Fingerprint-Protected USB Sticks Cracked

juct writes "Manufacturers of USB sticks and cards with fingerprint readers promise us that their data safes can only be opened with the right fingerprint. In their tests, heise Security found that it is easy to bypass the authentication and get access to the protected data. This works by sending a single USB command, using the open source tool PLscsi, that changes the accessible partition. They found the vulnerability in several USB sticks that use the same chipset. The article concludes: 'The fingerprint sensors in the products mentioned above apparently only serve one purpose: they mislead interested buyers. They do not provide any significant level of protection. We can only recommend that these products not be purchased.'"

Fingerprint scanners suck.

I've never seen a fingerprint system that was worth a damn...I was doing consulting at a company a few years back that had the "pad style" thumb readers (rather than the little scanners that are more popular now), and I "hacked" one of them for the company director by taking a deep breath and breathing on it. Warm breath condenses on the previous fingerprint and heats up the temperature sensor, and voila.

Now I had garlic pizza for lunch, so there is more than one reason that would have worked, but the fact that it did work was more than enough to convince me of the worthlessness of the tech. They had a Mythbusters episode a while back where they were fooling fingerprint readers with xeroxes and rubber casts; again, a huge glaring flaw.

At this point, security is still about passwords. I haven't seen any consumer grade biometric I'd trust with my MySpace profile (if I ever make one), more less anything sensitive.

Re:Fingerprint scanners suck.

As I've pointed out in previous post [slashdot.org], you won't be truly secure until you can completely incinerate any non-authorized individual who touches the drive. Even passwords fall short. Encryption, biometrics, etc... pfft... you're not safe unless annihilation is ensured.

Fingerprint scanners suck.

It goes without saying that there are a large number of low-end sensors disguised as excellent front-ends to biometric authentication. You need to segregate two things.

1. the sensor itself.

2. the implementation of the sensor. (e.g. sensor as a front end)

There are two legitimate sensor manufacturers in the U.S. and one very well-known French company all of whom do not sell to just anyone anywhere and at prices absolutely out of range for a TV show and the average company.

Another thing to keep in mind is even IF there was budget for a good device, (oh to dream) there are implementation issues that can make the hardware worthless. As is often the case, meaningful implementations tend to complicate practically all business/operations matters which is why no company bothers.

To generalize that all fingerprint scanners suck is just wrong.

Re:Fingerprint scanners suck.

mpapet is correct. I work on the development team of a company that manufactures Biometric USB drives. there are many many low-end drives on the market that, as this article states, are not secure at all. You can use the attack they speak of or attack the flash chip directly in most cases. There are a few quality products on the market, including our own, that do use strong security principals to make sure attacks like these are not possible. To say that these issues effect all biometric USB devices, and that they should not be used, is simply false.

Re:Fingerprint scanners suck.

Glad you were able to hack it. I had problems with fingerprint readers for exactly the opposite reason. I could never get into the data centre. Each time, I would have my print rescanned, and it would work for about 5 minutes, until the following week, possibly due to the fact that I was destroying my fingers with regular guitar playing at the time, it couldn't recognise me.

Re:Fingerprint scanners suck.

My biggest problem with finger print locks is that they use only my finger to open them, and I don't want someone using my finger to open a lock when I'm not there. A good rule of thumb is that you should never lock anything with a finger print that is more valuable to a thief than your finger is to you, or that is harder to crack than cutting off your fingers.

This is why I don't ever want a car with fingerprint locks. Pretty much the same for laptops. I am going to put a fingerprint reader on my pool gate though, as it will be easier for someone to just kick the gate open, or jump the gate than it is for them to mug me and take my fingers.

Re:Fingerprint scanners suck.

Isn't that like using a deadbolt lock AND the little clasp on the screen door? Yes, the clasp is a "lock" just like the fingerprint scanner, but it isn't really the "secure" part of the solution.

This is completely unlike that. This is more like replacing a physical key with a keycard. Still same lock technology, just different way to open the lock. If the data is stored on the USB stick in the clear, with the fingerprint only used through an authentication mechanism, then reading the memory directly can get the data (say by physically taking the memory chips out of the stick and putting them in another stick). You don't need to know the fingerprint. On the other hand, if you use the fingerprint as an encryption key for the data, it does help. It means that an attacker has to know the fingerprint. The fingerprint reader saves you the bother of memorizing the encryption key.

Re:Fingerprint scanners suck.

On the other hand, if you use the fingerprint as an encryption key for the data, it does help. It means that an attacker has to know the fingerprint.

I assume that you're talking about treating a hash of a fingerprint scan as an encryption key. But no two scans of one fingerprint are identical pixel for pixel. If you scan one thumb ten times, you get ten different hashes. Therefore, software that compares fingerprints must use some sort of fuzzy matching. What algorithm would you suggest using to turn 100 different scans of the same thumb into the same key every time?

Re:Fingerprint scanners suck.

But no two scans of one fingerprint are identical pixel for pixel. If you scan one thumb ten times, you get ten different hashes.

Then that's not the way it should be done. For one thing, while the angle of the print may change, the relative size will not.

I think you can create fingerprints based off of a formula. All you need is to supply a set of variable coefficients. The hash would be that set of coefficients for your formula.

It's been a very long time since I had studied fingerprints, and that was rather cursory.

From what I know, every print has at least one point. The alternative is that some prints have ridges going straight across, which doesn't sound right to me.

- Focus on the most prominent one or the one ranked highest in priority.
- Measure the distances between unique points and their angles relative to each other.
- A left loop will always be a left loop no matter the rotation, and has an apex.
- Same with a tented arch, except it will also have a triangular shape.
- A whorl has two epicenters of a given distance.

I never worked in the field, but the above plan seems obvious to me. I also don't have a large sample set to help refine that formula - maybe having two whorls or two similar loops or some other combo never happens.

With any authentication, the important thing is that it be easy to produce the key and make it very hard to fake it. Therefore, the biggest problem with fingerprint authentication is that the user keeps leaving their key everywhere they touch. It's like mentioning your passwords in plaintext within every conversation you have. One solution may be to use toeprints instead.

Re:Fingerprint scanners suck.

Passwords are much more secure at this point. No one is going to steal your password off an old soda bottle.

My password is "Dr. Pepper" you insensitive clod!

You haven't seen some password policies

Eh, the poor guy probably just had to put up with some password policy that says he has to have at least one non-letter character in the password.

Re:Fingerprint scanners suck.

That said, quite a few people use stupid passwords. My own for /. is itself moderately secure, but I've used it for many different websites I don't really worry about too much. That weakens it a bit.

Adding a few numbers or characters should buy you a fair amount of security, for instance, "DrPepper!!!" or "DrPepper732" should be harder to guess than "DrPepper". The problem is that you can go too far. You could require, for instance, that passwords be at least 12 characters long and contain at least one uppercase letter, one lowercase letter, one number, and one non-alphanumeric symbol, e.g. "DrPepper732!?". The problem is that you've got multiple passwords- one for work, one for Amazon.com, one for online banking, one for /., etc. etc. so it becomes virtually impossible to remember the damn things. Now what? People have to start writing them down, and posting them next to the machine. A huge part of the security of passwords comes from the fact that it's not physically written down; as soon as you have to record it instead of keeping it in your memory, your overall level of security is going down, even if the password is getting harder to crack.

Re:Fingerprint scanners suck.

The problem is that you've got multiple passwords- one for work, one for Amazon.com, one for online banking, one for /., etc. etc. so it becomes virtually impossible to remember the damn things. Now what? People have to start writing them down, and posting them next to the machine. A huge part of the security of passwords comes from the fact that it's not physically written down; as soon as you have to record it instead of keeping it in your memory, your overall level of security is going down, even if the password is getting harder to crack.

There's an easy solution to this, just store your passwords in one of those fingerprint-protected USB sticks that I've been reading so much about.

Damned With Faint Praise?

"They do not provide any significant level of protection. We can only recommend that these products not be purchased."

You seldom get such unflinching prose in a review.

LOLOL pwned!

And my boss has been pushing to get these deployed at our company, for the sake of security. I'm sending him this article right now.

Thanks once again, Slashdot, for making it possible for me to project the impression that I'm doing my job. ^_^

Re:LOLOL pwned!

Thanks once again, Slashdot, for making it possible for me to project the impression that I'm doing my job. ^_^

Shouldn't you be thanking Heise instead?

Just saying...

np: Pole - Achterbahn (Shackleton Remix) (Steingarten Remixes)

Mythbusters

Didn't Mythbusters beat a bunch of fingerprint readers a couple of seasons ago? I seem to recall them using printed pictures of fingerprints with great success.

http://www.youtube.com/watch?v=oXyFmieZjiE

More snake oil security

This is not the first USB-stick sold for a high price (typically 10 times the price of a normal USB stick of the same size) that doesn't actually add any security whatsoever.

Here [tweakers.net] is an article by a dutch website (the article is in english though) that does a thorough job (technical details included) of debunking a similar product.

Meanwhile, the scary thing is that government and military organizations are reported to have been actually using such products...

Physical layer

If someone has access to the physical layer of your data then you must assume it is compromised. If someone has physical access to your memory stick you must consider it compromised.

Granted there are some encryption schemes that are tough to crack but history teaches us to never assume security when you lose physical possession of data.

Hardware-based security is often vulnerable

Corsair's Flash Padlock has the same issue [computerworld.com]. You can open the case through a single screw in the back of the drive and then access an electronic switch on the board, which can be easily tripped with a piece of wire, giving you access to the memory chip without having to punch in a security PIN. Hardware security methods just aren't as secure as software-based encryption.

Re:Hardware-based security is often vulnerable

Hardware security methods just aren't as secure as software-based encryption.

You couldn't be more wrong about biometric authentication. You probably haven't seen the Sagem or Cogent sensors implemented well. It is the very rare organization who would actually spend the money to do the job right. A revision is necessary to make your statement accurate.

Cheap and dirty hardware security methods just aren't as secure as software-based encryption.

That's better.

Re:Hardware-based security is often vulnerable

Exactly. I saw a "secure" version of that. that potted the whole device in epoxy. I returned the unit to the salesman with all the epoxy removed and a CD of the contents of the drive and said. "I would not trust that for any security."

Granted It helps I made my way through college modding VideoCipher II boards back in the 80's so epoxy potting removal is incredibly easy to me.

The ONLY way to make these toys secure is custom chipsets. power up chipset and then only decrypt the contents of the flash after the 12 digit key was entered on the little pin pad. But nobody is going to make that.

Oh no! Not fingerprint "security"

When will fingerprint "security" die?

Obligatory links:

http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/ [theregister.co.uk]
http://www.schneier.com/crypto-gram-9808.html#biometrics [schneier.com]

It's important to understand that your fingerprints aren't secrets. You put them on thousands of objects every day. You can't create any security based on fingerprints unless you can assure that the reading device isn't tampered with. By placing a guard (a person) there or something.

Re:Misleading?

But it is misleading. It offers a technology that, to the viewer, is designed to protect the content on the memory. It does nothing of the sort. It gives the facade of a deadbolted door, with a window around back that is just left open. You say it's quicker than inputting a password? I doubt people are really in that much of a hurry that 2 seconds is such a waste of time. If anything it would serve as not needing to remember a password, or multiple passwords. But I'm still wary of anything that will require any sort of biometric information of mine for me to access.

Re:The Elephant in The Room

One of my favorite Login security systems I have used was when I had to access a secure system back in the early 90's. one of the login validations was the date and time you last logged in.

Username:
Password:
Last login date:
Last Login time:
Today's PIN:

Worked good but kept a LOT of people out as they could never remember when they last logged in I was one of few that never called the help desk as I simply scheduled my login times to be the same each day.
Today's pin was not so safe as it was written on the whiteboard in the security office.