sensor, MiS), which performs matching and generates master key to give access to the system. Meanwhile, the architecture of a cheap fingerprint authentication solution will look similar, but does not use an MiS, end-to-end encryption, spoof protection, or secure matching, leaving several areas where such a system is potentially vulnerable.
The sensor itself. If someone manages to obtain someone else’s fingerprint and then present it to the sensor, it is possible that the system accepts it. There are plenty of YouTube videos when a phone accepts forged fingerprints made using gummy bears, glue and other things like that. A more reliable method is to print a fingerprint using an inkjet printer and conductive ink, but the principle is essentially the same: spoof a fingerprint. At a public level, this is the best understood attack, and perhaps the easiest to pull off since we leave our fingerprints everywhere.
One of the reason why the chewing gum/conductive ink jet printer hacks work is because sensing hardware/software almost never stores the image of an actual fingerprint, but keeps an abstract/hash of its distinctive features (they are called minutiae) in a proprietary format. Once a new fingerprint sample is applied/collected, the hardware/software compares minutiae, not the images. There are multiple reasons for this, including security and practical implications. Even if the proprietary format is hacked, it is impossible to reconstruct a fingerprint out of an abstract/minutiae and thus gain access to other devices that may use a different sensor with a different algorithm to collect minutiae. While fingerprints of one person remain the same throughout their lifetime, their high-res images change because of small cuts, micro chaps, etc. making everything harder to process and/or just not letting a legitimate person with a cut in.
The interconnection between the sensor and the host. If someone manages to gain physical access to a PC that is to be hacked, they can install a tiny device that intercepts the data that its fingerprint sensor sends to the host, and then transfer that data via Bluetooth to another device that belongs to the perpetrator. This essentially allows an attacker to acquire a direct fingerprint scan of the victim. There is an obvious problem with this kind of man-in-the-middle attack. First, the offender must gain physical access to their victim’s PC, which is not easy, but possible if a group of people is involved, or someone just has appropriate skills. Second, the offender must know exactly what kind of sensor is used and what kind of intercepting device to install (with SPI or USB interface). In the worst-case scenario, this means that they need to have physical access to their victim’s PC two times. In their demo, specialists from Synaptics used a cheap tool installed into a PC and and copied fingerprint images that were used to gain access to various devices afterwards.
There are multiple laptops on the market that use SPI-based sensors intended for mobile phones and do not support encryption, according to Synaptics. Such sensors are a bit cheaper, but since the SPI bus is intended for short distances and thus has trace length restrictions, PC makers use a microcontroller that converts SPI to USB. And while everything may be encrypted from USB and onwards, the SPI part of the connection is unprotected and thus is vulnerable. Meanwhile, such man-in-the-middle attack can be prevented by using sensors that rely on the USB bus and support TLS 1.2/AES-256 encrypted connection to the host. Obviously, SPI sensors used in smartphones and tablets can still be vulnerable, but intercepting tools cannot easily be installed into the former (due to dimensions), whereas the latter will have to use USB-based sensors in a bid to become more secure.
The host system itself. Fingerprint authentication solutions on the PC perform fingerprint matching differently. Most belong to the match-on-host (MoH) category, and perform matching during a process that runs on the host system. The key advantage of MoH solutions is their flexibility: different readers, controllers, software, and even special ICs that match fingerprint readers to templates can be used. The obvious peculiarity of MoH is usage of multiple connections. Moreover, when the CPU (or a special matching IC) processes fingerprints and calculates the master code, it deals with an actual fingerprint image (or its abstract). Therefore, if a sniffer software is installed (by infecting a PC with a virus, for example), the perpetrator can gain both the fingerprint and the master code. The latter may be used to access a particular PC and the former can be used to access all other fingerprint-secured devices belonging to that victim. The takeaway here is plain and simple: in a bid to be completely secure, MoH fingerprint solutions need to be end-to-end encrypted using an AES-256 (or similar) key that cannot be decrypted.
There are also fingerprint authentication solutions that use the Match-in-Sensor (MiS) architecture, which performs all the necessary operations within the sensor IC. An MiS IC contains a microprocessor, storage, and cryptographic capabilities, and consequently physically isolates matching from the host OS. The MiS sends an identification result that is encrypted and signed using a sensor-specific key.
What is quite scary in this scenario is that once the fingerprint images are intercepted (it does not matter where they were grabbed: on the host system while they were processed or while they were transferred using an unprotected SPI or USB connection), perpetrators can perform the so-called replay attacks and gain access to the compromised PC even without touching it by simply “inserting” stolen data using the device that was used to steal them.
Being one of the world’s largest suppliers of fingerprint solutions, Synaptics has a number of ways to prevent the aforementioned kinds of attacks. The key point that the company is trying to make is the fact that one technology is not enough if someone wants a truly secure laptop – fingerprint authentication systems need to be hardened agained multiple types of attacks.
First off, many of Synaptics’ modern SentryPoint fingerprint sensors support the company’s PurePrint anti-spoofing tech, which ensures that the sensor is dealing with a real finger and not a fake. Interestingly, PurePrint is not a hardware component, so Synaptics can make it better over time by updating the SentryPoint drivers. For example, the PurePrint was recently enabled on add-on USB fingerprint accessories from PQI and Kensington using Microsoft’s Windows Update.
Second, currently shipping fingerprint solutions from Synaptics support hardware-based SecureLink encryption technology that uses TLS 1.2/AES-256 keys and thus cannot be hacked in real-time. One of the issues is that some PC makers have limitations that prevent them from using line encryption, so, not all Synaptics-based fingerprint authentication solutions are actually encrypted. Therefore, make sure you know how your fingerprint technology works before buying a new laptop if you carry sensitive data.
Next up is Synaptics Quantum Matcher technology, which performs fingerprint matching in secure environments backed by Intel’s SGX or Microsoft’s Windows 10 VBS. Since the latest notebooks are based on Intel’s Kaby Lake CPUs, chances are high that their firmware has SGX enabled. Quantum Matcher is also a component of Synaptics’ driver, so it can be updated over time if the company finds it necessary.
The most secured option that Synaptics has to offer now is the company’s Match-in-Sensor fingerprint hardware. Since it is a sealed solution, it doesn’t always provide enough freedom for notebook designers, which is why it’s not used everywhere despite the fact that Synaptics first introduced MiS almost two years ago. At present, the company is working on its second-generation MiS that promises to improve security even further. In any case, MiS provides the ultimate level of security within Synaptics’ product portfolio, and when combined with other SentryPoint components (e.g., PurePrint) it is designed to allow for virtually unbreakable laptops.
The usage of biometric security will only get more popular as the cost of sensors further drops in price, and because factors like fingerprints or retina images are extremely convenient to use for authentication. You can’t forget your fingerprint, and you can’t misplace your iris. Meanwhile, hacking tools and other attack methods will get more sophisticated going forward, so companies like Synaptics will have to make their technologies more advanced. It is hard to imagine biometrics being anything other than a continual arms race, in that respect.
The big concern in the present is that the manufacturers of PCs, smartphones, and tablets do not consistently advertise what kind of fingerprint authentication solutions they use, and consequently you never know what exactly you are buying and how secure it is. If you are using a corporate PC acquired by your company’s IT department, you can assume that the fingerprint authentication is sound (i.e., it has encrypted connection and supports anti-spoofing capabilities). But if you are getting your own laptop along with a phone and tablet, you can barely be sure what’s inside unless you read a product review that touched upon fingerprint hardware.
In the end, in addition to sophisticated fingerprint hardware, manufacturers of PCs need to change their attitude and communicate their security mechanisms to their customers. Then again, too many disclosures make computers more vulnerable to targeted attacks, which is part of the reason why Synaptics does not reveal the list of notebooks that do or do not use its end-to-end encrypted MoH or MiS solutions.