Slashdot Mirror


Fingerprint-Protected USB Sticks Cracked

juct writes "Manufacturers of USB sticks and cards with fingerprint readers promise us that their data safes can only be opened with the right fingerprint. In their tests, heise Security found that it is easy to bypass the authentication and get access to the protected data. This works by sending a single USB command, using the open source tool PLscsi, that changes the accessible partition. They found the vulnerability in several USB sticks that use the same chipset. The article concludes: 'The fingerprint sensors in the products mentioned above apparently only serve one purpose: they mislead interested buyers. They do not provide any significant level of protection. We can only recommend that these products not be purchased.'"

10 of 166 comments

  1. Fingerprint scanners suck. by SatanicPuppy · · Score: 5, Interesting

    I've never seen a fingerprint system that was worth a damn...I was doing consulting at a company a few years back that had the "pad style" thumb readers (rather than the little scanners that are more popular now), and I "hacked" one of them for the company director by taking a deep breath and breathing on it. Warm breath condenses on the previous fingerprint and heats up the temperature sensor, and voila.

    Now I had garlic pizza for lunch, so there is more than one reason that would have worked, but the fact that it did work was more than enough to convince me of the worthlessness of the tech. They had a Mythbusters episode a while back where they were fooling fingerprint readers with xeroxes and rubber casts; again, a huge glaring flaw.

    At this point, security is still about passwords. I haven't seen any consumer grade biometric I'd trust with my MySpace profile (if I ever make one), much less anything sensitive.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    1. Re:Fingerprint scanners suck. by tepples · · Score: 3, Interesting

      On the other hand, if you use the fingerprint as an encryption key for the data, it does help. It means that an attacker has to know the fingerprint. I assume that you're talking about treating a hash of a fingerprint scan as an encryption key. But no two scans of one fingerprint are identical pixel for pixel. If you scan one thumb ten times, you get ten different hashes. Therefore, software that compares fingerprints must use some sort of fuzzy matching. What algorithm would you suggest using to turn 100 different scans of the same thumb into the same key every time?
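
Added example, not part of the thread and not code from any product discussed: one published answer to the question in the comment above is a code-offset "fuzzy extractor", which stores error-correcting helper data at enrollment so that a noisy rescan decodes to the same key. The 224-bit feature vector, the 7x repetition code and all function names are assumptions chosen for illustration.

```python
import hashlib
import secrets

REP = 7           # each secret bit is repeated 7 times (corrects up to 3 flips per block)
SECRET_BITS = 32  # toy size, constructed for the example

def naive_key(scan):
    """Hash the raw scan bits directly: a single flipped bit changes the key."""
    return hashlib.sha256(bytes(scan)).hexdigest()

def enroll(scan, secret=None):
    """Code-offset sketch: helper = scan XOR codeword(secret); key = hash(secret)."""
    if secret is None:
        secret = [secrets.randbits(1) for _ in range(SECRET_BITS)]
    codeword = [b for b in secret for _ in range(REP)]
    helper = [s ^ c for s, c in zip(scan, codeword)]
    return helper, hashlib.sha256(bytes(secret)).hexdigest()

def reproduce(scan, helper):
    """Recover the key from a noisy rescan by majority-decoding each block."""
    noisy = [s ^ h for s, h in zip(scan, helper)]
    secret = [int(sum(noisy[i:i + REP]) > REP // 2)
              for i in range(0, len(noisy), REP)]
    return hashlib.sha256(bytes(secret)).hexdigest()

def flip(scan, positions):
    """Return a copy of scan with the given bit positions inverted (simulated noise)."""
    out = list(scan)
    for p in positions:
        out[p] ^= 1
    return out

def demo():
    # Constructed 224-bit "feature vector". Real scans need alignment and feature
    # extraction first; this example assumes that has already happened.
    enrolled = [(i * 37 + 11) % 5 % 2 for i in range(SECRET_BITS * REP)]
    rescan = flip(enrolled, [0, 1, 2, 50, 51, 120, 200, 223])  # at most 3 flips per block
    impostor = [b ^ 1 if i % 2 == 0 else b for i, b in enumerate(enrolled)]
    helper, key = enroll(enrolled)
    return {
        "naive_stable": naive_key(enrolled) == naive_key(rescan),
        "fuzzy_stable": reproduce(rescan, helper) == key,
        "impostor_match": reproduce(impostor, helper) == key,
    }

if __name__ == "__main__":
    print(demo())
```

The helper data has to be stored next to the encrypted data and leaks some information about the enrolled scan, so the resulting key is only as strong as the entropy left in the fingerprint features.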
    2. Re:Fingerprint scanners suck. by sqldr · · Score: 4, Interesting

      Glad you were able to hack it. I had problems with fingerprint readers for exactly the opposite reason. I could never get into the data centre. Each time, I would have my print rescanned, and it would work for about 5 minutes, until the following week, possibly due to the fact that I was destroying my fingers with regular guitar playing at the time, it couldn't recognise me.

      --
      I wrote my first program at the age of six, and I still can't work out how this website works.
    3. Re:Fingerprint scanners suck. by dbrez8 · · Score: 4, Interesting

      mpapet is correct. I work on the development team of a company that manufactures Biometric USB drives. There are many many low-end drives on the market that, as this article states, are not secure at all. You can use the attack they speak of or attack the flash chip directly in most cases. There are a few quality products on the market, including our own, that do use strong security principles to make sure attacks like these are not possible. To say that these issues affect all biometric USB devices, and that they should not be used, is simply false.

    4. Re:Fingerprint scanners suck. by AncientPC · · Score: 3, Interesting
  2. Damned With Faint Praise? by Jeremiah+Cornelius · · Score: 5, Interesting

    "They do not provide any significant level of protection. We can only recommend that these products not be purchased."

    You seldom get such unflinching prose in a review.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  3. LOLOL pwned! by TripMaster+Monkey · · Score: 3, Interesting

    And my boss has been pushing to get these deployed at our company, for the sake of security. I'm sending him this article right now.

    Thanks once again, Slashdot, for making it possible for me to project the impression that I'm doing my job. ^_^

    --
    ____

    ~ |rip/\/\aster /\/\onkey

  4. More snake oil security by Idaho · · Score: 4, Interesting

    This is not the first USB-stick sold for a high price (typically 10 times the price of a normal USB stick of the same size) that doesn't actually add any security whatsoever.

    Here is an article by a Dutch website (the article is in English though) that does a thorough job (technical details included) of debunking a similar product.

    Meanwhile, the scary thing is that government and military organizations are reported to have been actually using such products...

    --
    Every expression is true, for a given value of 'true'
  5. Re:Hardware-based security is often vulnerable by Lumpy · · Score: 4, Interesting

    Exactly. I saw a "secure" version of that, that potted the whole device in epoxy. I returned the unit to the salesman with all the epoxy removed and a CD of the contents of the drive and said, "I would not trust that for any security."

    Granted, it helps I made my way through college modding VideoCipher II boards back in the 80's so epoxy potting removal is incredibly easy to me.

    The ONLY way to make these toys secure is custom chipsets. Power up chipset and then only decrypt the contents of the flash after the 12 digit key was entered on the little pin pad. But nobody is going to make that.

    --
    Do not look at laser with remaining good eye.
  6. Oh no! Not fingerprint "security" by pesc · · Score: 5, Interesting

    When will fingerprint "security" die?

    Obligatory links:

    http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/
    http://www.schneier.com/crypto-gram-9808.html#biometrics

    It's important to understand that your fingerprints aren't secrets. You put them on thousands of objects every day. You can't create any security based on fingerprints unless you can assure that the reading device isn't tampered with. By placing a guard (a person) there or something.

    --

    )9TSS