

Hacking fingerprint readers - mattaereal
http://blog.infobytesec.com/2014/07/perverting-embedded-devices-zksoftware_2920.html

======
VLM
Unfortunately, this is the high end of security for the future "internet of
things". Everything else will be worse.

Something I wonder about, given network access (over the wifi?) could you
upload a valid unprocessed raw fingerprint using the unvalidated "restore
backup" function to trick the software into logging some valid user's
fingerprint was present, gaining access to the facility?

Also I note the complete lack of other biometrics, so a photocopy of any of
the recorded "fingers" taped to my finger would seem to validate me.

I would imagine that messing with the machine could be logged, but luckily it
appears pretty easy to overwrite local logs with this machine.

Its highly unusual to find a biometric device that is not on a Hollywood set
that is not snake oil. It would have been surprising if this device had been
legit.

~~~
palkeo
> Something I wonder about, given network access (over the wifi?) could you
> upload a valid unprocessed raw fingerprint using the unvalidated "restore
> backup" function to trick the software into logging some valid user's
> fingerprint was present, gaining access to the facility?

On the admin interface (that's not protected by a password, as we have shown),
there is a link « open door », so all this is unnecessary, you can just open
the door by a simple HTTP request.

> I would imagine that messing with the machine could be logged, but luckily
> it appears pretty easy to overwrite local logs with this machine.

Nope, the « normal » accesses are logged, but for the web interface and
everything, there isn't any log.

