Author Topic: Capacitive fingerprint readers - security  (Read 410 times)


Offline luckycheese (Topic starter)

  • Newbie
  • Posts: 3
  • Country: de
Capacitive fingerprint readers - security
« on: March 15, 2024, 03:58:39 pm »
Hello,

I had an idea to use a capacitive fingerprint reader/sensor in one of my projects, so I did a little research on them. The number of readers available for hobbyists seems to be quite limited and seems to be well represented by the waveshare offer: https://www.waveshare.com/product/uart-fingerprint-sensor-d.htm

So, as I see it, the biggest reason of using a sensor like that is to prevent unwanted physical access. In that case, how does it make any sense that those sensors have no protection mechanisms for the MCU <-> sensor communication?

How they work is that first you configure them with your fingerprint(s) and then, when you touch the reader, it will notify the MCU that there is a fingerprint and it will send the index of the stored fingerprint (0 if there was no match). So the only thing that you need to do, to unlock the device, is:
  • remove the fingerprint sensor
  • connect to the MCU via UART that the sensor was using
  • notify the MCU that there is a fingerprint ready
  • respond to the MCU saying that the fingerprint was one of the valid ones
... and bam you've just unlocked the device!

Some of them give you an ability to set a password, but the only benefit to do so, is that it might slow someone down when trying to get your fingerprint data from the sensor itself (slow down, because you can still brute force the password once you have access to the sensor). It doesn't really do anything for the comms between MCU and if you want to get that password, you can simply eavesdrop it before disconnecting the sensor from the MCU, since it's transmitted in plain text.

So am I missing something here? What's the point of using them? Is it only for projects that can guarantee (if such a feat was even possible) that the sensor cannot be disconnected from the rest of the device?



I should mention that there is always an option to use a raw fingerprint sensor (e.g. FPC1020), but then you need to write the storing/matching algorithm yourself and I don't think that's worth the time investment (especially with the seemingly limited number of resources on the subject).

And if you want to comment that once an attacker has physical access to the device you're doomed anyway then yeah sure. But we shouldn't make it easier for them. Decapping a chip, injecting faults or doing power analysis is much more work than eavesdropping on a UART line and once you do that you have a fully unlocked device. Just like that.

Ok <rant off>. Comments welcome  :)
 

Offline kripton2035

  • Super Contributor
  • ***
  • Posts: 2597
  • Country: fr
    • kripton2035 schematics repository
Re: Capacitive fingerprint readers - security
« Reply #1 on: March 15, 2024, 05:06:30 pm »
I'm also searching for such a device, but one that sends a looooooong number that would be a hash of the fingerprint to the mcu
and not a small integer index ...
 

Offline pcprogrammer

  • Super Contributor
  • ***
  • Posts: 3782
  • Country: nl
Re: Capacitive fingerprint readers - security
« Reply #2 on: March 15, 2024, 06:42:59 pm »
Well what do you expect from a 20 dollar device.  :-DD

Offline dobsonr741

  • Frequent Contributor
  • **
  • Posts: 675
  • Country: us
Re: Capacitive fingerprint readers - security
« Reply #3 on: March 16, 2024, 04:58:21 pm »
Quote
So am I missing something here? What's the point of using them? Is it only for projects that can guarantee (if such a feat was even possible) that the sensor cannot be disconnected from the rest of the device?

Welcome to security risk assessment!
First, think about what is the value of the thing you are protecting?
What is the cost of a false positive and a false negative decision?
What is the cost of effort defeating the protection?
Can you detect if the detection was tampered with?
What is the cost of implementing the protection?

Your $20 sensor might be an optimal choice for some scenarios. That's why it's on the market. But not for everyone.
 

Offline luckycheese (Topic starter)

  • Newbie
  • Posts: 3
  • Country: de
Re: Capacitive fingerprint readers - security
« Reply #4 on: March 16, 2024, 06:23:10 pm »
Quote
Well what do you expect from a 20 dollar device.

Well, definitely more than this. 20 bucks for a 160x160 (or 192x192) capacitive sensor array + MCU doesn't sound outrageously cheap. And even if I wanted to pay more, what are the choices? Because I haven't found any. And I don't think sensors used in most phones/laptops are more expensive than that.

Quote
I'm also searching for such a device, but one that sends a looooooong number that would be a hash of the fingerprint to the mcu
and not a small integer index ...

That would already be much much better, because then you need to eavesdrop an actual authentication instead of always returning index 1. Sure you can still MITM the communication, but if you just found/stole the device, you wouldn't easily be able to hack it.

Quote
Your $20 sensor might be an optimal choice for some scenarios.

Sure, we could argue that it might be useful in a stationary device inside a metal case. If you can't rip the sensor off, you can't easily hack it. But in a handheld device (or let's say an encrypted USB drive) it gives you a false sense of security while making the device less secure than when using a regular PIN.

Quote
But not for everyone.

And that would be fine if there were other options that are viable for hobbyists. And the technology itself is very widely used, so I guess I'm baffled that such options aren't available.
 

Offline coppice

  • Super Contributor
  • ***
  • Posts: 8706
  • Country: gb
Re: Capacitive fingerprint readers - security
« Reply #5 on: March 16, 2024, 06:51:48 pm »
A few years ago Atmel (when it was still Atmel) had a cheap fingerprint scanner solution that I had an EVM for (I can't remember how it came into my hands). It was the sort where you wipe your finger over a line scanner, rather than the $20 finger press design the OP showed, but it worked well.
 

Offline pcprogrammer

  • Super Contributor
  • ***
  • Posts: 3782
  • Country: nl
Re: Capacitive fingerprint readers - security
« Reply #6 on: March 16, 2024, 07:36:25 pm »
It has been long ago that I worked with biometrics devices but what I recall of it was they used imaging arrays instead of capacitive arrays and were looking at incorporating additional security measures like checking on heart beat and blood flow to make sure the finger used is alive. Also an important aspect of fraud prevention.

I have no idea what the status of these developments is at the moment, but I reckon that proper devices will be way more expensive than 20 bucks.

For better security it would need to use encrypted communication based on session keys etc, to overcome hacks due to listening in on the communication, but this also makes for more expensive development of your own device.

So the list of dobsonr741 is a nice insight into what you have to think about.

Offline luckycheese (Topic starter)

  • Newbie
  • Posts: 3
  • Country: de
Re: Capacitive fingerprint readers - security
« Reply #7 on: March 16, 2024, 09:47:15 pm »
Quote
It was the sort where you wipe your finger over a line scanner,

I remember those from HP iPAQs. That was a whiiiiile ago :D

Quote
but what I recall of it was they used imaging arrays instead of capacitive arrays

You might be right.

Quote
were looking at incorporating additional security measures like checking on heart beat and blood flow to make sure the finger used is alive.

Yeah, that definitely sounds more expensive.

Quote
For better security it would need to use encrypted communication based on session keys etc, to overcome hacks due to listening in on the communication, but this also makes for more expensive development of your own device.

Encrypted comms is exactly what I am looking for. Something like what STSAFE-A110 secure element does. Or Microsoft's SDCP protocol for fingerprint readers (though that hasn't worked all that well in practice it seems: )

Quote
So the list of dobsonr741 is a nice insight into what you have to think about.

Agreed. And I know that everything can be broken given enough time and resources.

I guess what I want is a phone-like (capacitive, fairly fast) fingerprint reader that uses encryption when communicating with the host and doesn't cost an arm and a leg. Am I asking for too much?  :scared:
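
Added example (not part of any post in this thread, and not code from any sensor vendor): a sketch of the session-bound, authenticated match result the replies ask for, as opposed to a bare index on the UART. It assumes a hypothetical sensor that can store a key shared with the MCU at pairing time and compute HMAC-SHA256; the frame layout, sizes and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16   # assumed challenge size
TAG_LEN = 32     # HMAC-SHA256 output

def sensor_respond(key: bytes, nonce: bytes, index: int) -> bytes:
    """Sensor side: bind the match index to the MCU's fresh nonce."""
    body = struct.pack(">H", index)            # 0 = no match, as in the thread
    return body + hmac.new(key, nonce + body, hashlib.sha256).digest()

class Mcu:
    def __init__(self, key: bytes):
        self.key = key
        self.pending = None                    # nonce awaiting a reply

    def challenge(self) -> bytes:
        self.pending = os.urandom(NONCE_LEN)
        return self.pending

    def verify(self, frame: bytes):
        """Return the matched index, or None if the frame must be rejected."""
        nonce, self.pending = self.pending, None   # each nonce is single-use
        if nonce is None or len(frame) != 2 + TAG_LEN:
            return None
        body, tag = frame[:2], frame[2:]
        expected = hmac.new(self.key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        index = struct.unpack(">H", body)[0]
        return index or None                   # index 0 means "no match"

def demo() -> dict:
    key = os.urandom(32)                       # constructed pairing key
    mcu = Mcu(key)
    good = sensor_respond(key, mcu.challenge(), 1)
    results = {"genuine": mcu.verify(good)}
    mcu.challenge()
    results["replayed"] = mcu.verify(good)     # old frame, new nonce
    mcu.challenge()
    results["bare_index"] = mcu.verify(b"\x00\x01")  # unauthenticated index
    results["unsolicited"] = mcu.verify(good)  # no challenge outstanding
    results["no_match"] = mcu.verify(sensor_respond(key, mcu.challenge(), 0))
    return results

if __name__ == "__main__":
    print(demo())
```

This authenticates the match result but does not hide it, and the shared key is only as well protected as the storage holding it on each side.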
 

