I'm going to take you through a worked example of a biometric system, one of my favourite ones actually. And then we're going to have a look at a common attack that they're all susceptible to. And I'm going to do a quick demo for you as well.

So most of you should be aware of the standard access control system. You tend to have an access control reader on the outside; it may be biometric. Obviously an electric lock on the door, generally a push-to-exit button on the inside. They all hook back to an access control system, quite simple. In a slightly smarter system, the actual access control system may be remote to the door, so it may be talking to a local door controller. And this one is actually configured as what they call an anti-passback system. So basically you have to swipe to get out. They tend to use this with things like turnstiles. So you've got an exit reader, an entry reader, so people know that you're actually out of the area.

So we have, as you're all aware of, the magstripe card. Everyone's got one in their pocket right now. The Wiegand card, which we'll go into a little bit later. Proximity cards, again, most of you probably actually own one of these. The barium ferrite card, which you probably don't. You might have done like 10, 15 years ago. The concealed barcode card, which I hope you don't own. And contactless smart cards. So I am going to go through this stuff quite fast, because it's just to give you a brief overview of how this stuff works.

So the concealed barcode card. It is as crappy as it sounds. Basically it looks somewhat similar to a magstripe card. You've got a black bit that goes right to the bottom of the card, and that's IR transparent.
And in the middle of that you've got a barcode. So basically with a torch and a photocopier you've got it owned. It is just fucking embarrassing. If you see someone with one of these, I want you to shoot them.

Magstripe cards. So we're all familiar with them. Normally they've got about three tracks. Some manufacturers are going to mess around with the standard track configuration. We've got two different strengths of cards: basically high-coercivity cards. Quite a lot of driver's licences are HiCo cards. And LoCo, they were the original kind of bank magstripe cards, quite easily erasable. Your hotel key will almost certainly be a LoCo card. So the standards generally have three tracks at different bit densities. They're read by an exposed read head in the reader, which makes them a little bit vulnerable. And when someone sells you a high security barcode system, sorry, barcode, magstripe system, it can be as simple as they adjust the offset on the heads so the tracks aren't where your reader-writer thinks they are. Or they can screw around with the bit padding and things like that. So generally they're trying to protect something that's inherently not really protectable. They talk, I think, all clock and data. So you've got the clock signal on top and it just clocks out the data bits on the data line at the bottom. That's what it actually looks like in real life. This is actually, I have to add, a very, very small part of my Visa card. Okay, moving right along.

Barium ferrite cards, these were the original card keys. They tend to use the insertion reader, but more modern ones I've seen have a, you place the card flat on the reader. And basically if you were to take a card, sprinkle iron filings over it on a sheet of paper, you'd see these discrete little magnetic domains. And that's how the cards are encoded. So if you break them open, it tends to look very much like a fridge magnet inside. And as I mentioned earlier, it was the original card key, the Wiegand card.
Now this is where you've got to start paying attention. Wiegand cards have a special alloy wire, and basically it exhibits what's known as the Wiegand effect. And as you see, the wire is embedded in the card in a distinct pattern. In fact two rows: we have a row of ones and we have a row of zeros on the bottom. And that's a simple bit pattern. When you swipe it through the reader, there's a set of one readers and a set of zero readers and it just lifts the code straight off the card. That's what one looks like, and if you actually hold it up to a bright light you can actually see the discrete wires embedded in the card. And again, this arrangement's important because you'll be able to see what it actually looks like when we talk about the electrical protocol, and it looks stunningly similar.

The Wiegand effect. Basically they thought this was so secure because the wire is really, really hard to manufacture. It's coaxial, and the centre is in tension and the outside's in compression. It's all very wacky stuff. But the bottom line is you wave your bit of Wiegand wire past a magnet polarised in one direction and it kind of stores charge. When you wave the charged wire past an oppositely polarised magnet it kind of dumps the magnetic flux which, with a small read head, like a magnetic read head for a swipe reader, you can pick up as this tiny little pulse. Now that was how the card worked, on the Wiegand effect.

Coming out of a Wiegand reader you've got this thing called the Wiegand electrical protocol, and this is the thing that we're going to look at a lot later on. So basically you've got three wires. You've got a one wire, a zero wire and a ground. Here we can see the code that's being transmitted down this line at the moment is 1001011. It's that simple. The timing can be quite flexible, but generally with the particular reader I'm looking at here in this demo it's a dip of about 40 microseconds with about a two millisecond gap in between pulses.
As you can see, if you actually look at it on a logic analyser it looks remarkably similar to the actual coding on the card. The logic analyser trace here isn't actually of this card code, but when you put them side by side it's very easy to work out what's going on.

So once we get the code out of the card, through the reader and down the wire, this is how things are actually broken up. The standard Wiegand format is 26 bits. So the basic Wiegand system is a 26-bit system. They're all over the place. 26-bit is considered a universal format, and I'll go into a little bit about that later. But basically what you have is 26 bits. The first bit and the last bit are parity bits, and then the 24 bits in the middle are chopped into a site code and a card code. So generally when you go to your vendor and say I want a whole bunch of cards, they'll say what site code, you say oh, I'll have site code 102 and I want cards 1 to 100.

Proximity cards, again, we've all got them around. They're passive. So basically what's happening here is the reader is actually emitting a magnetic field, an RF field, and it magnetically couples to the card, and as soon as the card gets activated it literally just barfs data back. There's no authentication between the card and the reader. As soon as the card's energised it starts transmitting its code. There are active cards, and they tend to have a slightly longer read range, and they emit their own field to the reader. Now when you hold your proximity card up to the light you think that basically it's like one of these store anti-theft tags where you've got just a single foil antenna. What you actually have is about a bazillion turns of the finest wire you will ever possibly imagine. And this is what happens when you take a proximity card and dip it in chloroform and dissolve the plastic. Now I hasten to say I didn't do this, but it works quite well. You're killing puppies, apparently. OK. So don't get proximity cards and RFID confused.
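The 26-bit frame just described, worked through as an added example (this is not code from the talk or from the Gecko project). The talk only says that the first and last bits are parity and the middle 24 bits hold a site code and a card code; the 8-bit site / 16-bit card split and the even/odd parity rules below are those of the standard 26-bit format. The pulse-capture representation (one "D0" or "D1" entry per dip on the data lines) and all function names are assumptions made for the example. The point on the controller side is that parity is the only integrity check the wire format offers: it catches a single corrupted bit, but nothing in the frame proves which reader, or which card, produced it.

```python
"""Standard 26-bit Wiegand frame: encode, decode and parity-check.

Bit layout as transmitted (26 pulses, one per bit, on the D0/D1 lines):
  bit 0      : even parity over data bits 0-11
  bits 1-8   : 8-bit site (facility) code
  bits 9-24  : 16-bit card number
  bit 25     : odd parity over data bits 12-23
"""


def encode_wiegand26(site_code, card_number):
    """Return the 26-bit frame a reader would clock out for this card."""
    if not 0 <= site_code <= 0xFF:
        raise ValueError("site code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    data = f"{site_code:08b}{card_number:016b}"      # the 24 payload bits
    leading = data[:12].count("1") % 2               # even parity over first 12
    trailing = 1 - data[12:].count("1") % 2          # odd parity over last 12
    return f"{leading}{data}{trailing}"


def decode_wiegand26(frame):
    """Controller-side parse. Raises ValueError on length or parity failure."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected 26 bits of 0/1")
    data = frame[1:25]
    if int(frame[0]) != data[:12].count("1") % 2:
        raise ValueError("leading (even) parity failed")
    if int(frame[25]) != 1 - data[12:].count("1") % 2:
        raise ValueError("trailing (odd) parity failed")
    return int(data[:8], 2), int(data[8:], 2)


def frame_from_pulses(pulses):
    """Reassemble the bit string from a logic-analyser style capture: one 'D0'
    or 'D1' entry per pulse in arrival order (a dip on D0 is a 0, on D1 a 1).
    This capture model is an assumption of the example."""
    lookup = {"D0": "0", "D1": "1"}
    try:
        return "".join(lookup[p] for p in pulses)
    except KeyError as e:
        raise ValueError(f"unexpected pulse line {e}") from None


def controller_decision(frame, allowed):
    """Minimal access controller: parity-check, then look up (site, card)."""
    try:
        card = decode_wiegand26(frame)
    except ValueError as e:
        return f"rejected: {e}"
    return "granted" if card in allowed else "denied"


if __name__ == "__main__":
    # Constructed sample: the talk's "site code 102, card 1".
    frame = encode_wiegand26(102, 1)
    print("frame on the wire:", frame)
    print("decoded:", decode_wiegand26(frame))
    # A controller that knows two cards, as in the demo.
    allowed = {(102, 1), (102, 2)}
    print("card 1:", controller_decision(frame, allowed))
    print("card 3:", controller_decision(encode_wiegand26(102, 3), allowed))
    # Flip one data bit: parity catches it and the controller rejects the frame.
    bad = frame[:3] + ("0" if frame[3] == "1" else "1") + frame[4:]
    print("corrupted:", controller_decision(bad, allowed))
    # The 7 pulses shown on the slide reassemble to the code the talk quotes.
    print(frame_from_pulses(["D1", "D0", "D0", "D1", "D0", "D1", "D1"]))
```

Because the frame is plain text, `decode_wiegand26` recovers site and card from anything captured on the D0/D1 pair; the controller cannot distinguish a frame produced by the reader from one produced by anything else wired to those lines, which is the weakness the rest of the talk is about.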
Proximity cards are magnetically coupled. It's the same with your new biometric passports. They have a coil of wire inside and they need to be quite close to the reader to actually get energised and transmit. Whereas true RFID tags can get hit from a distance, and basically they're true little radio transceivers. You power them up on one frequency and they transmit their code back on a second frequency. Generally it tends to be a fraction of the energising frequency. And with RFID tags you can read them from a decent distance away.

So, proximity cards. They barf back a single bit stream when they're energised. They're all Manchester encoded, generally, and in order to get the data from the card to the reader, that 26 bits that gets sent along the Wiegand electrical protocol line, the card is sending back about 506 bits, super padded out with error correction. So for your 26 bits going down the wire from the reader, the card is transmitting about 506 to actually get those there. Now when the manufacturers say hey, I've got this really high security prox card, high security just means they've added a few more bits or they've changed the bit length so they're not quite standard, but they still get transmitted down the wire in the same manner. Another way they do it is they say right, for a mere X million dollars, or whatever they decide to charge that day, they restrict site codes. So someone may come up and say right, I now have this new 64-bit format and I'm only going to sell you your own site code, Mr Microsoft or Mr Intel or whoever, and basically they get a site code that the manufacturer will only issue to them. It's like having do-not-duplicate keys. In general, if you buy a stock system off the shelf they'll be using 26 bits.
Contactless smart cards, not proximity cards, but they do tend to use the same magnetic coupling. They're a higher frequency because they're a little bit smarter, but in my humble opinion it's the way to go. They're quite smart, they can do strong crypto, they authenticate between the card and the reader so the card's not just barfing its secrets back, and generally reasonably secure. That Philips MIFARE system is used for stored payments. The London Underground implemented one called the Oyster card just recently using MIFARE, which would have been immensely secure had the key not been the same key as the programming example in the manual. So it's sad but true; however, one would hope people learn from shit like that.

OK, so on to biometrics. Retina scanners, the old iris scan, which they're now implementing at quite a few airports, a new one for me which is vein hand and finger maps, hand geometry, a perennial favourite, and the old fingerprint scanners. Well, basically a simple image capture and compare, and you'll come across that again and again with biometric devices. Fingerprint scanners tend to use two technologies, two main technologies: optical, which you've all seen, glass platen you put your finger on, and the kind of gold platen which actually uses capacitance to create the image. And that's exactly what it does, it creates a single image of your fingerprint. Everyone by now has seen the MythBusters episode: gummy bears, like, photocopies, which is the saddest thing ever, and it's like why bother making a silicone fingertip when you can lick a photocopy. So generally the way these systems work is you've got your image, and as you can see here there are certain fingerprint features, and a standard forensic analyst would look for things like enclosures, bifurcations where the ridge splits, little islands, and when the ridge actually ends, and they use that to create a map. Now here's the thing, and here's the scary thing about fingerprints and a lot of biometrics: you've got an image, and from that point onwards it's just image processing. So when you buy that fingerprint scanner you've got to think who was the programmer that actually created the algorithm. Given a picture of a fingerprint, someone had to sit down and create an algorithm to identify that fingerprint. How much do you trust them?

Hand geometry scanners, a bit of a fave, but it's super easy to use. However, in general this is highly embarrassing: a lot of people's hands are actually the same or very similar. So when I was showing my next door neighbour, who now has a set of keys to my house, how to get into some of the more secure areas, I enrolled him with a hand geometry scanner, and as we were kind of proving it, I'm like typing in his code and he's putting his hand in, that's great, then I accidentally type in my code and he puts his hand in and it opens the door. So they're coming out soon, basically. But in general, again, it's another image. One of the problems inherent with biometrics is that your image is squared away. So here there are little pegs that the user lines his hands up against, and there's a whole set of little LEDs on the top of the reader that go out when your finger's in the right position. You put your hand in, you close your fingers up against the pegs, it takes a snapshot and then analyses it. And actually with this, I thought it was quite a cool hack, some guy realised that just this side of the reader there was space. There's a camera up here taking the picture down there; there was enough space to put in a 45 degree angled mirror, so at that point you now get this image which is across the side of the hand. So there's a little reflective surface here, and that must have made them jump for joy because they then released this, which is the hand scanner 3D.

So a new one that I haven't actually played with yet is the vein hand scan. This uses an infrared camera. It's another image capture, as I said they all are, and you can see with this set of three images: here's the hand, here's the hand in IR, and when you process
it and take the hand away, this is what you get: the actual map of the veins, which are analysed just like the fingerprint to create the actual identifying map.

Now I actually enrolled with this. Coming back into the UK, or going out from the UK, you get now to enrol in their iris scan program, and I thought great, I'll have a go. Again, it's just an image; if you've got a high-res camera, some potential problems with snatching things as people glance by. And one of the problems with it I noticed was the first time I used it my passport had expired, and I thought yeah, I'll give it a go anyway. Ding, lets me in. I'm like OK, so one of two things have happened: either it hasn't identified me as me, or they haven't put in the fact that my passport expired like six months after I enrolled. One of the problems with this is you should use biometrics to verify the identity of someone; you should not use them to identify people. So what they should have done is had me scan my passport and then scan my iris. At that point I know they're comparing it with my template, they know I'm me, or they're comparing me with the template I enrolled with. When you start to take something and just say oh right, this matches, you didn't even say welcome back Mr Franken, I could have been anyone.

My absolute favourite, I own three of these, also known from Uncle Ira as the rectal scanner. That is actually a big brown stick fixed to the wall, but we'll go into that right now. OK, it's one of the things that's most secure as a credential, it's very hard to steal. The only problem is it's not very easy to use. You absolutely have to be trained how to use these things and it needs practice. You can't use them with glasses; take your glasses off every time you use it. Manufacturer went bust. OK, so I'm going to use this and take you through a bit of a worked example just to show you how biometric systems tend to work. So first of all the user enters a code on the reader. This is a good thing, so we're matching me with my template. And then a visual dot and a little target, and then an eyepiece. If you ever use one, before you look in the eyepiece make sure you've got your finger on the scan button because you're going to need to press it. So you look into your eyepiece and literally you shuffle your head around till the dot is in the centre of the target, and then you hit the scan button, and then you hold still because it takes about a second. If you wobble a bit... the initial ones used to have a head bar that you rested your head on; weren't popular with users, it's like I don't want his cooties. So they all have a variance factor to handle this: my head wasn't in the right place, my finger wasn't quite centred correctly, so no two reads are ever going to be identical. If they ever are it's a miracle, it's like a 1000. So you need a bit of fudge in all of these devices.

So here's the retina. It is not mine. And here's the target as it looks lined up, and imagine this being projected onto the back of the retina. I hit the scan button and the scanner, which, actually a retina scanner has lots of little whizzy spinning mirrors, like proper old school tech, the scanner activates and it literally looks at a circle around your eye. It scans that circle and then it goes to process it. So basically, effectively it straightens it out and deals with it like it's almost a barcode. As it moves around it says OK, at 46 degrees I've got a black splodge, and another one at 88, 163, 179, and this generally creates your template. Surprisingly enough, on the original ones templates were exactly 360 bits long. Now, as it says here, it did change on later models, but it shows you how the implementers of these things think. Here you've got your retina scan; how are you actually going to deal with it? My fave, coolest fuck, problems are alignment. So it's totally subjective. So remember a couple of slides back when I showed the target in the centre of the retina? Well, that is where I perceive the centre of my vision to be. It may not physically be the centre of my retina, so it's
almost like having a brain print with the retina scan, because where it's projected on the back of the retina, as I grew up the nerves as they developed said this is the centre of your retina. It may not physically be the centre, but that's where I perceive it to be. You've still got a bit of a fudge factor, so there's still a bit of leeway allowed, and your ID generally tends to end up as a hash, which is not always fantastic.

So in biometric systems there's two key statistical things. Basically you've got your false acceptance rate: how many times are your users going to get bounced when they try and scan their way into the building. And then there's the false... sorry, I've got them the other way around. The false reject rate: how many valid people do I kick out because the scan was bad. And then there's the false acceptance rate, which, especially for the military people, they really don't want to be high at all, is how many bad guys actually got in because it misidentified their scan. You've got to tie it with a user ID. It's really, really, really key. OK, we also have another problem with biometrics. Once I've enrolled my hand or my finger and someone duplicates that, how are you going to deal with credential revocation? It's a bit of a sticky wicket. Now this is bad, not quite as bad as... so yeah, ouch.

OK, so with all these systems, as I said, this was just a background to what I'm actually going to talk about. There is a bit of a common problem. So backwards compatibility, not always great. Going back to Wiegand, when they came out everyone wanted Wiegand cards, so all the access control manufacturers implemented the Wiegand electrical protocol so they could interface with Wiegand readers, and they still do. So everything we've talked about today, from the crappy barcode reader to my fave retina scanner, talks Wiegand out its back end to the access control system to say yeah, this guy is actually allowed. It's plain text, it's easily intercepted, it's easily replayed. It includes the biometric readers and it also includes output from strong crypto readers. So basically you've got your card, it's doing a strong crypto handshake with the reader, great, and then the reader goes oh, access control system, have everything in Wiegand.

So I decided to come up with a device that would record Wiegand IDs and replay them back. It needs to be small because we're going to have to physically access the wiring, make it easily installable, and cheap would be good. That raised certain problems: how do we actually control it once it's installed in the wall behind a reader, and also how do I work out when the card reads are actually good reads, and I'd quite like to get the data out every once in a while, so how am I going to do that? Now I'm drying up, so I'm going to get a glass of water, and this is where I spill the water over my laptop and end the presentation.

OK, so generally these readers, this is a classic example of how a reader is connected. You've got positive and negative to power the reader up, you've got an LED line that comes from the access control system to say yep, they're allowed, and you've got your data 1 and data 0 Wiegand data lines coming from the reader. Say hello to Gecko. It uses command cards to control the functions, it uses the access allowed LED to make sure we've got the card right, and it also uses the access allowed LED to download data out of the reader. That's my fave. So once you insert it into the system, you see it actually intercepts the LED lines and the data lines to and from the system. Now Maggie, can I just grab you a sec? Can you hand one of these to each of the three banks and just have them hand them around and hand them back. Right, so if you just pass these around, pass these along, and eventually they'll get to the back of the room and then someone will steal them. They are empty, however, so you're shit out of luck, you just scored a bit of plastic. So this little device has two quick connects on either side, these guys here, so you just literally cut the wires, poke them into the
quick connects and just crimp down, and it's in. So I'm going to give you a little demo. It's a demo, so it's not going to fucking work, but if it does I'm going to take all the credit for it. OK, so here we have, can everyone see this from that corner? So here we have a simple access control reader, and remember, don't focus on the reader, because the reader isn't the problem, the Wiegand protocol is the problem. And this is talking to a tiny, tiny access control system which happens to know about two cards. So I'm going to power it off, and can I have Maggie and Helen? There you go, that was good. It's going to be a lot of RF flying in here and this particular demo isn't shielded. So here are our valid users, Maggie and Helen, say hello, and here we have our bad user. OK, so Maggie, would you like to swipe for us? Would you like... Maggie, Helen. Can we move the volume up a little bit? And we have our bad user. OK. Nah, you're not getting in. OK, and we also have our three mystery cards. We have card A, denied, card B, denied, and card C, denied. OK, so what we're going to do now is I have the same thing you're looking at, except it's already in a little harness so I can plug it in without fucking around. Always gets the first one wrong. C'mon. Sorry, it's just a little sound board, needs to initialise. OK, so now we have... we're back in. We've popped this off. As I said, two screws and a plastic cover, it's not hard. You pop the cover off, install Gecko, screw it all back onto the wall. It is your knife, I borrowed it. OK, now you made me forget where the fuck I was, you bastard. You may be getting your knife back very shortly. OK, so Gecko's now installed. Can we try with our bad user? Nah, he's still fucked off. Helen? You like Helen. Maggie. Mystery card A. Card says replay. So now basically it will replay back valid users. This particular unit won't, because I'm not trapping the LED, but it's just an old demo unit. So everyone can get in normally now. So can I... mystery card number B. You know it's working fine. Helen, bad user, Maggie, hey, I can still get in. Card says disable, and oh, I guess I'll let you guys back. Card number C, or card C, bad user, and of course I can still get in.

So there's a whole bunch of other stuff you can do as well now this is in place. Let's see. Actually you guys can sit down, we're good. Thank you, thank my helpers please. Sorry, and thank your bad user Steve. So this is version one, the proof of concept. It has a very basic feature set: it records, it replays, and it can disable users, oh, and it can enable them as well. Version two, which I'm currently working on, and I didn't have my demo version ready for you, it can store multiple IDs and it writes them back to the flash in the chip. We monitor the reader line so we know that we actually got... we were actually capturing good cards. Download via reader LED: so basically there are other systems that allow you to emulate these cards by actually presenting something to a reader. So this would enable me to actually install one of these guys at the reader at smoker's corner, every office building has one, and just record everything going in and out of that door, then dump the data out, because I have to have a dump card. So hold my reader device against the LED, swipe my dump card, dump out the data to the reader; the reader is just another little PIC. I can load data back into Gecko via command cards. Slightly comical: I have my program card and I have my one and my zero cards, so program, one, zero, zero, zero, one, one, end program. So version three. Now this is all good for swipe or proximity card readers, but I don't have a whole bunch of retinas or irises to present to a biometric reader, so version three is Bluetooth controllable. It's perfect for biometric devices, so once it's in the wall, access via Bluetooth, can download and upload from it. And then there's version four. Now version three is slightly larger because of the Bluetooth, slightly physically larger because of the Bluetooth interface. In fact, what's in those devices, make sure you're still
passing them back, because the guys at the back aren't going to get it by the end of the talk. Basically the biggest problem here is physical, the size of the physical connectors. Everything else can be reduced to surface mount and made real small. There's actually a dual in-line chip and socket in those, so as you can see it's not actually filling out the size of the device. So the Bluetooth one is slightly larger, and then there's version four, GSM, because that little guy there, actually, believe it or not, is not only a fully functional GSM phone, that one happens to have GPS in it as well, and it's slightly bigger than that quarter, and it's programmable in Python, and they're 50 bucks each. It's like, yes.

So I've been absolutely sprinting through this because I thought I'd... quite a lot, and the earlier stuff I really went fast on. So basically that's it, pretty much it in a nutshell. I'd like to say thanks to Vinnie Mann who made my demo stand, and thanks to Major Malfunction, who's somewhere here, for keeping me sane when I was doing my PCB design. And basically, any questions, especially if you didn't get any of the earlier stuff, because I know I've got a bit of a Scottish accent and I probably went a bit fast. So, questions from the floor.

The hand biometric ones tend to use their own network to talk between themselves and exchange templates, but they don't... they use Wiegand to talk back, so that's where you'd use the Bluetooth model.

Ah, tamper switches in readers. You'd be surprised how many readers don't have tamper switches, because this one doesn't, and I haven't actually come across one that has. So there are a few out there, but it's a bit of an issue.

I'm using PICs, so about, well hey, I need something easy, a couple of bucks for the actual units. But yeah, not hard, it's actually quite easy. And this can be inserted at any point in the cabling system. For example, if you look at the wind tower across the road, they've probably done their first fix electrical already on some of the stuff on the ground floor, so the cabling is in there. They're waiting for people to pop readers on the doors, so this could already be installed, stuffed up a conduit, just waiting for the sparkies to put the readers on and hook them up at the other end.

Sorry, say that again please. OK, the question was what about boards that have controllers built into the readers. Well, they're the most vulnerable things ever, because if you defeat the tamper switch on that you've got access to everything, because all the data quite often is stored on the actual device. So not great. And actually the biometric device, the retina scanner, holds all its templates in the actual scanner on the wall. It gets pushed out from a central scanner; normally you say you're the master, it pushes out the templates to all the other scanners over its own network, but it uses Wiegand to talk back. And if you have a standalone version, quite often the standalone versions rely on you not having an access control system, and most of those biometric devices have contacts inside for standalone use. So if you defeat the tamper and get it off the wall you can just hit the tamper switch and you're all set... sorry, hit the access control contacts and you're good to go.

Will I be releasing the design? It's not hard to do, so I'm probably going to shy away from that, because there's no immediate easy fix for this. I mean Wiegand is very widely used, and apart from installing tamper switches on your readers, which again is not particularly fantastic, it's a bit of a tough thing. We're talking about replacing readers. It's old technology, it's been widely adopted, so it's going to be a real problem.

The question was does it do PIN numbers as well. There's quite a lot of Wiegand PIN number readers, so you can actually enter your PIN number on the pad and it actually transmits Wiegand back. So yes, if it's a Wiegand PIN pad. There's a lot of really cheap ones around that aren't, that don't talk Wiegand, but if you're actually interfacing a PIN pad with a proper access control system it'll use Wiegand most likely.

The question was is it possible to mount one beneath the cover. Well, actually beneath this cover there's actually quite a lot of space, and I don't know if you can see this, it's all covered in epoxy compound, all the cables come through the back, so it would involve a bit of a solder job, but yes, it's perfectly possible with this style, or a particular style, of reader.

The power? Straight from the reader power. I mean, 12 volts, it's there for me to use, so I may as well use it.

Well, that's where your kind of fudge factor comes in. So basically with all these biometric systems there is a kind of variance factor, so basically you tend to set them: OK, if you say any scan can have a 10% variance, which is actually quite tight, or, you know, you can make it bigger and bigger and bigger. I don't know exactly how they're doing it in the case of the retina scanner. Excellent. Alright, thank you very much guys.
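The biometric matching points made in the talk, verification against a keyed-in ID versus identification against every template, the variance or "fudge factor", and the false reject and false acceptance rates, as an added example following the talk (this is not the speaker's code and does not describe how any real scanner matches). It assumes a template is a 360-bit string, the length the talk gives for the original retina templates, that two scans are compared by counting differing bits, and that the tolerance is expressed as a number of bits, with 36 bits standing in for the "10% variance" mentioned in the questions. All templates and re-reads are constructed with a seeded random generator; the function names are the example's own.

```python
import random

TEMPLATE_BITS = 360   # length of the original retina templates quoted in the talk


def hamming(a, b):
    """Number of bit positions in which two templates (ints) differ."""
    return bin(a ^ b).count("1")


def verify(templates, claimed_id, sample, tolerance):
    """Verification (1:1): the user keys in an ID and the scan is compared
    with that one enrolled template only."""
    enrolled = templates.get(claimed_id)
    return enrolled is not None and hamming(enrolled, sample) <= tolerance


def identify(templates, sample, tolerance):
    """Identification (1:N): no claimed ID, so every template is a candidate.
    Returns all IDs within tolerance; more than one means the match is ambiguous."""
    return [uid for uid, t in templates.items() if hamming(t, sample) <= tolerance]


def noisy_read(template, flips, rng):
    """Constructed re-read: no two scans are identical, so flip `flips`
    distinct bits (the result is exactly `flips` bits from the template)."""
    for pos in rng.sample(range(TEMPLATE_BITS), flips):
        template ^= 1 << pos
    return template


def error_rates(templates, genuine, impostor, tolerance):
    """genuine/impostor: lists of (claimed_id, sample) verification attempts.
    FRR = share of genuine attempts rejected; FAR = share of impostor attempts
    accepted. Returns (FAR, FRR)."""
    frr = sum(not verify(templates, uid, s, tolerance) for uid, s in genuine) / len(genuine)
    far = sum(verify(templates, uid, s, tolerance) for uid, s in impostor) / len(impostor)
    return far, frr


def build_demo(n_users=5, seed=1):
    """Constructed enrolment set: random templates, genuine re-reads at
    0..60 flipped bits, and impostor attempts that present another enrolled
    user's template under a different claimed ID."""
    rng = random.Random(seed)
    ids = [f"user{i}" for i in range(n_users)]
    templates = {uid: rng.getrandbits(TEMPLATE_BITS) for uid in ids}
    genuine = [(uid, noisy_read(templates[uid], flips, rng))
               for uid in ids for flips in (0, 12, 24, 36, 48, 60)]
    impostor = [(ids[i], templates[ids[(i + 1) % n_users]]) for i in range(n_users)]
    return templates, genuine, impostor


if __name__ == "__main__":
    templates, genuine, impostor = build_demo()
    print("tolerance  FAR    FRR")
    for tol in (18, 36, 72, 180, 250):
        far, frr = error_rates(templates, genuine, impostor, tol)
        print(f"{tol:>9}  {far:.2f}   {frr:.2f}")
    # Verification ties the scan to a claimed ID; identification does not.
    sample = genuine[1][1]                     # user0, 12 bits off the template
    print("verify user0:", verify(templates, "user0", sample, 36))
    print("identify @36:", identify(templates, sample, 36))
    print("identify @250:", identify(templates, sample, 250))
```

Loosening the tolerance drives the false reject rate down and the false acceptance rate up, which is the trade-off the talk describes; with identification the loose setting matches everyone, which is why the talk insists on pairing the scan with a user ID so the comparison is against one template.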