Slashdot Mirror
Fingerprint-Protected USB Sticks Cracked
juct writes "Manufacturers of USB sticks and cards with fingerprint readers promise us that their data safes can only be opened with the right fingerprint. In their tests, heise Security found that it is easy to bypass the authentication and get access to the protected data. This works by sending a single USB command, using the open source tool PLscsi, that changes the accessible partition. They found the vulnerability in several USB sticks that use the same chipset. The article concludes: 'The fingerprint sensors in the products mentioned above apparently only serve one purpose: they mislead interested buyers. They do not provide any significant level of protection. We can only recommend that these products not be purchased.'"
I've never seen a fingerprint system that was worth a damn...I was doing consulting at a company a few years back that had the "pad style" thumb readers (rather than the little scanners that are more popular now), and I "hacked" one of them for the company director by taking a deep breath and breathing on it. Warm breath condenses on the previous fingerprint and heats up the temperature sensor, and voila.
Now I had garlic pizza for lunch, so there is more than one reason that would have worked, but the fact that it did work was more than enough to convince me of the worthlessness of the tech. They had a Mythbusters episode a while back where they were fooling fingerprint readers with xeroxes and rubber casts; again, a huge glaring flaw.
At this point, security is still about passwords. I haven't seen any consumer grade biometric I'd trust with my MySpace profile (if I ever make one), more less anything sensitive.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
"They do not provide any significant level of protection. We can only recommend that these products not be purchased."
You seldom get such unflinching prose in a review.
"Flyin' in just a sweet place,
Never been known to fail..."
And my boss has been pushing to get these deployed at our company, for the sake of security. I'm sending him this article right now.
Thanks once again, Slashdot, for making it possible for me to project the impression that I'm doing my job. ^_^
____
~ |rip/\/\aster /\/\onkey
Yep. The thing that I thought was most interesting was that the laptop scanner was harder to fool than the big sexy security door scanner.
Not that they didn't take both of them down easily, using low tech methods.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
This is not the first USB-stick sold for a high price (typically 10 times the price of a normal USB stick of the same size) that doesn't actually add any security whatsoever.
Here is an article by a dutch website (the article is in english though) that does a thorough job (technical details included) of debunking a similar product.
Meanwhile, the scary thing is that government and military organizations are reported to have been actually using such products...
Every expression is true, for a given value of 'true'
I agree 100%. However, the whole point of these devices is to protect your data in case it is lost / stolen.
The only problem is that they do not work.
There is a big market for physical security. It needs companies that will exploit it without snake oil. I like the idea of a multi-layer encryption / pass phrase / physical lock / self-destruct / whatever combination etc. idea on USB sticks and laptops etc. and I expect that products that cater to that need will grow. Unfortunately products that fail to live up to consumer demands will also continue to grow. It's a young industry.
Biometrics is even younger, and right now I don't trust any kind of biometric security mechanism.
Exactly. I saw a "secure" version of that. that potted the whole device in epoxy. I returned the unit to the salesman with all the epoxy removed and a CD of the contents of the drive and said. "I would not trust that for any security."
Granted It helps I made my way through college modding VideoCipher II boards back in the 80's so epoxy potting removal is incredibly easy to me.
The ONLY way to make these toys secure is custom chipsets. power up chipset and then only decrypt the contents of the flash after the 12 digit key was entered on the little pin pad. But nobody is going to make that.
Do not look at laser with remaining good eye.
No, sorry, that's just wrong. If the data is properly encrypted with a decent cipher using a key with sufficient entropy, you should assume it has not been compromised.
If the encryption you are using is so poor that the loss of your USB stick means you consider the data to be compromised, why bother encrypting at all?!!!
When will fingerprint "security" die?
Obligatory links:
http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/
http://www.schneier.com/crypto-gram-9808.html#biometrics
It's important to understand that your fingerprints aren't secrets. You put them on thousands of objects every day. You can't create any security based on fingerprints unless you can assure that the reading device isn't tampered with. By placing a guard (a person) there or something.
)9TSS
Your print never reads the same twice (fingerprints are a poor biometric for this reason - you can only really guess within a certain probability that it's the right one), so to do what you're suggesting you'd have to store the hash on the device.
So your security is dependent on them hiding the hash to the rest of the data. Security is only as strong as its weakest point.
Biometrics has its place. This isn't it.
Most of the time, a username/password is a perfectly good access-control method. In some cases (either high-security environments or connections over hostile space), a second authentication method is advised. Now we have a two-factor authentication. Typical example is "log onto the firewall to allow you to log onto a machine inside the firewall." SecureID cards and the like also work as a good second-factor method.
A biometric challenge is arguably an acceptable second-factor when added to a username/password system. It is NOT a substitute for such a system.
However, biometrics are HARD to do correctly! Cheap scanners suck and are generally insecure by design. Expensive scanners suck, but are generally designed better. None are foolproof, yet.
Also, biometric authentication carries a risk. If your username and password are stolen, then you can change your password and stop the damage. If your biometric ID (retinal scan, fingerprint, etc.) are successfully 'stolen,' then you have lost your authentication ability for all time! If your fingerprint is compromised, you can NEVER USE it as an authentication method again! There ain't no resetting fingerprints!
So we have a large expense for an imperfect system with exactly one possible compromise per user per lifetime. This isn't a primary ID method. It's not a good second-factor ID method either. In EXTREME security environments, it might make sense as a third-factor authorization system, along with username/password and a (pseudo-) one-time pad (i.e. SecureID).
If you don't NEED that type of security, then DON'T USE YOUR BIOMETRIC DATA! One compromise, and it's useless. Forever. Period.
Oh yeah, but I forget the most important part: Fingerprint scanners are shiny and cool, just like in the movies. Bah.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
Bulletproof revolving doors just big enough for one person that need a body scan to turn!