HandPwning: security pitfalls of hand-geometry recognition-based access control systems

In a previous research it was attempted to defeat different fingerprint-based PACS (Physical Access Control Systems) [0], some successes led to extend the research to other biometric PACS in the market with particular interest on those used in Critical Infrastructures (e.g. Industrial Plants, Factories, Water Treatment, etc.). Biometrics applied to PACS (Physical Access Control Systems) has been an hot-topic for a few years now. The spread of biometric access control & time attendance systems among corporate, industrial and military environments has surged. And with it, also the number of potential attack vectors has increased. In this blogpost and related paper, after a brief overview of the state of art of available biometric technologies used in PACS to authenticate and authorize users, we will investigate one technology among others (usually perceived less-invasive) that has been widely adopted in some specific fields (e.g. industrial plants, airports, food industry, etc.): the “Handpunch” access control & time attendance systems. 

The “Handpunch” PACS are based on the hand-geometry recognition. In this research we will first have a look how this technology work, subsequently, we will focus our attention on reviewing some of existing Handpunch devices on the market: from a physical security point-of-view until reversing their communication protocol. 

Moreover, it will be demonstrated how to remotely enroll a new super-admin into it (i.e. persistent backdoor), how to dump existing users information and will be also released an opensource tool-suite: HandScan & HandPwner. 

Eventually, thanks the cooperation with Shodan’s developer, it has been confirmed that more than 1200 of these vulnerable devices were found exposed on the Internet. Finally, we will conclude with practical and actionable countermeasures to prevent these attacks and how to harden these devices.

More Videos: