Fingerprint Access Device Flaw Could Make It Easy to Open Doors

HardOCP News

I want to say that this is shocking, but haven't hackers been bypassing these things for years in the movies? ;)

Fingerprint access controllers made by Chiyu Technology can be managed and configured through a built-in HTTP web server. The problem, according to researcher Maxim Rupp, is that the web server is plagued by a vulnerability that allows an attacker with network access to view and modify the device’s configuration without authentication by directly accessing known paths (CVE-2015-2871).
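Added example, not part of the original thread or of the vendor's firmware: one way a defender could detect the pattern described above (management pages served without authentication), assuming the controller sits behind a reverse proxy that writes Common Log Format lines and records the HTTP auth user. The management path prefixes, addresses and log lines are constructed placeholders, not the device's real paths.

```python
import re
from collections import defaultdict

# Hypothetical management path prefixes; substitute the ones your device exposes.
MGMT_PREFIXES = ("/config/", "/admin/")
WRITE_METHODS = ("POST", "PUT", "DELETE")

# Common Log Format: host ident authuser [time] "METHOD path proto" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample lines for illustration only.
SAMPLE_LOG = """\
192.0.2.10 - admin [01/Aug/2015:10:00:01 +0000] "GET /config/network.htm HTTP/1.1" 200 2048
198.51.100.7 - - [01/Aug/2015:10:05:12 +0000] "GET /config/network.htm HTTP/1.1" 200 2048
198.51.100.7 - - [01/Aug/2015:10:05:30 +0000] "POST /config/save.cgi HTTP/1.1" 200 64
203.0.113.5 - - [01/Aug/2015:10:06:00 +0000] "GET /admin/users.htm HTTP/1.1" 401 0
203.0.113.5 - - [01/Aug/2015:10:06:02 +0000] "GET /index.htm HTTP/1.1" 200 512
garbage line that does not parse
"""

def unauthenticated_mgmt_hits(log_text):
    """Return {client: [(method, path), ...]} for management requests that
    succeeded (2xx) with no authenticated user recorded."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # skip malformed lines rather than crash
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if not path.startswith(MGMT_PREFIXES):
            continue
        if m["user"] == "-" and m["status"].startswith("2"):
            hits[m["host"]].append((m["method"], path))
    return dict(hits)

def writes_only(hits):
    """Narrow to state-changing requests, the higher-priority alerts."""
    out = {}
    for host, reqs in hits.items():
        writes = [r for r in reqs if r[0] in WRITE_METHODS]
        if writes:
            out[host] = writes
    return out

if __name__ == "__main__":
    for host, reqs in unauthenticated_mgmt_hits(SAMPLE_LOG).items():
        print(host, reqs)
```

A 401 on a management path, as in the fourth sample line, is the expected behaviour; a 2xx with no auth user is the condition worth alerting on.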
 
INB4 iOS and iPhone people come to rage.
 
I don't know. But on this forum they're going to see something about a finger print scanner insecure and automatically jump on iPhones.

It's the circle of life.
 
I like how it's really a webserver exploit and the fingerprint hardware isn't even involved.
 
Finger print readers are stupid. Just waiting for ours to get installed at work. I'm already dreading it.
 
Please elaborate on your statement.

Pros I can see:

-No passwords to remember
-No key/key card to carry around
-Never have to change your fingerprint after 30 days
-Never have to worry about leaving your thumb or finger of choice laying around

Cons?
-A sophisticated thief could pick your thumb print off of something...but really this is about the same level of paranoia as someone simply hacking a key card or password.
-You can no longer use the excuse "I don't know my password" or "I left my key at home" to get out of work
 
Finger print readers are stupid. Just waiting for ours to get installed at work. I'm already dreading it.

Much better than the keypad with swipe card. Swipe your card, enter your pin, choose clockout. Thumb reader updated that process to press thumb, press clockout button
 
Please elaborate on your statement.

Pros I can see:

-No passwords to remember
-No key/key card to carry around
-Never have to change your fingerprint after 30 days
-Never have to worry about leaving your thumb or finger of choice laying around

Cons?
-A sophisticated thief could pick your thumb print off of something...but really this is about the same level of paranoia as someone simply hacking a key card or password.
-You can no longer use the excuse "I don't know my password" or "I left my key at home" to get out of work
Cons
- Once a fake finger has been created to steal access to your data there is no method to "reset" like with a normal password.
- Burn your finger on a hotplate and you lose access to your device
- Work as a builder, plaster, or any of those manual trades outside with your hands and fingerprints change

A comical one I saw was some reality TV programme where a group of people had been on an island for three weeks. When they returned to "normal life" they were picking up phones to call family. One kiddie had a fancy smartphone with a fingerprint unlock. It didn't work any more. He could not get in. He had lost too much weight, and been outside actually working with his hands, and now his prints had changed too much.


The real problem in the original new post is the lazy "build alpha version, test it, ship alpha version in pretty box" Routine method of many cheapo hardware items being produced. Marketing drive the delivery times therefore bypassing all the sensible "expensive" ideas the engineers are talking about like actually making the device secure.

I was involved with door entry systems in the 1990s. We developed a test version for the office. A development idea, so no encryption in place. Just basic network communication in place using a home rolled protocol. All us devs knew how to bypass it, reset it, hide entry\exit, etc. Yet this thing was then suddenly sold to clients without us being able to finish it. Most stunning part of that is that one of the clients was a Bank! Head office and branches were being "secured" with this joke of a product.

Yeah - the original story doesn't surprise me.:rolleyes:
 
Cons
- Once a fake finger has been created to steal access to your data there is no method to "reset" like with a normal password. But you have 9 other fingers...so...
- Burn your finger on a hotplate and you lose access to your device But you have 9 other fingers...so...
- Work as a builder, plaster, or any of those manual trades outside with your hands and fingerprints change Your finger prints don't change. Sure, you get crap on them. But using plaster won't change your finger prints. Sorry.

A comical one I saw was some reality TV programme where a group of people had been on an island for three weeks. When they returned to "normal life" they were picking up phones to call family. One kiddie had a fancy smartphone with a fingerprint unlock. It didn't work any more. He could not get in. He had lost too much weight, and been outside actually working with his hands, and now his prints had changed too much.


The real problem in the original new post is the lazy "build alpha version, test it, ship alpha version in pretty box" Routine method of many cheapo hardware items being produced. Marketing drive the delivery times therefore bypassing all the sensible "expensive" ideas the engineers are talking about like actually making the device secure.

I was involved with door entry systems in the 1990s. We developed a test version for the office. A development idea, so no encryption in place. Just basic network communication in place using a home rolled protocol. All us devs knew how to bypass it, reset it, hide entry\exit, etc. Yet this thing was then suddenly sold to clients without us being able to finish it. Most stunning part of that is that one of the clients was a Bank! Head office and branches were being "secured" with this joke of a product.

Yeah - the original story doesn't surprise me.:rolleyes:

See above.
 
Also older people often have trouble with finger print scanners as they don't have much finger print left (though maybe software/better hardware might help) also some diseases can cause a person's finger prints to change/fade. The convenience is nice but you should be able to over-ride it with a good secure password.
 
I don't know. But on this forum they're going to see something about a finger print scanner insecure and automatically jump on iPhones.

It's the circle of life.

It's a fundamental problem with biometrics. A fingerprint is just a long password that you can never change, you can improve security with proprietary hardware hashing but someone will eventually reverse engineer it or find points to jump in to bypass it.

The fact that Apple chose the bio-metrics route is on them.
 
A comical one I saw was some reality TV programme where a group of people had been on an island for three weeks. When they returned to "normal life" they were picking up phones to call family. One kiddie had a fancy smartphone with a fingerprint unlock. It didn't work any more. He could not get in. He had lost too much weight, and been outside actually working with his hands, and now his prints had changed too much.

Reality shows are anything but reality. iPhones, for instance, revert to requesting the standard password after 4 fingerprint scanner failures -- which happens often if you get your hands wet.
 
Reality shows are anything but reality. iPhones, for instance, revert to requesting the standard password after 4 fingerprint scanner failures -- which happens often if you get your hands wet.

I hate that! I mean I don't but it does annoy me at times. I guess if it was more forgiving then it would just almost let anyone in my phone. The key requirement also happens at each reboot of the phone.
 