Slashdot Mirror


Fingerprint-Protected USB Sticks Cracked

juct writes "Manufacturers of USB sticks and cards with fingerprint readers promise us that their data safes can only be opened with the right fingerprint. In their tests, heise Security found that it is easy to bypass the authentication and get access to the protected data. This works by sending a single USB command, using the open source tool PLscsi, that changes the accessible partition. They found the vulnerability in several USB sticks that use the same chipset. The article concludes: 'The fingerprint sensors in the products mentioned above apparently only serve one purpose: they mislead interested buyers. They do not provide any significant level of protection. We can only recommend that these products not be purchased.'"

5 of 166 comments

  1. Fingerprint scanners suck. by SatanicPuppy · · Score: 5, Interesting

    I've never seen a fingerprint system that was worth a damn...I was doing consulting at a company a few years back that had the "pad style" thumb readers (rather than the little scanners that are more popular now), and I "hacked" one of them for the company director by taking a deep breath and breathing on it. Warm breath condenses on the previous fingerprint and heats up the temperature sensor, and voila.

    Now I had garlic pizza for lunch, so there is more than one reason that would have worked, but the fact that it did work was more than enough to convince me of the worthlessness of the tech. They had a Mythbusters episode a while back where they were fooling fingerprint readers with xeroxes and rubber casts; again, a huge glaring flaw.

    At this point, security is still about passwords. I haven't seen any consumer grade biometric I'd trust with my MySpace profile (if I ever make one), much less anything sensitive.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    1. Re:Fingerprint scanners suck. by Belial6 · · Score: 5, Insightful

      My biggest problem with fingerprint locks is that they use only my finger to open them, and I don't want someone using my finger to open a lock when I'm not there. A good rule of thumb is that you should never lock anything with a fingerprint that is more valuable to a thief than your finger is to you, or that is harder to crack than cutting off your fingers.

      This is why I don't ever want a car with fingerprint locks. Pretty much the same for laptops. I am going to put a fingerprint reader on my pool gate though, as it will be easier for someone to just kick the gate open, or jump the gate than it is for them to mug me and take my fingers.

    2. Re:Fingerprint scanners suck. by u8i9o0 · · Score: 5, Informative

      But no two scans of one fingerprint are identical pixel for pixel. If you scan one thumb ten times, you get ten different hashes.

      Then that's not the way it should be done. For one thing, while the angle of the print may change, the relative size will not.

      I think you can create fingerprints based off of a formula. All you need is to supply a set of variable coefficients. The hash would be that set of coefficients for your formula.

      It's been a very long time since I had studied fingerprints, and that was rather cursory.

      From what I know, every print has at least one point. The alternative is that some prints have ridges going straight across, which doesn't sound right to me.

      - Focus on the most prominent one or the one ranked highest in priority.
      - Measure the distances between unique points and their angles relative to each other.
      - A left loop will always be a left loop no matter the rotation, and has an apex.
      - Same with a tented arch, except it will also have a triangular shape.
      - A whorl has two epicenters of a given distance.

      I never worked in the field, but the above plan seems obvious to me. I also don't have a large sample set to help refine that formula - maybe having two whorls or two similar loops or some other combo never happens.

      With any authentication, the important thing is that it be easy to produce the key and make it very hard to fake it. Therefore, the biggest problem with fingerprint authentication is that the user keeps leaving their key everywhere they touch. It's like mentioning your passwords in plaintext within every conversation you have. One solution may be to use toeprints instead.
      --
      This is not my sig
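
The comment above contrasts pixel-for-pixel hashes with measuring distances between feature points. The following sketch is an added example, not code from the thread or from any fingerprint product: the point sets, the `rescan` helper and the 1.0 tolerance are constructed for illustration, and only pairwise distances (not angles) are used.

```python
import hashlib
import math
from itertools import combinations

# Constructed sample: (x, y) feature-point positions from one scan, arbitrary units.
SCAN_A = [(10.0, 12.0), (25.0, 30.0), (40.0, 18.0), (32.0, 45.0)]
# Constructed sample: feature points of a different finger.
OTHER = [(10.0, 12.0), (20.0, 40.0), (45.0, 15.0), (30.0, 30.0)]

def rescan(points, angle_deg, dx, dy, jitter=0.0):
    """Simulate a second scan of the same finger: rotated, shifted, slightly noisy."""
    a = math.radians(angle_deg)
    out = []
    for i, (x, y) in enumerate(points):
        n = jitter if i % 2 else -jitter  # deterministic stand-in for sensor noise
        out.append((x * math.cos(a) - y * math.sin(a) + dx + n,
                    x * math.sin(a) + y * math.cos(a) + dy - n))
    return out

def raw_hash(points):
    """Exact-match approach: cryptographic hash over the raw coordinates."""
    return hashlib.sha256(repr(points).encode()).hexdigest()

def template(points):
    """Rotation- and translation-invariant features: sorted pairwise distances."""
    return sorted(math.dist(p, q) for p, q in combinations(points, 2))

def matches(t1, t2, tol=1.0):
    """Fuzzy comparison: every distance must agree within the tolerance."""
    return len(t1) == len(t2) and all(abs(a - b) <= tol for a, b in zip(t1, t2))

SCAN_B = rescan(SCAN_A, angle_deg=37, dx=5.0, dy=-3.0, jitter=0.2)

if __name__ == "__main__":
    print("raw hashes equal:   ", raw_hash(SCAN_A) == raw_hash(SCAN_B))
    print("same finger matches:", matches(template(SCAN_A), template(SCAN_B)))
    print("other finger matches:", matches(template(SCAN_A), template(OTHER)))
```

Because the comparison has to tolerate noise, the stored template cannot be protected like a password with a salted one-way hash; it has to be kept in a form that can be compared approximately.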
  2. Damned With Faint Praise? by Jeremiah+Cornelius · · Score: 5, Interesting

    "They do not provide any significant level of protection. We can only recommend that these products not be purchased."

    You seldom get such unflinching prose in a review.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  3. Oh no! Not fingerprint "security" by pesc · · Score: 5, Interesting

    When will fingerprint "security" die?

    Obligatory links:

    http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/
    http://www.schneier.com/crypto-gram-9808.html#biometrics

    It's important to understand that your fingerprints aren't secrets. You put them on thousands of objects every day. You can't create any security based on fingerprints unless you can assure that the reading device isn't tampered with. By placing a guard (a person) there or something.

    --

    )9TSS