Slashdot Mirror

← Back to Stories (view on slashdot.org)

Fingerprint-Protected USB Sticks Cracked

Posted by kdawson on from the going-around dept.

juct writes "Manufacturers of USB sticks and cards with fingerprint readers promise us that their data safes can only be opened with the right fingerprint. In their tests, heise Security found that it is easy to bypass the authentication and get access to the protected data. This works by sending a single USB command, using the open source tool PLscsi, that changes the accessible partition. They found the vulnerability in several USB sticks that use the same chipset. The article concludes: 'The fingerprint sensors in the products mentioned above apparently only serve one purpose: they mislead interested buyers. They do not provide any significant level of protection. We can only recommend that these products not be purchased.'"

3 of 166 comments (clear)

  1. Re:Fingerprint scanners suck. by l2718 · · Score: 4, Insightful

    Isn't that like using a deadbolt lock AND the little clasp on the screen door? Yes, the clasp is a "lock" just like the fingerprint scanner, but it isn't really the "secure" part of the solution.
    This is completely unlike that. This is more like replacing a physical key with a keycard. Still same lock technology, just different way to open the lock. If the data is stored on the USB stick in the clear, with the fingerprint only used through an authentication mechanism, then reading the memory directly can get the data (say by physically taking the memory chips out of the stick and putting them in another stick). You don't need to know the fingerprint. On the other hand, if you use the fingerprint as an encryption key for the data, it does help. It means that an attacker has to know the fingerprint. The fingerprint reader saves you the bother of memorizing the encryption key.
  2. Re:The Elephant in The Room by Lumpy · · Score: 4, Insightful

    One of my favorite Login security systems I have used was when I had to access a secure system back in the early 90's. one of the login validations was the date and time you last logged in.

    Username:
    Password:
    Last login date:
    Last Login time:
    Today's PIN:

    Worked good but kept a LOT of people out as they could never remember when they last logged in I was one of few that never called the help desk as I simply scheduled my login times to be the same each day.
    Today's pin was not so safe as it was written on the whiteboard in the security office.

    --
    Do not look at laser with remaining good eye.
  3. Re:Fingerprint scanners suck. by Belial6 · · Score: 5, Insightful

    My biggest problem with finger print locks is that they use only my finger to open them, and I don't want someone using my finger to open a lock when I'm not there. A good rule of thumb is that you should never lock anything with a finger print that is more valuable to a thief than your finger is to you, or that is harder to crack than cutting off your fingers.

    This is why I don't ever want a car with fingerprint locks. Pretty much the same for laptops. I am going to put a fingerprint reader on my pool gate though, as it will be easier for someone to just kick the gate open, or jump the gate than it is for them to mug me and take my fingers.