On Investigating the Effectiveness of Biometric Readers in Thwarting Network Attacks: A Secure Architecture Design Proposal

Transcription

1 On Investigating the Effectiveness of Biometric Readers in Thwarting Network Attacks: A Secure Architecture Design Proposal Abstract Biometrics readers are deployed in many public sites and are used for user identification and verification. Nowadays, most biometrics readers can be connected to local area networks (LANs), and consequently they are potential targets for network attacks. This paper investigates the robustness of several fingerprint and iris readers against common denial of service (DoS) attacks. This investigation has been conducted using a set of laboratory experiments and DoS attack generator tools. The experiments show clearly that the tested biometric readers are very vulnerable to common DoS attacks, and their recognition performances deteriorate significantly once they are under DoS attacks. Finally, the paper lists some security consideration that should be taken into consideration when designing secure biometrics readers. Keywords-component; Fingerprint reader; Iris reader; Biometrics readers; Denial of Service attack (DoS); WCCAIS'2014. I. INTRODUCTION It is unquestionable that the use of biometric technologies is becoming increasingly common. Nowadays, biometrics readers, such as fingerprint, face and iris, are deployed in many public sites and are used for user identification and verification. They play an important role in implementing the security policies within institutions. Biometric reader manufacturers have been focusing on offering easy to use and practical devices with effective costs, low enrollment and recognition time, and low rate of false match and non-match. Currently, most biometrics readers are able to connect to wired and wireless networks, and communicate with remote biometric servers to exchange biometric data. However, since these devices are as any network host with IP and MAC addresses, they may be the targets of malicious network users. In fact, it is unquestionable that biometric readers should be robust enough against network attacks in order to rely on them while building secure networks and applications. That is, biometric readers should be able to thwart common network attacks; otherwise they can be easy targets for malicious users. Also, in case of network attacks, the biometric readers logs and the biometric data should be available to assist in investigating the nature and sources of the attacks. However, unsecure and vulnerable biometric readers may not contribute in finding exactly what happened on the target systems. Therefore, it is important to acquire sufficient knowledge about the security robustness of both biometric readers and the exchanged biometric data prior to designing and implementing networks and applications that use biometric technologies. In this paper, we investigated the effect of common network attacks on the performance of several fingerprint and iris readers. Practically, experiments are conducted using DoS attacks and ARP cache poisoning attack. The experiments consist mainly into launching several types of network attacks targeting biometric readers, and then studying the robustness of the tested readers against the attacks by analyzing their response time and their ability to continue communicating properly with other network devices while they are under attacks. The remainder of this paper is organized as follows. Section 2 introduces the network attacks that have been used during the experiments. Section 3 presents an overview of the biometrics readers that have been tested. Then, in Section 4, we present and analyze the experiments results related to the resilience of the tested biometrics readers against the network attacks. Section 5 lists some security consideration that should be taken into consideration when designing secure biometric readers. Finally, Section 6 concludes the paper. II. BACKGROUND: DOS AND ARP CACHE POISONING ATTACKS The investigation conducted in this paper uses common DoS attacks to evaluate the resilience of several fingerprint and iris readers against these attacks. Also, we investigated the ability of ARP cache poisoning attack to corrupt the ARP cache entries of the biometrics readers. Hosts with corrupted ARP caches are usually unable to communicate properly with the other network hosts [18]. Consequently, a DoS situation may emerge from corrupting the ARP caches of target network hosts.

2 A. DoS Attacks Commonly, a DoS attack attempts to render a system unusable or significantly slows down the system for legitimate users by overloading the resources so no one else can access it. A DoS attack may target a user, to prevent him from making outgoing connections on the network. A DoS attack may also target an entire organization, to either prevent outgoing traffic or to prevent incoming traffic to certain network services, such as the organization web page. DoS attacks are much easier to accomplish than remotely gaining administrative access to a target system. Because of this, DoS attacks have become very common on the Internet. A DoS attack can either be deliberate or accidental. It is caused deliberately when an unauthorized user actively overloads a resource. It is caused accidentally when an authorized user unintentionally does something that causes resources to become unavailable. Most DoS attacks rely upon weaknesses in the TCP/IP protocols. The next sub-sections introduce the selected common DoS attacks, used in this paper's experiments, namely the SYN flood, Land, Teardrop and UDP flood attacks. Land Attack: Land attack occurs when an attacker sends spoofed TCP SYN packets (connection initiation) with the target host's IP address and an open port as both source and destination. The target host responds by sending the SYN-ACK packet to itself, creating an empty connection that lasts until the idle timeout value is reached. Flooding a system with such empty connections can overwhelm the system, causing a DoS (Figure 1) situation. Figure 1. The Land attack SYN Flood Attack: A SYN flood occurs when a host becomes so overwhelmed by SYN packets initiating incomplete connection requests that it can no longer process legitimate connection requests. When a client system attempts to establish a TCP connection to a system providing a service (the server), the client and server exchange a sequence set of messages known as a three-way handshake. In fact, the client system begins by sending a SYN (synchronization) message to the server. The server then acknowledges the SYN message by sending a SYN-ACK (acknowledgment) message to the client. The client then finishes establishing the connection by responding with an ACK message. The connection between the client and the server is then opened, and the service-specific data can be exchanged between the client and the server. The potential for abuse arises at the point where the server system has sent an acknowledgment (SYN-ACK) back to the client, but it has not yet received the final ACK message. This is what meant by a half-opened connection. The server has in its system memory a built-in data structure describing all pending connections. This data structure is of finite size, and it can be made to overflow by intentionally creating too many partially-opened connections (Figure 2). Creating half opened connection is easily accomplished with IP spoofing. The attacker s system sends SYN messages to the victim s server that appear to be legitimate, but in fact, the source address is spoofed to a system that is not currently connected to the network. This means that the final ACK message is never sent to the victim server. Because the source address is spoofed, there is no way to determine the identity of the true attacker when the packet arrives at the victim s system.

3 Figure 2. The SYN Flood attack Teardrop Attack: Teardrop attack target vulnerability in the way fragmented IP packets are reassembled. Fragmentation is necessary when IP datagrams are larger than the maximum transmission unit (MUT) of a network segment across which the datagrams must traverse. In order to successfully reassemble packets at the receiving end, the IP header for each fragmented packet includes an offset to identify the fragment s position in the original unfragmented packet. In a Teardrop attack, packet fragments are deliberately fabricated with overlapping offset fields causing the host to hang or crash when it tries to reassemble them. Figure 3 shows that the second fragment packet purports to begin 20 bytes earlier (at 800) than the first fragment packet ends (at 820). The offset of fragment Packet #2 is not in accord with the packet length of fragment Packet #1. This discrepancy can cause some systems to crash during the reassembly attempt. Figure 3. The Teardrop attack UDP Flood Attack: UDP is a connectionless protocol and it does not require any connection setup procedure to transfer data. A UDP Flood attack is possible when an attacker sends a UDP packet to a random port on the victim system. When the victim system receives a UDP packet, it will determine what application is waiting on the destination UDP port. Two cases are possible. If there is no application that is waiting on the port (closed UDP port), the victim host will generate an ICMP packet of destination unreachable to the forged source address. However, if there is an application running on the destination UDP port, then the application will handle the UDP packet. In both cases, if enough UDP packets are delivered to destination UDP ports, the victim host or application may slow down or go down (Figure 4).

4 Figure 4. UDP Flood attack B. ARP Cache Poisoning Attack Sniffing attack consists of re-routing (redirecting) the network traffic between two target hosts to a malicious host. Then, the malicious host will forward the received packets to the original destination; so that the communication between the two target hosts is not interrupted and the two communicating hosts will not notice that their traffic is being sniffed by a malicious one. Man-in-the-Middle attack (MiM) is the most common attack used to sniff switched LAN networks. MiM attack is based on corrupting the ARP caches of target hosts using ARP cache poisoning attack [18]. ARP cache poisoning attack is the malicious act, by a host in a LAN, of introducing a spurious IP address to MAC address mapping in another host s ARP cache. This can be done by manipulating directly the ARP cache of a target host, independently of the ARP messages sent by the target host. To do that, the malicious host can either add a new fake entry in the target host s ARP cache, or update an already existing entry by fake IP and MAC addresses. In MiM attack, the malicious user first enables the host s IP packet routing, in order to become a router and be able to forward the redirected packets. Then, using the ARP cache poisoning attack, the malicious host corrupts the ARP caches of the two target hosts, in order to force the two hosts to forward all their packets to the malicious host. It is important to notice that if the malicious host corrupts the ARP caches of the two target hosts without enabling its IP packet routing, then the two hosts will not be able to exchange packets and it will be a DoS attack. In this case, the malicious host does not forward the received packets to their legitimate destination as shown in Figure 5. Figure 5. Biometric data sniffing based on the MiM attack

5 III. BIOMETRICS READERS In 2001 MIT Technology Review [3] named biometrics as one of the top ten emerging technologies that will change the world. The term Biometric comes from the Greek words bio (life) and metric (to measure). Biometrics refer to technologies used for measuring and analyzing a person's unique characteristics. There are two types of biometrics: behavioral and physical. Behavioral biometrics are generally used for verification while physical biometrics can be used for either identification or verification. Identification is determining who a person is. It involves trying to find a match for a person's biometric data in a database containing records of biometric information about people. This method requires time and a large amount of processing power, especially if the database is very large. Verification is determining if a person is who he/she say he/she really is. It involves comparing a user's biometric data to the previously recorded data for that person to ensure that this is the same person. This method requires less processing power and time, and is usually used for authentications and access control. The main physical biometrics technologies include fingerprint, iris, retina, hand geometry, and face features [11,12]. There are also a number of behavioral biometric technologies such as voice recognition (analyzing a speaker's vocal behavior), keystroke patterns (measuring the time spacing of typed words), gait recognition (manner of walking), or signature (analyzing the way you sign). Other biometric techniques still in exploratory stages include DNA biometrics, ear shape, fingernails, and odor [12]. The most common types of biometric technologies are fingerprint, iris, voice, hand geometry, and face recognition [8,10,11, 12]. Yet, there is not one single biometric technology that would be ideal for all applications. Each technology has its own benefits and weaknesses. Nowadays, fingerprint and iris technologies are widely used [1] because they are fast, reliable, stable, cost effective, and provide excellent identification accuracy rates. Iris recognition is the most precise of all biometric identification systems. The false acceptance ratio is so low that the probability of falsely identifying one individual as another is virtually zero [9]. For these reasons, this paper is focusing on investigating the effect of common network DoS attacks on solely fingerprint and iris readers. IV. ROBUSTNESS OF BIOMETRIC REDAERS AGAINST DOS ATTACKS: EXPERIMENTS To investigate the robustness of fingerprint and iris readers against DoS attacks, two laboratory experiments are conducted using DoS attack generation tools. Practically, we investigated the effect of four common DoS attacks on the performance of several fingerprint and iris readers. In addition, we investigated the effect of ARP cache poisoning attack on the entries of the ARP caches of the readers. The proposed experimental method consists mainly into launching first several types of network DoS attacks targeting fingerprint and iris readers, and then studying the robustness of the readers by analyzing their response time and their ability to continue communicating properly with other network devices while they are under attacks A. Network Architecture Figure 6 shows the network architecture used in the experiments. A DoS attack generator host, a biometric server, a fingerprint reader and an iris reader are connected to a switch. B. DoS Attack Tools The tools used to generate the DoS attacks are: Figure 6. Network architecture

6 FrameIP packet generator [5] and CommView Visual Packet Builder [2] are packet generators that allow generating IP and ARP packets. The tools can be used by the attack host to generate the Land, Teardrop, and UDP flood attacks; as well as to perform ARP cache poisoning attack. SYNFlood tool [17] is a ready-to-use attack tool used to generate the SYN flood attack. 1) Building Land attack packets The user can use a packet generator tool to build packets that produce the Land attack. For example, the user can use an online command tool, such as FrameIP Packet Generator, or a more friendly and easy to use GUI tool, such as CommView Visual Packet builder. In this paper, CommView Visual Packet Builder is used to generate Land attack. Figure 7 shows a screenshot of how a spoofed TCP SYN packet is used to build a Land attack packet. The packet has the source IP address set to the destination IP address, and the source port number set to the destination port number. Figure 7. A Land attack packet built using CommView Visual Packet Builder 2) Building Teardrop attack packets To generate a Teardrop attack, two fragmented packets have to be built. The packets belong to the same original packet and have the same IP s Identification (ID). The field ID includes an identifying value assigned by the sender host to aid in assembling the fragments of a datagram. However, the two fragmented packets have overlapping offset values. Using CommView Visual Packet Builder, figures 8 and 9 show the two example fragmented packets with overlapped offset values leading to the Teardrop attack.

7 Figure 8. The first fragment packet of a Teardrop attack Figure 9. The second fragment packet of a Teardrop attack 3) Building UDP flood attack packets In an UDP flood attack packet, the source IP address should be set to a spoofed or random IP address. The destination port should be set to a number of an open UDP port in the victim host.

8 There are many available ready-to-use UDP flood attack tools. First, the attacker can use any port scanner tool to identify the list of open UDP ports at the victim host. Then, one open UDP port number is selected and is used as the destination port number in the UDP flood attack packets. For example, Figure 10 shows a screenshot of the result of a UDP port scanning of a target host, using Fast Port Scanner tool [4]. Figure 10. UDP port scanning using Fast Port Scanner tool To build UDP flood attack packets, the user has to use a packet builder tool that allows including spoofed or random IP addresses in the source IP field of the IP header. Random or spoofed source IP addresses allow hiding the real source IP address of the attacker host. FrameIP Packet Generator has the ability to generate UDP packets with random or spoofed source IP addresses. Figure 11 is a screenshot of the online command of FrameIP that allows generating UDP flood traffic to the destination UDP port 53 of the target host with IP address Figure 11. Frameip s online command for generating UDP flood traffic 4) Building SYN flood attack packets There are many available ready-to-use SYN flood attack tools. As an example, Figure 12 shows the online command used to generate the SYN flood attack, using the tool SYNflood. After executing the online command, a flood of fake TCP SYN packets is sent to the target biometric reader whose IP address is

9 Figure 12. The SYN flood attack online command During the experiment, all above four DoS attacks (Land, Teardrop, UDP flood, and SYN flood attacks) are lunched simultaneously, to increase their effect. The following section presents the result of the experiments. C. DoS Attacks Results for Fingerprint Readers In this experiment, we tested three fingerprint readers, namely: NitGen Fingerprint reader NAC 3000 [15], F7 Standalone Biometric Access Control Terminal [6], MX600 Fingerprint Access Control [14]. Table 1 summarizes the experiments results for each fingerprint reader. The DoS attacks had a negative effect on the readers performance. That is, few seconds after launching the DoS attacks, the recognition performances of all tested fingerprint readers deteriorated significantly. Practically, the recognition status of the readers became unstable under the DoS attacks. In fact, the readers recognition response was very slow or there was no response to Ping requests. In addition, the biometrics readers often disconnected from the network, especially when the attack traffic rate increase significantly. Table 1. DoS attacks results for fingerprint readers Fingerprint readers Effect of DoS attacks on the recognition performance of the fingerprint readers NitGen Fingerprint reader NAC 3000 Recognition status is unstable: F7 Standalone Biometric Access Control Terminal - The reader recognition response is very slow MX600 Fingerprint Access Control or there is no response to Ping requests. - The readers often disconnect from the network. For example, Figure 13 shows that before launching the DoS attacks, the response times were less than 0.4 ms when pinging the NitGen Fingerprint reader NAC However, the response times increased considerably and reached more than 20 ms just after launching the attacks. This is due to the fact that after launching the DoS attacks, the fingerprint reader became overloaded with treating the flood of packets and consequently became unable to process the Ping requests instantly. In fact, DoS attacks have usually a major negative effect on victim system s performance by making their processors heavily loaded with processing malicious requests, resulting into delaying the processing of legitimate requests that do not intend to harm the system s performance.

10 Figure 13. Response time of Nitgen Fingerprint reader NAC 3000 before and during the DoS attacks D. DoS Attacks Results for Iris Readers In this experiment, we tested three iris readers, namely: Panasonic Iris reader BM-ET330 [16], LG s IrisAccess 4000 [13], IG-AD100 Iris Camera System [7]. Table 2 summarizes the experiments results for each iris reader. As for the case of fingerprint readers, the DoS attacks had a negative effect on the readers performance. Few seconds after launching the DoS attacks, the recognition performances of all tested iris readers deteriorated significantly. Practically, the recognition status of the readers became unstable under the DoS attacks. In fact, the reader recognition response was very slow or there was no response. The readers disconnected from the network. But, when the DoS attacks stopped, the iris readers reconnected again to the network. Table 2. DoS attacks results for iris readers Effect of DoS attacks on the recognition performance of the iris readers Panasonic Iris reader BM-ET330 Recognition status is unstable: LG s IrisAccess The reader recognition response is very slow or there is IG-AD100 Iris Camera System no response to Ping requests. - The readers disconnected from the network. But, when the DoS attack stopped, the readers reconnected to the network. Iris readers For example, Figure 14 shows that before launching the DoS attacks, the response times were less than 0.1 ms when pinging the Panasonic Iris reader BM-ET330 [16]. However, just after launching the attacks, the reader crashed and consequently there were no ping responses. The reader became unable to recognize users and completely disconnected from the network. When the DoS attack stopped, the reader reconnected to the network.

11 Figure 14. Response time of Panasonic Iris reader BM-ET330 of before and after the DoS attacks E. ARP Cache Poisoning Attack Results This attack consists into attempting to corrupt the ARP caches of the fingerprint and iris readers. Network hosts with corrupted ARP caches may not be able to communicate properly with other network hosts. For example, the following shows the contents of an ARP request packet that intends to corrupt an ARP entry of a target biometric reader with a fake IP/MAC entry: Operation Source IP address Source MAC address Destination IP address ARP header 1 (ARP request) IP of a network host Fake MAC address Any address Destination MAC address 00:00:00:00:00:00 Source MAC address Destination MAC address Type Ethernet header Any address MAC address of the target biometric reader ARP (0x0806) As an example, CommView Visual Packet Builder tool is used to build such a fake ARP request packet, as shown in Figure 15. In fact, the Sender Address IP ( ) is assigned a fake MAC address ( ). Hence, if the target reader is vulnerable to ARP cache poisoning attack, this fake ARP request will allow creating fake IP/MAC entry in the target reader s ARP cache. Consequently, the target reader will not be able to communicate properly with the host whose IP address is specified in the fake IP/MAC entry.

12 Figure 15. ARP cache poisoning packet generation using CommView Visual Packet Builder tool The experiments result indicates that the ARP cache poisoning attack has no effect on the tested readers. Consequently, the readers are protected from this type of attack. We believe that this is because of the simple implementation of the ARP protocol in these readers. In fact, the readers do not allow updating their ARP caches. They use static ARP cache entries, so that the entries cannot be updated by fake ARP request and replies. The ARP cache entries are created when the readers connect to the network. Once they get the MAC addresses of the biometric servers, they create static entries (IP/MAC addresses) in their ARP caches. V. SECURE BIOMETRICS READERS DESIGN CONSIDERATION The experiments results demonstrate clearly that the tested biometric readers are very vulnerable to common DoS attacks, and their recognition performances significantly deteriorate just after launching the attacks. In fact, the security analysis conducted in this paper proves that the tested biometric readers have been designed without any security consideration. Biometric readers usually are focusing on enhancing the recognition performance (Identification accuracy rates, false acceptance ratios) of the biometric algorithms and technologies. Hence, they are easy targets for malicious network traffic and users. Usually, biometric devices are designed to offer ease to use and practical user interfaces with effective costs, low enrollment and recognition time, and low false non-match and match rates. However, our work in this paper shows that they are not designed to include basic security functions, mainly network packet filtering capabilities to filter the network traffic, and to integrate Intrusion Detection/Prevention capabilities to detect and prevent network attacks and malicious network activities. Hence, biometric devices can be easily crashed or disconnected from the network by common DoS attacks. Consequently, their availability and efficiency may become questionable within any institution, and it will be difficult to rely on such devices to implement secure networks and biometric systems. The following lists some basic security considerations that should be taken into consideration when designing secure biometric readers to limit the effect of DoS attacks: The biometric reader s user interface should allow the filtering of network packets, such as blocking all incoming ping requests. The ARP cache of the biometric reader should be static, so that malicious ARP packets cannot update its contents with fake IP/MAC entries. This would allow protecting the reader from DoS attacks based on ARP cache poisoning attack. Network traffic with high speed rate targeting the biometric reader should be denied from reaching the kernel of the reader. This would allow protecting the reader from many common DoS flood attacks, such as SYN flood attack. Figure 16 shows typical secure biometric reader architecture. That is, commonly, to offer secure biometric readers, it is important to design readers that are able to offer at least the following basic security modules: 1. Firewall module: Allow implementing at least the basic common filtering rules to filter the network traffic exchanged by biometric readers.

13 2. Intrusion detection module: Allow protecting and preventing at least common network attacks, mainly DoS attacks. This intrusion detection module should be able to use basic common attack signatures and be able to download new attach signatures. 3. Encryption module: Allow encrypting the traffic between the biometric readers and servers. The encryption security capability will prevent malicious users from being able to spy and analyze the exchanged network traffic between the biometric readers and servers since the traffic is encrypted. Usually, malicious users use MiM attack techniques to collect the exchanged network traffic between the biometric readers and servers. Figure 16. Typical secure biometric reader architecture VI. CONCLUSION This paper investigated the effect of common DoS attacks on the performance of several fingerprint and iris readers. Experiments are conducted using common DoS and ARP cache poisoning attacks. The experiments results demonstrate clearly that the tested biometric readers lack robust security solutions, such as firewall packet filtering or Intrusion Detection/Prevention capabilities, and consequently are easy targets for malicious network traffic and users. However, the tested biometric devices are protected from ARP cache poisoning attack since they use simple implementation of the ARP protocol. In fact, they use static ARP caches entries; instead of using dynamic entries as it is the case in ordinary computers. In order to enhance the availability and efficiency of biometric readers and implement secure biometric based systems, the paper listed several security functions that should be incorporated into biometric readers, mainly network packet filtering, intrusion detection and encryption capabilities. REFERENCES [1] A. Al-Raisi, and A. Al-Khouri, Iris recognition and the challenge of homeland and border control security in UAE, Journal of Telematics and Informatics. Vol. 25 (2008), pp [2] CommView Visual Packet Builder, [3] Emerging Technologies That Will Change the World, Ten emerging technologies that will change the world, MIT Technology Review, January/February [4] Fast Port Scanner tool, [5] FrameIP Packet Generator, [6] F7 Standalone Biometric Access Control Terminal, [7] IG-AD100 Iris Camera System, [8] J. Chirillo, and S. Blaul, Implementing biometric security, Wiley Publisher, [9] J. Duagman, How iris recognition works, IEEE Transactions on Circuits and Systems for Video Technology, Vol. 14 (2004), pp [10] J. Duagman, Recognizing persons by their iris patterns, The 5th Chinese Conference on Biometric Recognition, SINOBIOMETRICS, China (2004), pp [11] J. L. Wayman, A. K. Jain, D. Maltoni, and D. Maio, Biometric systems: Technology design and performance evaluation, Springer Publisher, 2005.

14 [12] J. R. Vacca, Biometric technologies and verification systems, Butterworth-Heinemann Publisher, [13] LG s IrisAccess 4000, [14] MX600 Fingerprint Access Control, [15] Nitgen Fingerprint reader NAC 3000, Specification Sheet, [16] Panasonic Iris reader BM-ET330, Specification Sheet, ftp://ftp.panasonic.com/pub/panasonic/cctv/specsheets/bm-et330.pdf. [17] SYN flood [18] Z. Trabelsi, and K. Shuaib, A novel Man-in-the-Middle intrusion detection scheme for switched LANs, The International Journal of Computers and Applications. Vol. 3, No. 3 (2008), pp