Banknotes Misproduction security & biometric weakness


In recent months, the Vulnerability Lab team reviewed the new 20€ & 50€ banknotes of the European Central Bank. One of our core team researchers identified that different components are in use for the security sign of the holograms. The security signs are built by the European Central Bank with several high-profile elements to ensure that the banknotes have a serious level of protection against fraud or fake money. After spending some time identifying an impact, we were finally able to identify the following security problem.

We discovered an anomaly in the hologram section of the newly printed 20€ & 50€ banknotes. The security sign on the banknotes is produced with a transparent film. In the middle of the new hologram of the 20€ & 50€ banknotes is a picture of a woman and different fingerprint-like structures. At the moment we noticed the problem, we used a microscope to look closer.

After an internal discussion about whether the security sign could be used for biometric authentication processes, we tested the hologram on different fingerprint scanners such as an Asus Pro laptop, Eikon, Samsung Galaxy S7/8 and the Apple iPhone v11. All mechanisms could be bypassed using the hologram of the banknotes to fake a fingerprint which is accepted by the fingerprint scanner system. After that, the attacker is able to log in again with the universal hologram.

Finally, we were able to bypass the biometric identification process of the different devices. No system is able to identify that the hologram is not a real fingerprint. In the end, we figured out in the testing process that the holograms can be used both to add a fingerprint (write) and to authenticate (read). There are now multiple problems in connection with the security issue.

1. Fingerprint - Reader & Writer (Mobile Devices)

End-user devices such as phones with fingerprint sensors from manufacturers like Samsung, Apple, Huawei & co are permanently vulnerable to this new type of attack. The sensor does not verify the reflection of the hologram in read and write mode. It interprets the security signs as features of a real fingerprint. This results in an easy bypass using any 20€ or 50€ banknote after registration. An attacker only needs to place his finger behind the hologram to bypass the finger pulse check of the iDevice. None of the other mechanisms accurately verifies the content during the sensor check.
 
2. Biometric Security in Europe
Each time the ECB produces more of the affected banknotes, biometric security across all European countries is generally weakened. In the near future the ECB plans to integrate the holograms into every banknote (5€, 10€, 100€ & co.). This would be a crazy incident for all biometric systems using a fingertip to authenticate, because any person is by now able to perform this type of attack against an environment or service.
 
3. Fake fingerprints to go
Any person who has access to a system could use a hologram of a European banknote to fake his fingerprint. Even the ones who do not have the expertise to fake it, because in case of a publication, the government would have to reckon with it.
 
4. Universal fingerprint as key
Once a hologram is written to a database, any attacker could use another hologram of the same banknote series to bypass the security mechanism and finally get access to the environment. Administrators or moderators are also able to set up a universal fingerprint key in any DBMS for further entrance.
 
5. Save content in biometric signs or read data
The problem could be used by security agencies to save data in the biometric sign or to get access to protected environments. An agent could, for example, save data variables in the biometric sign of the banknote to exfiltrate information.
 
6. Information in the hologram
In the special case where a fingerprint entry is generated from mathematical variables with plain information, the content can be saved as plain-text information to extract the binary information. The binary information of the hologram fingerprint can then be deciphered by using different unknown one-time pad keys. So the data of the fingerprint is translated to binary code in plain text with a fingerprint device (open source). The plain text is then used to identify a cipher inside the security sign hologram.

7. Save your Privacy

At that point, people can just as well use the hologram to authenticate to a system or to a mobile device. If a user does not want to save his personal fingerprint to an untrusted device, he can by now use the hologram to save a fingerprint and authenticate in a fully anonymous way.

8. Bypassing the biometric security with the help of banknotes

Spread: LOW
Exposition: MODERATE
Exploitation: MODERATE
Detection: EASY
 
Problem Description & Causes
Reference 1 has shown in a PoC that the biometric security signs of European bills can be used for counterfeiting a fingerprint.
 
Possible threat scenarios
1. Avoiding person-related biometric backup in mobile devices, such as the Apple iPhone, and many more.
2. If necessary, falsification of the biometric identifiers of identity documents. Fake ID documents can be sold on the black market with a one-time registered fingerprint. The number of copies and persons is irrelevant.
 
Countermeasures:
1. Generate awareness among manufacturers and users of Smart Meter Biometrics.
2. Educate data feeders so that fingers are checked and free of foreign matter (e.g., glue or the like).
3. Organizational measures

a) Review of existing biometric profiles on devices
b) Modify process of identification of biometrics
c) Check the biometric data for duplications in IT systems and databases
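
One way to carry out countermeasure c), as an added example that is not part of the original report: compare every pair of enrolled templates and flag distinct accounts whose templates are nearly identical. It assumes templates are stored as pre-aligned minutiae lists (x, y, angle); the account names, sample data, tolerances and threshold are constructed for illustration.

```python
import math
from itertools import combinations

# Constructed sample data: each template is a list of minutiae (x, y, angle in degrees),
# assumed to be already aligned to a common frame by the enrollment software.
TEMPLATES = {
    "alice": [(10, 12, 30), (40, 44, 90), (70, 20, 180), (25, 60, 270), (55, 80, 45)],
    "bob": [(15, 70, 10), (48, 22, 200), (80, 65, 120), (33, 35, 300), (60, 10, 75)],
    # Nearly identical to "alice": same pattern, slightly different capture.
    "kiosk-admin": [(11, 13, 32), (39, 45, 88), (71, 19, 183), (26, 61, 268), (90, 90, 0)],
}

def minutiae_match(a, b, dist_tol=4.0, angle_tol=10.0):
    """True if two minutiae agree within position and angle tolerance."""
    dist = math.hypot(a[0] - b[0], a[1] - b[1])
    diff = abs(a[2] - b[2]) % 360
    return dist <= dist_tol and min(diff, 360 - diff) <= angle_tol

def similarity(t1, t2):
    """Greedy one-to-one pairing; score = matched / size of the larger template."""
    unused = list(t2)
    matched = 0
    for m in t1:
        for cand in unused:
            if minutiae_match(m, cand):
                unused.remove(cand)  # each minutia may be paired only once
                matched += 1
                break
    return matched / max(len(t1), len(t2))

def find_duplicates(templates, threshold=0.6):
    """Return (account_a, account_b, score) for each pair at or above threshold."""
    hits = []
    for (ua, ta), (ub, tb) in combinations(sorted(templates.items()), 2):
        score = similarity(ta, tb)
        if score >= threshold:
            hits.append((ua, ub, round(score, 2)))
    return hits

if __name__ == "__main__":
    for ua, ub, score in find_duplicates(TEMPLATES):
        print(f"review: {ua} and {ub} share a near-identical template (score {score})")
```

Pairs reported by this check are candidates for manual review and re-enrollment, since two different accounts should not carry the same fingerprint pattern.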
 
The following video demonstrates the impact of the anomaly with iPhone, Samsung, Asus, Lenovo & Android.

Please feel free to continue reading the full documentation of the anomaly issue that affects fingerprint devices.
 
The problem was reported to the BSI and CERT of the German government in October 2017.
 