Open Source Summit + ELC North America 2019

Biometric authentication provides distinguished advantages over other techniques such as password-based ones; Biometric information is always with and unique to an individual, and hardly forgeable. One of the most classic biometric authentication is to use fingerprint, which is very popularly used these days in mobile banking or healthcare industry, for 2-factor authentication schemes. The benefits, however, come with an inherent risk: fingerprints cannot be changed once they are stolen.

In this talk, Seong-Joong Kim will address security problems that reside in the most popular open source for supporting fingerprint readers. After auditing, he found several flaws in encryption and key derivation process of the project, which may lead to dreadful consequences: an attacker can extract individual fingerprint images between a fingerprint scanner and a host, or can steal original fingerprints from the fingerprint DB. He will demonstrate those attacks and discuss possible countermeasures.