Unfortunately, this is the high end of security for the future "internet of things". Everything else will be worse.
Something I wonder about, given network access (over the wifi?) could you upload a valid unprocessed raw fingerprint using the unvalidated "restore backup" function to trick the software into logging some valid user's fingerprint was present, gaining access to the facility?
Also I note the complete lack of other biometrics, so a photocopy of any of the recorded "fingers" taped to my finger would seem to validate me.
I would imagine that messing with the machine could be logged, but luckily it appears pretty easy to overwrite local logs with this machine.
Its highly unusual to find a biometric device that is not on a Hollywood set that is not snake oil. It would have been surprising if this device had been legit.
> Something I wonder about, given network access (over the wifi?) could you upload a valid unprocessed raw fingerprint using the unvalidated "restore backup" function to trick the software into logging some valid user's fingerprint was present, gaining access to the facility?
On the admin interface (that's not protected by a password, as we have shown), there is a link « open door », so all this is unnecessary, you can just open the door by a simple HTTP request.
> I would imagine that messing with the machine could be logged, but luckily it appears pretty easy to overwrite local logs with this machine.
Nope, the « normal » accesses are logged, but for the web interface and everything, there isn't any log.
2 comments
[ 4.2 ms ] story [ 16.7 ms ] threadSomething I wonder about, given network access (over the wifi?) could you upload a valid unprocessed raw fingerprint using the unvalidated "restore backup" function to trick the software into logging some valid user's fingerprint was present, gaining access to the facility?
Also I note the complete lack of other biometrics, so a photocopy of any of the recorded "fingers" taped to my finger would seem to validate me.
I would imagine that messing with the machine could be logged, but luckily it appears pretty easy to overwrite local logs with this machine.
Its highly unusual to find a biometric device that is not on a Hollywood set that is not snake oil. It would have been surprising if this device had been legit.
On the admin interface (that's not protected by a password, as we have shown), there is a link « open door », so all this is unnecessary, you can just open the door by a simple HTTP request.
> I would imagine that messing with the machine could be logged, but luckily it appears pretty easy to overwrite local logs with this machine.
Nope, the « normal » accesses are logged, but for the web interface and everything, there isn't any log.