Hacking Finger Print Readers

Breaking GSA Certified Finger Print readers model FUTRONIC Finger Print Scanner  model: FS88

 

Avilable to purchase from the following location:

https://www.bayometric.com/futronic-fs88-fips201piv-usb-2-0-fingerprint-scanner/

So as anyone knows who deals with any form of biometric systems, Finger Prints are one of the most unique Identifiers of a subject that can be found. 

You don’t even need to be a Forensics Specialist to know this, its spammed all over the internet, TV, and Movies, showing detectives lifting fingerprints from surfaces to identify the subject they are searching, haven’t seen this… I’m surprised go watch CSI Miami, you will thank me later for that one

I have always been interested in getting my hands on a fingerprint reader for my room door. How many times have you gone out and lost those pesky little keys?… hands…. anyone, dont be ashamed il wait….. yeah I see you… I have to buddy.

Unfortunately, that solution you were looking for to replace the keys with the one thing you can lose, so you may need to stick to them for a while longer.

While searching for fingerprint readers, I had this crazy idea. Who better to trust when it comes to the security of locations and files then the people who try to protect them the most, YES, Speak easiest during prohibition. As you are now thinking, yeah the first issue appeared, Biometric systems were not exactly a thing back during the prohibition. So who next, well to answer that we think of these who want to protect all they can, the Government.

I know I dont need government-level technology for my extensive and impressive collection of conference lanyards, but why not take a look. So after some quick Google Dorking and searching, I  quickly came across the Futronic FS88 fingerprint reader, that was officially FBI tested to standards and compliance for use by the US Government.

yeah, that sounds good. But I wanted to make sure that my lanyards are secure from those pesky gremlins who constantly steal one of my socks, So I went digging even deeper to see what I can find. After some more searching and Dorking, I came across a guide from the Futronic company that had detailed information and usage. This can be seen on the right of this text.

This is tested by the FBI to have Live Finger Detection that will Reject Fake Fingers made from Silicone rubber, Play-doh. In other words, if you clone my fingerprint this is going to know its fake and kick you off. It does this by looking for the natural electrical charge that is released from the human body when the finger is placed on the surface of the reader, its a small charge but it is enough to let the system know you’re a living human.

Of course, this is cool and does what I want… BUT … Im a hacker, I like to break things. Why? well because I can, this is a guide on how I went about doing this.

In case you can’t read the photo, there is a link to the informational pdf bellow

https://www.futronic-tech.com/download/FS88_brochure.pdf

So for testing, I had to get my hands on one of these readers to play with it and see what I could do. I was lucky as I had access to a Biometric Forensic Laboratory that had access to these types of readers and Even the reader I wanted to use for this experiment.

I know not everyone is lucky to have the ability to get their hands on a Biometric Forensics Lab equipment or even get into one of these rooms. But, in reality, you really dont need access to this any of this. It can be done standing in the hallway, in darkness, while guards are patroling around. 

If you want to get one of these readers after reading this report to play with you can easily find them in multiple locations such as U.S. Government Liquidations or on eBay, Amazon. They are cheap a brand new one will run about $80 USD with shipping from eBay.

For clarity when it comes to the experimentation. I am going to be transparent in everything used for the experiment. This experiment was conducted in a 100% Laboratory environment without outside interactions or changes over a 3 hour period.

The software that was used is a standard software used by many agencies called MegaMatcher SDK package, for the experiment the full trial was used with full features avilable, this software is available from Neurotechnology.com,

The reader used was the one Discussed above and had light usage in the laboratory and was in full working condition. The experiment software was all conducted on an HP Envy Touchsmart Laptop running Windows 10 64bit with the latest drivers and software up to date, using the default drivers for the reader from Neurotechnology.

Here is an example of a fingerprint verification on the Megamatcher SDK. I did not take a Higher Quality image at the original time of investigation so I used this example image to show the layout and function of how this tool maps out the fingerprint and breaks it down using a calculation.

As you can see the interface is simplistic and easy to use, the device is attached via USB 2.0 and automatically recognized by the software when the drivers are configured.

For the purpose of the experiment, I enrolled multiple fingers into the system to best test the fingerprint. The first testing was done using the real fingers to make sure the system was working. Once this was confirmed to be working then all other testings that was done after was using different methods to bypass the security

The next attempt was to develop a mold from the Subject’s fingerprint impression to test the liveness detection of the device.  

There were multiple molds taken, made out of both clay and play-doh. The clay had multiple issues in the smoothness of the imprint. Whereas with the play-doh the fingerprint was almost perfectly visible and would work best for the testing. There were multiple different imprints taken of my thumb from different angles on each piece of play-doh to get the post possible sample.

The preparation of the molds involved rolling up the doh into balls. Then using a rolling pin to flatten them out smooth, ready for a smooth imprint from a finger, this was done on a flat surface to protect the mold from damage or changing from accidental bumps, touches, or uneven surfaces.

Here you can see the imprint of the fingerprint before any filler or latex was added, you can see the quality of the fingerprint around the edges, of course, the main print was removed for the safety of the subject.

The mold was used for imprinting before the play-doh started to go semi-hard from the exposure to room heat and air, the edges were rolled up as can be seen in the photo this is to allow for any overspill to be kept in the mold as needed.

For the filling of the mold, there were 3 different types of substances used, these included some of the following 

  • Generic B&Q brand Wood Glue,
  • Splashes & Spill’s – Liquid Latex
  • Loctite Clear Silicone Sealant

These substances were felt to be the best substances for the purposes of the experiment, as they were readily available in many locations, for examples discount stores such as Dollar Tree or Pound Land. Meaning if an attacker was to do an attack like this, it would take one trip to a simple Art and Hobby store, a 5-minute search and get out and be ready to preform an attack. 

 


It was found that the drying process for this was extremely slow, as the room temperature was not warm info the latex was one of the first to dry the wood glue was followed up, and falling far behind there was sealant glue.

To speed up this process a common hair dryer was used as a medium level heat to try to preserve the molds as much as possible and prevent any form of cracking in the molds.

In an ideal environment with a long time available in the lab, these should have been left for a period of time to let dry slowly. But it was decided to speed up this process as the time allotted to lavatory location was not as long as originally hoped

After the imprint was felt to have been dried enough they where removed from the mold and checked.

It was already clear very soon after removal from the molds that the liquid latex print was the highest quality print. The clay and glue sealer imprint fell apartment on removal from the mold, leaving the only available type of imprint for testing was two latex molds.

One of these imprints was not clear due to the way in which the print was taken

In an attempted to improve the imprint and find a usable section fo the fingerprints, black ink was used to try exposes the ridges. This can be seen on the left.

The imprint was then tested by being placed on paper and only a partial fingerprint was readable. Unfortunately testing with this print was unable to bypass the system due to the lack of data points available on the print.

It was still decided to continuing testing with this imprint, as can be seen in the image bellow this was a complete failure and was next to un-readable by the device against the database. The software was unable to even get any data points from the print as needed.

Testing the fingerprint against the subject’s pre-enrolled fingerprint of the same finger, was found and was verified by the system. but this was with a low score, but it was still verified by the system.

This meant that the system security features original stated in the release documentation and the sales description in the release of this hardware… wait for it…… waaaaaaiiiiiittttt for it… liveness detection was bypassed successfully cool

To the right, you can see the success of the fingerprint being recognized by the system “data blurred for PERSEC” of the cloned fingerprint against the pre-enrolled user. 

To confirm this result I asked multiple people to use this use the imprint on the reader and all were able to be verified successfully, out of the 10 recorded attempts only one was a failure, and this failure was because the reader would not recognize a partial fingerprint “Only half of imprint on the reader”

So I would class this as a successful and completed experiment. As I am a stickler when it comes to this, I got my hands on multiple other readers available to the lab. The system was successfully bypassed on multiple different devices, ruling out damages to the original device.

In conclusion:
This was a successful experiment in the sense that the security features where bypassed. As for sophistication for an attack to do this, I would say minimal, it was beyond easy to mold and clone a fingerprint.

The only difficult task would be to get a hold of a usable fingerprint, although there is current research that has shown some strong promises in the form of 3D printing fingerprints from images.

In theory, you could use a 3D printed fingerprint from an image, and just repeat the process showed here and you would have a usable fake fingerprint, one good example of this being demonstrated on MrRobot the TV show found at the following link:

MrRobot Video

This would only be successful with a high-detailed printer, this is not that far off for the average 3D printer owner to be able to do, with the increase in the ability of this technology daily

The Fix… well… mmm… I dont know… I just brake things

The liveness detection works on the natural charge from the human body being recognized by the device. With the thin layer of latex this was bypassed allowing the transition of the attacker’s natural charge to the device, but reading the faked fingerprint.

On the left is the completion of identification of the fingerprint on the pre-enrolled database with a score of 128, this photo was taken after the subject’s fingerprint was tested on the system