Biometric fingerprint recognition USB3.0 memory (PD065) replay attack vulnerability
Target
PD065 v.1.19
Impact
Through this replay attack, it can be verified that an attacker who does not know the password bypasses the authentication even if an incorrect password is entered. Additionally, a function of deleting a user or adding a new malicious user can be used through a replay attack. Finally, the encrypted data can also be stolen, and the data stored inside safely can be stolen even if the encrypted password itself is not stolen.
Summary
Storage security technologies such as secure flash memory have emerged for secure storage data.
Such secure technologies include user authentication and access control technologies, and dual user authentication technologies are primarily used.
Password authentication is typical in user authentication technology and is used in conjunction with iris and fingerprint authentication. For this reason, we recently selected Wizflat's DM PD065 secure flash memory, one of the most used secure flash memories, to analyze the vulnerability of replay attacks of the password authentication feature applied to the product.
The security flash memory (DM PD065) uses a total of two user authentication technologies: password authentication and fingerprint authentication.
In other words, a user is identified through their fingerprint and password, and if any information is exposed, the protected data of the authorized user can be accessed maliciously.
In password authentication technology, users who use the product set their own passwords.
Analysis
The method applied to fingerprint recognition USB, which is an analysis target, entails the input password being transmitted to the *Authentication Module, and the *Authentication Module compares the registered password with the input password. Additionally, the authentication result (the validity of the password), which is the result of the comparison, is determined and transmitted to the *management program (Fingertool).
Owing to this method, vulnerabilities of existing password authentication technology, such as the hard-coded password vulnerability in which the password is exposed in the source code as it is, do not appear. However, in this authentication method, the result is transmitted to the *management program, and the user is authenticated based on the result. This implies that even if a malicious attacker collects the correct (normal) authentication result first and enters an incorrect (abnormal) password, replay attack that can bypass the authentication based on the collected result can occur.
Considering the vulnerability of the replay attack through the analysis result, the *Authentication Module is the hardware, the USB in this context, to be analyzed and the authentication result is received by the *management program. Therefore, to obtain the outcome of receiving the authentication result from the hardware, the analysis was performed using the DeviceIoControl function. Because of the function analysis, a total of 8 parameters were in place when calling the DeviceIoControl function, and important information among them was stored in the IN Buffer and OutBuffer. In addition, data transferred to the driver was stored in the InBuffer and data transferred from the driver is stored in OutBuffer. Based on this analysis result, after entering the correct password, the data stored in OutBuffer can be recorded, and even if an incorrect password is entered, the recorded data can be forcibly injected. Consequently, it can be confirmed that the authentication was performed normally.
DeviceIoControl Function

correct password

incorrect password

Patches
Not patched
Workarounds
Code Obfuscation, Code Encryption, Digital Watermarking etc..
Discoverer(s)/Credits
Kyungroul Lee/South Korea/carpedm@mnu.ac.kr
Jae hyuk Lee/south korea/gurmggg@cu.ac.kr
For more information
If you have any questions or comments about this advisory:
Biometric fingerprint recognition USB3.0 memory (PD065) replay attack vulnerability
Target
PD065 v.1.19
Impact
Through this replay attack, it can be verified that an attacker who does not know the password bypasses the authentication even if an incorrect password is entered. Additionally, a function of deleting a user or adding a new malicious user can be used through a replay attack. Finally, the encrypted data can also be stolen, and the data stored inside safely can be stolen even if the encrypted password itself is not stolen.
Summary
Storage security technologies such as secure flash memory have emerged for secure storage data.
Such secure technologies include user authentication and access control technologies, and dual user authentication technologies are primarily used.
Password authentication is typical in user authentication technology and is used in conjunction with iris and fingerprint authentication. For this reason, we recently selected Wizflat's DM PD065 secure flash memory, one of the most used secure flash memories, to analyze the vulnerability of replay attacks of the password authentication feature applied to the product.
The security flash memory (DM PD065) uses a total of two user authentication technologies: password authentication and fingerprint authentication.
In other words, a user is identified through their fingerprint and password, and if any information is exposed, the protected data of the authorized user can be accessed maliciously.
In password authentication technology, users who use the product set their own passwords.
Analysis
The method applied to fingerprint recognition USB, which is an analysis target, entails the input password being transmitted to the *Authentication Module, and the *Authentication Module compares the registered password with the input password. Additionally, the authentication result (the validity of the password), which is the result of the comparison, is determined and transmitted to the *management program (Fingertool).
Owing to this method, vulnerabilities of existing password authentication technology, such as the hard-coded password vulnerability in which the password is exposed in the source code as it is, do not appear. However, in this authentication method, the result is transmitted to the *management program, and the user is authenticated based on the result. This implies that even if a malicious attacker collects the correct (normal) authentication result first and enters an incorrect (abnormal) password, replay attack that can bypass the authentication based on the collected result can occur.
Considering the vulnerability of the replay attack through the analysis result, the *Authentication Module is the hardware, the USB in this context, to be analyzed and the authentication result is received by the *management program. Therefore, to obtain the outcome of receiving the authentication result from the hardware, the analysis was performed using the DeviceIoControl function. Because of the function analysis, a total of 8 parameters were in place when calling the DeviceIoControl function, and important information among them was stored in the IN Buffer and OutBuffer. In addition, data transferred to the driver was stored in the InBuffer and data transferred from the driver is stored in OutBuffer. Based on this analysis result, after entering the correct password, the data stored in OutBuffer can be recorded, and even if an incorrect password is entered, the recorded data can be forcibly injected. Consequently, it can be confirmed that the authentication was performed normally.
DeviceIoControl Function
correct password
incorrect password
Patches
Not patched
Workarounds
Code Obfuscation, Code Encryption, Digital Watermarking etc..
Discoverer(s)/Credits
Kyungroul Lee/South Korea/carpedm@mnu.ac.kr
Jae hyuk Lee/south korea/gurmggg@cu.ac.kr
For more information
If you have any questions or comments about this advisory: