Slashdot Mirror

← Back to Stories (view on slashdot.org)

Fingerprint-Protected USB Sticks Cracked

Posted by kdawson on from the going-around dept.

juct writes "Manufacturers of USB sticks and cards with fingerprint readers promise us that their data safes can only be opened with the right fingerprint. In their tests, heise Security found that it is easy to bypass the authentication and get access to the protected data. This works by sending a single USB command, using the open source tool PLscsi, that changes the accessible partition. They found the vulnerability in several USB sticks that use the same chipset. The article concludes: 'The fingerprint sensors in the products mentioned above apparently only serve one purpose: they mislead interested buyers. They do not provide any significant level of protection. We can only recommend that these products not be purchased.'"

6 of 166 comments (clear)

  1. Re:LOLOL pwned! by Briareos · · Score: 3, Insightful

    Thanks once again, Slashdot, for making it possible for me to project the impression that I'm doing my job. ^_^ Shouldn't you be thanking Heise instead?

    Just saying...

    np: Pole - Achterbahn (Shackleton Remix) (Steingarten Remixes)

    --

    "I'm not anti-anything, I'm anti-everything, it fits better." - Sole

  2. Re:Misleading? by esocid · · Score: 3, Insightful

    But it is misleading. It offers a technology that, to the viewer, is designed to protect the content on the memory. It does nothing of the sort. It gives the facade of a deadbolted door, with a window around back that is just left open. You say it's quicker than inputting a password? I doubt people are really in that much of a hurry that 2 seconds is such a waste of time. If anything it would serve as not needing to remember a password, or multiple passwords. But I'm still wary of anything that will require any sort of biometric information of mine for me to access.

    --
    Absolute power corrupts absolutely. indymedia
  3. Re:Fingerprint scanners suck. by l2718 · · Score: 4, Insightful

    Isn't that like using a deadbolt lock AND the little clasp on the screen door? Yes, the clasp is a "lock" just like the fingerprint scanner, but it isn't really the "secure" part of the solution.
    This is completely unlike that. This is more like replacing a physical key with a keycard. Still same lock technology, just different way to open the lock. If the data is stored on the USB stick in the clear, with the fingerprint only used through an authentication mechanism, then reading the memory directly can get the data (say by physically taking the memory chips out of the stick and putting them in another stick). You don't need to know the fingerprint. On the other hand, if you use the fingerprint as an encryption key for the data, it does help. It means that an attacker has to know the fingerprint. The fingerprint reader saves you the bother of memorizing the encryption key.
  4. Re:The Elephant in The Room by Lumpy · · Score: 4, Insightful

    One of my favorite Login security systems I have used was when I had to access a secure system back in the early 90's. one of the login validations was the date and time you last logged in.

    Username:
    Password:
    Last login date:
    Last Login time:
    Today's PIN:

    Worked good but kept a LOT of people out as they could never remember when they last logged in I was one of few that never called the help desk as I simply scheduled my login times to be the same each day.
    Today's pin was not so safe as it was written on the whiteboard in the security office.

    --
    Do not look at laser with remaining good eye.
  5. Re:Fingerprint scanners suck. by Belial6 · · Score: 5, Insightful

    My biggest problem with finger print locks is that they use only my finger to open them, and I don't want someone using my finger to open a lock when I'm not there. A good rule of thumb is that you should never lock anything with a finger print that is more valuable to a thief than your finger is to you, or that is harder to crack than cutting off your fingers.

    This is why I don't ever want a car with fingerprint locks. Pretty much the same for laptops. I am going to put a fingerprint reader on my pool gate though, as it will be easier for someone to just kick the gate open, or jump the gate than it is for them to mug me and take my fingers.

  6. Re:Fingerprint scanners suck. by flyingsquid · · Score: 3, Insightful
    That said, quite a few people use stupid passwords. My own for /. is itself moderately secure, but I've used it for many different websites I don't really worry about too much. That weakens it a bit.

    Adding a few numbers or characters should buy you a fair amount of security, for instance, "DrPepper!!!" or "DrPepper732" should be harder to guess than "DrPepper". The problem is that you can go too far. You could require, for instance, that passwords be at least 12 characters long and contain at least one uppercase letter, one lowercase letter, one number, and one non-alphanumeric symbol, e.g. "DrPepper732!?". The problem is that you've got multiple passwords- one for work, one for Amazon.com, one for online banking, one for /., etc. etc. so it becomes virtually impossible to remember the damn things. Now what? People have to start writing them down, and posting them next to the machine. A huge part of the security of passwords comes from the fact that it's not physically written down; as soon as you have to record it instead of keeping it in your memory, your overall level of security is going down, even if the password is getting harder to crack.