Fingerprint-Protected USB Sticks Cracked
juct writes "Manufacturers of USB sticks and cards with fingerprint readers promise us that their data safes can only be opened with the right fingerprint. In their tests, heise Security found that it is easy to bypass the authentication and get access to the protected data. This works by sending a single USB command, using the open source tool PLscsi, that changes the accessible partition. They found the vulnerability in several USB sticks that use the same chipset. The article concludes: 'The fingerprint sensors in the products mentioned above apparently only serve one purpose: they mislead interested buyers. They do not provide any significant level of protection. We can only recommend that these products not be purchased.'"
I've never seen a fingerprint system that was worth a damn...I was doing consulting at a company a few years back that had the "pad style" thumb readers (rather than the little scanners that are more popular now), and I "hacked" one of them for the company director by taking a deep breath and breathing on it. Warm breath condenses on the previous fingerprint and heats up the temperature sensor, and voila.
Now I had garlic pizza for lunch, so there is more than one reason that would have worked, but the fact that it did work was more than enough to convince me of the worthlessness of the tech. They had a Mythbusters episode a while back where they were fooling fingerprint readers with xeroxes and rubber casts; again, a huge glaring flaw.
At this point, security is still about passwords. I haven't seen any consumer grade biometric I'd trust with my MySpace profile (if I ever make one), more less anything sensitive.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
"They do not provide any significant level of protection. We can only recommend that these products not be purchased."
You seldom get such unflinching prose in a review.
"Flyin' in just a sweet place,
Never been known to fail..."
And my boss has been pushing to get these deployed at our company, for the sake of security. I'm sending him this article right now.
Thanks once again, Slashdot, for making it possible for me to project the impression that I'm doing my job. ^_^
____
~ |rip/\/\aster /\/\onkey
Didn't Mythbusters beat a bunch of fingerprint readers a couple of seasons ago? I seem to recall them using printed pictures of fingerprints with great success.
http://www.youtube.com/watch?v=oXyFmieZjiE
But it's quicker than inputting a password, and it keeps all but determined people out. Obviously, it doesn't keep those people out at all, but I dunno. A fingerprint reader, that has an every day use, and does actually save time. That's on the verge of being useful, as well as all kinds of cool. I mean *a fingerprint reader in your pocket*.
And hell, if the fingerprint reader bit ever breaks, which it will, as sure as night follows day, well at least there's a failsafe way to get your data back now.
Absolute power corrupts absolutely. indymedia
From TFA: "The software on the PC uses another command to decide whether read-only write access is possible..."
-1 not first post
This is not the first USB-stick sold for a high price (typically 10 times the price of a normal USB stick of the same size) that doesn't actually add any security whatsoever.
Here is an article by a dutch website (the article is in english though) that does a thorough job (technical details included) of debunking a similar product.
Meanwhile, the scary thing is that government and military organizations are reported to have been actually using such products...
Every expression is true, for a given value of 'true'
Corsair's Flash Padlock has the same issue. You can open the case through a single screw in the back of the drive and then access an electronic switch on the board, which can be easily tripped with a piece of wire, giving you access to the memory chip without having to punch in a security PIN. Hardware security methods just aren't as secure as software-based encryption.
There's a reason why certain b-grade sci-fi slasher movies portray a top secret high security building protected by some kind of hand or fingerprint scanner. They need some security lock that is insanely easy for the hero or the villain to get through. Every time you see this, you know some loser extra is going to be dead and missing a hand by the end of the flick.
"All great wisdom is contained in .signature files"
If them new fangled USB sticks are getting cracked easily, then ya'll need some stronger plastics! They don't make 'em like they used to. Back in the day we had USB sticks made from solid steel.
Somehow along the way I made a bad choice in life and now must live with 0 Karma.
There was an awesome episode of Mythbusters where they went through and cracked numerous types of fingerprint scanners.. amazingly the most sophisticated systems were extremely easy to beat (ie: using a photocopy of a brushed fingerprint). The cheaper ones worked a bit better requiring a ton of work to get by. I don't think this really is so much an issue about finger scanning as it is hardware design.
I agree 100%. However, the whole point of these devices is to protect your data in case it is lost / stolen.
The only problem is that they do not work.
There is a big market for physical security. It needs companies that will exploit it without snake oil. I like the idea of a multi-layer encryption / pass phrase / physical lock / self-destruct / whatever combination etc. idea on USB sticks and laptops etc. and I expect that products that cater to that need will grow. Unfortunately products that fail to live up to consumer demands will also continue to grow. It's a young industry.
Biometrics is even younger, and right now I don't trust any kind of biometric security mechanism.
While this is true there are some technologies that help protect the physical layer. I'm talking about smartcards and similar that have physical mechanisms designed to destroy the data if it is tampered with.
Fingerprint scanners (if used) should only be one part of the login/data access. It should always be followed up with a PIN/Password. Now you have two factor, what you have and what you know. So if what you have is compromised, you still cannot get in. AND you put tighter restrictions on what you know. Mistype password twice, account locked out..
"You're not balancing your internal energy with the environment." -Gary Busey
The reason I come here is to read the posted comments, I often find them more informative, interesting and funny than the summary or TFA. On a quick scan of the posted comments, I noticed that many many posters said " ooooh Mythbusters did this ". I am amazed by the lack of originality of these posts (past the first one) and the fact that in an effort to get their 2 cents out there, none of these posters bothered to even scan the reader responses, much less actually read them.
How amazed would you be to suddenly find that you just forgot what I wrote and you needed to reread my post.... again.
Not entirely. If the entire (and I mean everything) was encrypted with a unique hash calculated by your print, I think it would work.
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
Having spent too many hours dealing with increasingly bizarre authentication schemes at various web sites, and more hours reading about each new form of high tech security wizardry, I've come to conclude that an awful lot of companies are ignoring the obvious - that the only really secure way to protect data is to prevent physical access to it.
As long as someone can get access to the container, they can find a way in.
Obviously we're balancing convenience with security, but when some employee takes your whole customer database off-site on his laptop your problem is not encryption, it's keeping that data in a controlled environment.
Three Squirrels
The greater problem with any security technology is how can you be sure the best cracking minds are working in the public domain? Without it, we are all virtually inescapable of the government and its pryings. I do not have the technical know-how or time to test just how uncrackable my encryption is. Most likely, neither do you.
What we do have is common sense enough to know we need a cracking body that works for the public good. It's probably best they stay as anonymous as I. So "anonymous great crackers" out there. Please show us that you've cracked what you have be it a cipher, software bug, or physical device. Perhaps there should be a repository of encrypted files for you to work on. It's getting late...I must be going.
It goes without saying that there are a large number of low-end sensors disguised as excellent front-ends to biometric authentication. You need to segregate two things.
1. the sensor itself.
2. the implementation of the sensor. (e.g. sensor as a front end)
There are two legitimate sensor manufacturers in the U.S. and one very well-known French company all of whom do not sell to just anyone anywhere and at prices absolutely out of range for a TV show and the average company.
Another thing to keep in mind is even IF there was budget for a good device, (oh to dream) there are implementation issues that can make the hardware worthless. As is often the case, meaningful implementations tend to complicate practically all business/operations matters which is why no company bothers.
To generalize that all fingerprint scanners suck is just wrong.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
No, sorry, that's just wrong. If the data is properly encrypted with a decent cipher using a key with sufficient entropy, you should assume it has not been compromised.
If the encryption you are using is so poor that the loss of your USB stick means you consider the data to be compromised, why bother encrypting at all?!!!
When will fingerprint "security" die?
Obligatory links:
http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/
http://www.schneier.com/crypto-gram-9808.html#biometrics
It's important to understand that your fingerprints aren't secrets. You put them on thousands of objects every day. You can't create any security based on fingerprints unless you can assure that the reading device isn't tampered with. By placing a guard (a person) there or something.
Your print never reads the same twice (fingerprints are a poor biometric for this reason - you can only really guess within a certain probability that it's the right one), so to do what you're suggesting you'd have to store the hash on the device.
So your security is dependent on them hiding the hash to the rest of the data. Security is only as strong as its weakest point.
Biometrics has its place. This isn't it.
Most of the time, a username/password is a perfectly good access-control method. In some cases (either high-security environments or connections over hostile space), a second authentication method is advised. Now we have a two-factor authentication. Typical example is "log onto the firewall to allow you to log onto a machine inside the firewall." SecureID cards and the like also work as a good second-factor method.
A biometric challenge is arguably an acceptable second-factor when added to a username/password system. It is NOT a substitute for such a system.
However, biometrics are HARD to do correctly! Cheap scanners suck and are generally insecure by design. Expensive scanners suck, but are generally designed better. None are foolproof, yet.
Also, biometric authentication carries a risk. If your username and password are stolen, then you can change your password and stop the damage. If your biometric ID (retinal scan, fingerprint, etc.) are successfully 'stolen,' then you have lost your authentication ability for all time! If your fingerprint is compromised, you can NEVER USE it as an authentication method again! There ain't no resetting fingerprints!
So we have a large expense for an imperfect system with exactly one possible compromise per user per lifetime. This isn't a primary ID method. It's not a good second-factor ID method either. In EXTREME security environments, it might make sense as a third-factor authorization system, along with username/password and a (pseudo-) one-time pad (i.e. SecureID).
If you don't NEED that type of security, then DON'T USE YOUR BIOMETRIC DATA! One compromise, and it's useless. Forever. Period.
Oh yeah, but I forget the most important part: Fingerprint scanners are shiny and cool, just like in the movies. Bah.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
Then the problem is a technical one, not a logical one. You propose that the idea will never be secure because we currently can't do it that way... that it must be done some other way. Just focus on what you need to actually be doing to make it possible, not assume that it can't ever be done and you are stuck with nasty obscurities.
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
In my previous system administration job one of the managers got some kind of deal on a big box of encrypted memory sticks - something like 100 sticks - that we put into our pool of thumb drives our engineers used for transferring configuration files and the like. We never used the encryption technology (among other things, embedded controllers don't have the ability to run Windows executables to read the password), instead we configured them as one big open partition. Unfortunately they were particularly sensitive to being damaged if they were pulled out without unmounting the partition - possibly due to the added complexity of the encryption technology. When that happened, unlike normal sticks, they were trashed. You couldn't reformat them, and contacting the company to find out how to securely erase them led me through a maze of red tape, ending up with a demand that we send them a registered letter on company letterhead from the CEO to authorize us to receive a copy of the secure formatting program. This was duly sent but turned out to be a dead end: they never contacted us or responded to further contacts.
It's possible that they had no such program, or that the program was something like the one described here and they didn't want to let the cat out of the bag. We quit using these sticks, they were just too fragile to be worth the hassles.
Fingerprints are a source of identification not authorization. They're not private. No matter how good your sensor is, there's nothing secret about your authorization. It's a "what you have", which conveniently you always have.
If you are going to provide authorization, you need to use a "what you know" (password) to even have a minimum of security.
Doing anything else is an explicit decision to disable security. Hopefully an acceptable reduction in exchange for a necessary benefit. Most of the time it's not, however... it's just people who don't know what they're doing.
Someone already submitted this article under a different headline. It was rejected. Apparently we care about it now, though I'm not sure why. Even linked to the same article, and sent in by the same person, with a different description.
I guess now I know what to do if the stories I submit don't make it...
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
Fingerprint systems are terrible if you really think about it. It would basically be like a password that you had, you couldn't change it, and you left it in paper version everywhere you go. There needs to be another layer of security on top of most biometric systems.
It's about as much snakeoil as the whole deal with "protection" against intrusion when you have the "protected" device physically in your hands. It's right behind unbreakable DRM.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Eh, the poor guy probably just had to put up with some password policy that says he has to have at least one non-letter character in the password.
A polar bear is a cartesian bear after a coordinate transform.
Around the world there are millions of low-level padlocks etc that will stop most petty thieves but will not deter serious thieves. Most houses have pickable locks that anyone could learn to pick, but yet most locks still serve their purpose.
The only real issue is if people buy these devices and think they're getting Fort Knox level security and essentially use a two-dollar padlock to secure a bank.
Engineering is the art of compromise.
Well that's stupid. Apart from the fact that using biometric data that is subject to loss, and cannot ever be changed in case of compromise...
Assuming you *had* to do it with fingerprints... why wouldn't you just come up with some algorithm that takes certain points and spaces and distances of your fingerprint, creates an encryption/decryption password based on the results, and then encrypts/decrypts your data with something like what TrueCrypt does, but using this password instead.
This way your data is actually encrypted, and not just gated.
"They said I probly shouldn't fly with just one eye," "I am Bender. Please insert girder."
This is why I have a $10 USB memory stick and I use a Truecrypt volume on it with a HMAC-Whirlpool whatever encryption it is.
When I plug it into another computer, the autostart popup comes on the screen to mount the volume, easy enough, and as almost everyone runs their Windows as administrator, no problem to run Truecrypt.
It works also on Linux and OSX.
And if someone steals it, good luck finding the key!
"Science will win because it works." - Stephen Hawking
A fingerprint identifies you. It doesn't authenticate you. It's effectively your username. To use it as your password is akin to using your username as your password.
Don't underestimate the power of The Source
My reply was conjecturing that such things should exist ... but you know they do ...
Let's say, hypothetically, you could create a perfect fingerprint matching system you could use to provide a strong encryption key for encrypting/decrypting your data. Let's say the technology couldn't be fooled - it really required *your* finger, and not a rubber mold, xerox, etc. Let's even say that it uses some sort of 'salting' technique so that someone can't just figure out your key by lifting your fingerprints - that is, knowing *just* the fingerprint would not by itself be sufficient to generate the key, but is a necessary part of the algorithm. It's still a bad idea.
I for one, would rather not give anyone, anywhere, a motive for CUTTING OFF MY FINGERS. . . or simply forcing my hand into the keypad with the finger(s) still attached (maybe drug me and push my hand into the pad while I'm unconscious).
Granted, even with password security, it's true that someone could use the 'rubber hose and a pair of pliers' technique for getting my password. Or a key logger. Or a camera in a strategic position while I'm typing my password. But given the two alternatives, where you can't show a distinct advantage for fingerprints, I'd really rather stay with the simpler technology.
Fingerprint readers are kind of like a new, lazy, security guard; he kind of knows what people look like, and he'll let anyone in the building that looks close enough. Unfortunately, he _has_ to let people in who look close enough, or he'll get fired (the fingerprint reader won't be purchased).
Fingerprint readers are even worse than the human, because you can fake them so easily. So, you've got what amounts to a 2-digit combination lock on a key-locker that opens up the rest of the building.
Guys, we know that with the right tools, knowledge and ability pretty much anything can be cracked. These devices may not be able to keep security professionals or their seedier equivalent from accessing the information but it will keep the everyday Joe office worker from accessing your information. The idea is sound and it is secure against probably 99% of the world's population. The technical elite would be able to eventually crack it regardless of which security measures were applied.
I for one think this would be a good device to keep people like your wife/husband/girlfriend/roommate from accessing information you may not want them to see.
Christopher Tarnovsky gave an interesting presentation on this related subject at BHDC 2008:
http://www.blackhat.com/presentations/bh-dc-08/Tarnovsky/Presentation/bh-dc-08-tarnovsky.pdf
There is a common misconception that every security system, whether physical or digital, has a weakness somewhere. But I have a way to build a system with UNBREAKABLE security.
First, you input your fingerprint, which is converted by some algorithm into an 8-bit unsigned char. Then, every byte of your data is XORed with this char. The result is written to the USB stick. Oh yeah, and to ensure that the data, once decrypted, is identical to the original data, an SHA-1 signature of the ORIGINAL data is recorded to the USB stick, too.
The ingenious part of this design is that any system can read the data off the USB stick. But to read it, you need to input your fingerprint to decrypt the information. A small sticker on each USB stick will say, "How to retrieve data in case of lost finger: Try all 256 possible keys and check the result against the SHA-1 signature."
This is completely, utterly, 100% UNBREAKABLE security, worthy of even the most demanding government organizations.
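The "unbreakable" scheme above, written out as an added example (not code from the post) so the sticker's recovery procedure can actually be run: an 8-bit key, the SHA-1 of the plaintext stored next to the ciphertext, and the 256-trial recovery. The fingerprint template and the data are constructed sample values; the lesson is that a plaintext checksum stored beside the ciphertext gives anyone holding the stick an offline oracle, and an 8-bit key gives that oracle only 256 things to check.

```python
import hashlib
from typing import Optional, Tuple


def fingerprint_to_key(template: bytes) -> int:
    """Constructed stand-in for the post's 'some algorithm': fold the scan to 8 bits."""
    return hashlib.sha1(template).digest()[0]


def protect(data: bytes, key: int) -> Tuple[bytes, bytes]:
    """The scheme from the post: XOR every byte with the 8-bit key and record
    SHA-1 of the ORIGINAL data alongside the result."""
    ciphertext = bytes(b ^ key for b in data)
    return ciphertext, hashlib.sha1(data).digest()


def recover_without_finger(ciphertext: bytes, digest: bytes) -> Optional[Tuple[int, bytes]]:
    """The procedure printed on the sticker, available to whoever holds the stick:
    try all 256 keys and let the stored SHA-1 confirm the right one.
    Returns (key, plaintext), or None if no key reproduces the digest."""
    for candidate in range(256):
        plaintext = bytes(b ^ candidate for b in ciphertext)
        # The stored digest of the plaintext is the oracle: it tells the
        # guesser, offline and with certainty, when a candidate key is right.
        if hashlib.sha1(plaintext).digest() == digest:
            return candidate, plaintext
    return None


if __name__ == "__main__":
    template = b"constructed fingerprint template"          # constructed sample
    secret = b"customer database export (constructed data)"  # constructed sample
    ct, digest = protect(secret, fingerprint_to_key(template))
    found = recover_without_finger(ct, digest)
    print("recovered without finger:", found is not None and found[1] == secret)
```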
One problem is that fingerprints change. You cut your finger or play a guitar or just tend to have dry skin*... and your fingerprint changes. One issue with biometrics is that they are not static. Your fingerprints, your irises, your retinas - all of them change slightly over time. It's slight enough for "there's a high probability that this reading matches person X", but too much for "we'll take this reading as a digital key". You can try to downsample the readings to compensate for long-term change and short-term fluctuations, but that reduces the quality of the key and might allow in people with similar features.
Biometrics are hard for a number of reasons. One of them is that humans tend to look different over time.
* I don't know about you, but I constantly have small blemishes on my fingers. If I was relying on hi-res fingerprint scans for anything I'd have to reset them to match the state of my fingers every few weeks.
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
I know there's a good joke in there somewhere.
Experience teaches only the teachable. -AH
Those sticks are flawed not because the fingerprint sensor sucks, but because the authentication is made on the computer.
If I got it right, those sticks should work like this
The fact that the stick uses biometrics is irrelevant. With a design like that, it would have been vulnerable even if it had PIN, RSA keys or black magic. You can just bypass the security mechanism by sending the unlock command.
Essentially, it has the same flaw as the secustik we saw last year.
GPG 0x1B479C78
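A toy model of the two designs, added here as an illustration (not code from heise, PLscsi or any of the products): a stick whose partition switch is an unconditional command, as the post describes, beside one that keeps the unlock secret on the device and switches only after a correct challenge-response. The command names, the HMAC-based challenge and the enrolled secret are constructed assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Optional


class HostGatedStick:
    """Flawed design: the PC software does the fingerprint match and then tells
    the stick which partition to expose. The stick holds no secret and checks
    nothing, so the decision lives entirely in software it cannot trust."""

    def __init__(self) -> None:
        self.visible = "public"

    def handle(self, command: str, payload: bytes = b"") -> str:
        if command == "SWITCH_PARTITION":
            self.visible = "private"  # honoured unconditionally
        return self.visible


class DeviceGatedStick:
    """Fixed design: the stick holds the enrolled secret and only switches after
    a fresh, single-use challenge is answered correctly. The same command sent
    on its own changes nothing."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._challenge: Optional[bytes] = None
        self.visible = "public"

    def handle(self, command: str, payload: bytes = b"") -> str:
        if command == "GET_CHALLENGE":
            self._challenge = os.urandom(16)
            return self._challenge.hex()
        if command == "SWITCH_PARTITION":
            challenge, self._challenge = self._challenge, None  # single use
            if challenge is not None:
                expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
                if hmac.compare_digest(expected, payload):
                    self.visible = "private"
        return self.visible


def bare_switch_command(stick) -> str:
    """What the heise test amounts to: the switch command with no credential."""
    return stick.handle("SWITCH_PARTITION")


def unlock_with_credential(stick: DeviceGatedStick, credential: bytes) -> str:
    """Legitimate host flow for the device-gated design: fetch a challenge and
    answer it with the credential the user supplied (PIN or match-derived key;
    a constructed simplification)."""
    challenge = bytes.fromhex(stick.handle("GET_CHALLENGE"))
    response = hmac.new(credential, challenge, hashlib.sha256).digest()
    return stick.handle("SWITCH_PARTITION", response)


if __name__ == "__main__":
    print("host-gated, bare command  :", bare_switch_command(HostGatedStick()))
    good = DeviceGatedStick(b"enrolled-secret")
    print("device-gated, bare command:", bare_switch_command(good))
    print("device-gated, credential  :", unlock_with_credential(good, b"enrolled-secret"))
```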
It may still be possible to create something relatively tamper-proof, by destroying the physical layer if an attempt is made.
However, it is possible to do strong encryption such that you should assume it will be secure, and there is a number of years for which you can assume that to be true. Most schemes we employ today are assumed secure for at least ten years. Without some trick (or fully-functional quantum computers), there are some schemes which will outlast the heat-death of the Universe, but 10 years is usually enough for you to change all the keys, and for any business information to be irrelevant.
Here's what I currently do -- not out of need, but because I want to:
I have a USB stick which has everything needed to boot. That's a bootloader, a Linux kernel, an initrd with the encryption keys, and occasionally some other things which need to be kept similarly secure. I boot off of this device -- no password needed at any stage, mostly, as I am most often resuming from hibernation -- and the swap partition is encrypted, too, so hibernation is secure. And this USB stick is almost never plugged in or mounted anywhere, other than for boot.
If I lose the laptop, I can destroy the USB stick and be reasonably confident that no information has been stolen from the laptop. If I lose the USB stick, I can grab one of my backups of it (not saying where those are), and use this information to change the key associated with the disk -- as this is actually a key used to decode one of the encrypted copies of the real key, stored on the disk -- in other words, I don't even have to reformat, and I can be reasonably confident that the machine is secure again.
Of course, if someone mugs me and takes both, then I have to assume the worst. It doesn't phone home yet, or have a dead man's switch of any kind. But the above scheme was really a hobby project, that took maybe twenty minutes to learn and implement (not including the time it took to format). However, that seems the least likely of any of the above scenarios.
Don't thank God, thank a doctor!
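The key handling in the scheme above, as an added illustration (not the poster's actual setup and not LUKS): the disk header holds only wrapped copies of the real key, so a lost boot stick is handled by opening with a backup of its key, dropping every slot that key opens and enrolling a new one, while the master key and the data under it stay put. The HMAC-based wrapping, the header layout and the slot names are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional


def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256. Illustration of key wrapping
    only; a real header uses a proper block cipher and a KDF."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(kek, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_master(kek: bytes, master: bytes) -> bytes:
    """One slot: the real disk key encrypted under an unlock key, then MACed."""
    nonce = os.urandom(16)
    body = bytes(m ^ k for m, k in zip(master, _keystream(kek, nonce, len(master))))
    tag = hmac.new(kek, b"slot" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unwrap_master(kek: bytes, slot: bytes) -> Optional[bytes]:
    """Return the master key if this unlock key fits the slot, else None."""
    nonce, body, tag = slot[:16], slot[16:-32], slot[-32:]
    expected = hmac.new(kek, b"slot" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(b ^ k for b, k in zip(body, _keystream(kek, nonce, len(body))))


def new_header(master: bytes, slots: Dict[str, bytes]) -> Dict[str, bytes]:
    """Header kept on the laptop disk: wrapped copies of master, never master."""
    return {name: wrap_master(kek, master) for name, kek in slots.items()}


def open_disk(header: Dict[str, bytes], kek: bytes) -> Optional[bytes]:
    """Try every slot with the key read from the boot stick's initrd."""
    for slot in header.values():
        master = unwrap_master(kek, slot)
        if master is not None:
            return master
    return None


def rotate_stick_key(header: Dict[str, bytes], old_kek: bytes,
                     new_slot: str, new_kek: bytes) -> bool:
    """The recovery in the post: unlock with a backup copy of the lost stick's
    key, remove every slot that key opens, enrol a fresh key. Data stays
    encrypted under the unchanged master, so no reformat is needed."""
    master = open_disk(header, old_kek)
    if master is None:
        return False
    for name in [n for n, s in header.items() if unwrap_master(old_kek, s) is not None]:
        del header[name]
    header[new_slot] = wrap_master(new_kek, master)
    return True


if __name__ == "__main__":
    master, stick_key, new_key = os.urandom(32), os.urandom(32), os.urandom(32)
    header = new_header(master, {"stick": stick_key})
    backup_of_stick = bytes(stick_key)  # the backup is a copy of the same key
    print("rotated:", rotate_stick_key(header, backup_of_stick, "stick-v2", new_key))
    print("old stick opens:", open_disk(header, stick_key) is not None)
    print("new stick opens:", open_disk(header, new_key) == master)
```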
Can you explain the basic principles behind how a "secure" system works?
As pointed out in the rest of this thread, "fingerprint" != "encryption key" so how do you encrypt the data?
No sig today...
And in response god created the iron key...
https://www.ironkey.com/
No, sorry, that's just wrong. If the data is properly encrypted with a decent cipher using a key with sufficient entropy, you should assume it has not been compromised.
Also that the key must not be with the encrypted data.
Because that password scheme is what we have to live with.
Oh, and you have to change your password every ~90 days and it remembers your last 8 passwords.
I now just use Gene$Hunt1 and increment "1" every time they make me change my password.
BTW, before the screams occur, that isn't my actual password but a good enough approximation and I just finished watching Ashes to Ashes (far inferior to Life on Mars).
OK, I take your point about losing control, but I still somewhat disagree with your conclusions. The Dolev-Yao threat model, used by all serious cryptographers, assumes that the attacker has all information at their disposal - your encrypted message, the algorithm used to encrypt, even potentially information about the content of the message (but not the exact message itself). Modern cryptography is designed on the assumption that the *only* thing protecting your data is the secrecy of the key itself.
You are really talking about risk management of information. It's not quite information at rest (e.g. on a physically secured server), and neither is it information in transit (e.g. sent over a secured or encrypted link, that is only interceptable at the moment of transmission). What we have here is information that must be portable (hence why it's on the USB stick), but still requires protection, both now and, crucially, into the future in the case of loss. So the encryption is insurance against the loss of that stick.
As you rightfully say, it doesn't necessarily protect you for all time against all attackers, but it can reduce your risk to an extremely low level. You must consider the cover time (the time for which the information must remain secret) when picking your key size, etc. For example, the DES encryption has never been cracked (in the sense of a practical mathematical break), but it is now crackable because its key length is only around 64 bits. When DES was first designed, they predicted the cover time it would give (following Moore's law), fairly accurately. Picking a key length that gives you sufficient insurance into the future must be a part of your selection process - especially for data encrypted on portable devices.
Of course it is always possible that a surprise mathematical attack could render your encryption useless, or a stunning technological advance might make brute force attacks feasible. These are not very likely, but are possible. But the art of using encryption like this is to mitigate the risk of moving the sensitive information, which presumably must be moved. Without encryption, you couldn't move that sensitive information - or at least, not without a lot of additional and possibly prohibitive expense (armed guards, secure physical delivery services).
Finally, while I agree that the loss of encrypted sensitive information is a risk, and must be acknowledged as such, it is not the *same* risk as actual compromise of the information itself. If you treat it this way, you cannot make realistic plans for each eventuality - you will either over-react in one circumstance, or under-react in another. If the information is *so* important that losing the encrypted data must be treated in the same way as losing the information itself, then you shouldn't be moving it around like that in the first place!