Reversing a Fingerprint Reader Protocol (2021)

https://blog.th0m.as/misc/fingerprint-reversing/

65•thejj100100•6mo ago

Comments

abstractspoon•6mo ago

Excellent

Liftyee•6mo ago

Damn, I always thought that the fingerprint data was encoded somehow and never left the sensor hardware itself! OS-level access to the imagery seems like a security risk, but also opens some interesting possibilities for alternative uses.

jeroenhd•6mo ago

AFAIK it depends per reader. This one seems to be a weird webcam on steroids, but others do the matching locally.

IIRC, none of them do it particularly securely.

cinntaile•6mo ago

What's the security status of fingerprints on phones? Surely they don't leave the security chip? I hope?

maxhille•6mo ago

I don't think fingerprints should be regarded as a secret.

ta8645•6mo ago

Can you please post a link to high quality images of your own fingerprints? It should be fine, probably nobody has the technology to make them show up on a threatening letter mailed to the government, or anything like that.

maxhille•6mo ago

Of course I won't, but then again I would send you pictures of any other body parts the same.

If someone gets a hand on anything you touched, they have your fingerprint. Last time you traveled to another country - did you have to give them fingerprints? Is the software running your phone closed source? Could you ambush me at night near my house and forcefully take them?

All I am saying is they are so weak as a secret that rhey should not be regarded as one.

jeroenhd•6mo ago

AFAIK many phones store the fingerprints on-chip. I haven't looked too deeply into it, though, so it's possible there's a brand out there that streams fingerprint information as a video.

On Android, there are different levels of biometrics: https://source.android.com/docs/security/features/biometric If your fingerprint scanner reports Class 3/STRONG, hardware key stores are a requirement. Anything Class 2/WEAK or higher is supposed to make sure a kernel compromise cannot leak keys/authenticate to the OS. If it's Class 1/CONVENIENCE, simply running the biometrics in the trusted execution environment (think "secure VM acting as TPM") is also permitted.

On iOS the TPM/secure element deals with credentials, they're not submitted to the CPU.

JJJollyjim•6mo ago

As noted in the article I reversed the protocol for a related Goodix device (which was on Intel so used actual SGX instead of the white-box): I used the firmware update system to insert additional vulnerabilities in the sensor firmware and extract the PSK from that side.

I did a talk about it here: https://www.youtube.com/watch?v=IyjUY-xvFw4

th0mas•6mo ago

Author here, didn't expect to see this on HN today! If you've got any questions, shoot!

unlucky666•6mo ago

Do you have more posts similar to this one? Noticed your blog was a bit empty...

th0mas•6mo ago

Ha yeah I should really get on updating some of the info there. Got derailed with work quite a bit.

Most recently did some work on BitLocker: https://news.ycombinator.com/item?id=42747877

ge96•6mo ago

The real work ha underneath the software eg. I can't write a camera driver but thankfully someone else can

That's cool the raw data image GIMP

johnflan•6mo ago

I didn't follow the byte ordering of the image format at the end. Anyone have an explanation?

pastage•6mo ago

You have four 12 bit values, they are packed into 6 bytes. Camera image formats are different but I am guessing this is probably MIPI RAW12?

EDIT: You have the code in the repo. https://github.com/tlambertz/goodix-fingerprint-reversing/bl...

mrheosuper•6mo ago

> It then proceeds to generate a new, random, PSK and sends it to the device. This represents a trust-on-first-use security model.

Wow, i expect them using hardcoded PSK, with PSK is flashed in factory.

What the News media thinks about your Indian stock investments

Running Lua on a tiny console from 2001

Google and Microsoft Paying Creators $500K+ to Promote AI Tools

New filtration technology could be game-changer in removal of PFAS

Show HN: I saw this cool navigation reveal, so I made a simple HTML+CSS version

Kinda Surprised by Seadance2's Moderation

I Write Games in C (yes, C)

Django scales. Stop blaming the framework (part 1 of 3)

Malwarebytes Is Now in ChatGPT

Thoughts on the job market in the age of LLMs

Show HN: Stacky – certain block game clone

AIII: A public benchmark for AI narrative and political independence

SectorC: A C Compiler in 512 bytes

The API Is a Dead End; Machines Need a Labor Economy

Digital Iris [video]

New wave of GLP-1 drugs is coming–and they're stronger than Wegovy and Zepbound

Convert tempo (BPM) to millisecond durations for musical note subdivisions

Show HN: Tasty A.F.

The Contagious Taste of Cancer

U.S. Jobs Disappear at Fastest January Pace Since Great Recession

Bithumb mistakenly hands out $195M in Bitcoin to users in 'Random Box' giveaway

Beyond Agentic Coding

OpenClaw ClawHub Broken Windows Theory – If basic sorting isn't working what is?

OpenBSD Copyright Policy

OpenClaw Creator: Why 80% of Apps Will Disappear

What Happens When Technical Debt Vanishes?

AI Is Finally Eating Software's Total Market: Here's What's Next

Computer Science from the Bottom Up

Show HN: A toy compiler I built in high school (runs in browser)

You don't need Mac mini to run OpenClaw