Fingerprint scanners are essential elements of the physical access control systems of many organisations. Yet, they combine a unique set of potential vulnerabilities: they have to be located outside of the security perimeter, they are IoT devices with all IoT properties – no upgrades, legacy software, lack of support, they often have to be compatible with legacy insecure protocols and integrated with legacy systems.
In this talk we will explore security of access control devices, demonstrate some physical-to-virtual attack venues and discuss possibilities to ensure hard-to-detect persistency on the network. Fingerprint scanners are often Linux boxes with software that was not updated for years as vendors do not have incentives to do it. We will demonstrate, how these software vulnerabilities combined with lack of physical protection could lead to device compromise. We will also explain how weaknesses (or lack of) image verification allow for upgrading to a trojaned firmware once the device it compromised.
Further, such trojaned devices may provide access to organisation’s internal network. We will also explore other devices in the family demonstrating that this class of vulnerabilities is present across wide set of devices. Finally, we will present our estimations of the existing opportunistic attack surface – based on Shodan and our scans.
