Fingerprint-Protected USB Sticks Cracked

juct writes "Manufacturers of USB sticks and cards with fingerprint readers promise us that their data safes can only be opened with the right fingerprint. In their tests, heise Security found that it is easy to bypass the authentication and get access to the protected data. This works by sending a single USB command, using the open source tool PLscsi, that changes the accessible partition. They found the vulnerability in several USB sticks that use the same chipset. The article concludes: 'The fingerprint sensors in the products mentioned above apparently only serve one purpose: they mislead interested buyers. They do not provide any significant level of protection. We can only recommend that these products not be purchased.'"

Mythbusters

[TheMeuge]

Didn't Mythbusters beat a bunch of fingerprint readers a couple of seasons ago? I seem to recall them using printed pictures of fingerprints with great success.

http://www.youtube.com/watch?v=oXyFmieZjiE

bad security

[esocid]

...the controller on the stick does not decide whether to provide access to the partition; the software running on Windows does.

Well there's your problem. Who in their right mind designed these? No encryption either. Or maybe it was their plan all along...No, I'd go with just stupidity.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Damned With Faint Praise?

[Anonymous Coward]

Yep, that's definitely unique with Heise. They are the unchallenged market leader for German computer magazines, both for professionals and customers. I've seen so many slashdot stories that came up about a week after heise.de published them.

A few weeks ago, they said the same thing for "encrypted" USB hard drives (with state-of-the-art "XOR" encryption).

Re:Mythbusters

[haruchai]

Video has been yanked due to copyright infringement claim from Discovery Channel

Hardware-based security is often vulnerable

[Lucas123]

Corsair's Flash Padlock has the same issue [computerworld.com]. You can open the case through a single screw in the back of the drive and then access an electronic switch on the board, which can be easily tripped with a piece of wire, giving you access to the memory chip without having to punch in a security PIN. Hardware security methods just aren't as secure as software-based encryption.

Re:Mythbusters

[Ihmhi]

I was just about to post this... here is the video of it: http://www.youtube.com/watch?v=LA4Xx5Noxyo>

I am honestly not surprised. Biometrics has a long way to go. Now when are we going to see retinal scanner thumb drives? *eyeroll*

Re:Hardware-based security is often vulnerable

[mpapet]

Hardware security methods just aren't as secure as software-based encryption.

You couldn't be more wrong about biometric authentication. You probably haven't seen the Sagem or Cogent sensors implemented well. It is the very rare organization who would actually spend the money to do the job right. A revision is necessary to make your statement accurate.

Cheap and dirty hardware security methods just aren't as secure as software-based encryption.

That's better.

Fingerprint scanners suck.

[mpapet]

It goes without saying that there are a large number of low-end sensors disguised as excellent front-ends to biometric authentication. You need to segregate two things.

1. the sensor itself.

2. the implementation of the sensor. (e.g. sensor as a front end)

There are two legitimate sensor manufacturers in the U.S. and one very well-known French company all of whom do not sell to just anyone anywhere and at prices absolutely out of range for a TV show and the average company.

Another thing to keep in mind is even IF there was budget for a good device, (oh to dream) there are implementation issues that can make the hardware worthless. As is often the case, meaningful implementations tend to complicate practically all business/operations matters which is why no company bothers.

To generalize that all fingerprint scanners suck is just wrong.

Re:Watch a Sci-fi movie!

[aproposofwhat]

That's what distress keycodes were invented for - some fingerprint implementations even allow you to choose a 'distress finger' for use in that situation - it will still open the door, but will also flag an alert to security staff.

Re:Fingerprint scanners suck.

[Hawkeye05]

The Fingerprint readers on Thinkpads' Require electrical signals and also a pulse, so they arent that easy to circumvent, i wouldnt trust it with my life, since i dont encrypt my drive, but its good enough.

Re:Fingerprint scanners suck.

[u8i9o0]

But no two scans of one fingerprint are identical pixel for pixel. If you scan one thumb ten times, you get ten different hashes.

Then that's not the way it should be done. For one thing, while the angle of the print may change, the relative size will not.

I think you can create fingerprints based off of a formula. All you need is to supply a set of variable coefficients. The hash would be that set of coefficients for your formula.

It's been a very long time since I had studied fingerprints, and that was rather cursory.

From what I know, every print has at least one point. The alternative is that some prints have ridges going straight across, which doesn't sound right to me.

- Focus on the most prominent one or the one ranked highest in priority.
- Measure the distances between unique points and their angles relative to each other.
- A left loop will always be a left loop no matter the rotation, and has an apex.
- Same with a tented arch, except it will also have a triangular shape.
- A whorl has two epicenters of a given distance.

I never worked in the field, but the above plan seems obvious to me. I also don't have a large sample set to help refine that formula - maybe having two whorls or two similar loops or some other combo never happens.

With any authentication, the important thing is that it be easy to produce the key and make it very hard to fake it. Therefore, the biggest problem with fingerprint authentication is that the user keeps leaving their key everywhere they touch. It's like mentioning your passwords in plaintext within every conversation you have. One solution may be to use toeprints instead.

Re:Hardware-based security is often vulnerable

[smellsofbikes]

>so epoxy potting removal is incredibly easy to me.

Out of curiosity, how do you do it? I've used a combination of soaking in acetone and physically chipping/milling the stuff away, but I'd love to know better techniques.

>The ONLY way to make these toys secure is custom chipsets. power up chipset and then only decrypt the contents of the flash after the 12 digit key was entered on the little pin pad. But nobody is going to make that.

Read about the Maxim DS3600 [maxim-ic.com] family of chips some time. Keys stored encrypted on-chip, chip's a microSMD so you can't get to the pins, has massive on-chip detection facilities for eg. case tampering, power glitches, and temperature changes, all of which trigger it to wipe all its stored keys and optionally wipe other things to which it's attached, and uses weird repeated XOR writes of the encrypted keys so they don't build up oxide charges that'd allow you to read the memory once you've torn it apart.
That chip's going to be hard to fool.

Re:Fingerprint scanners suck.

[Khyber]

Excuse me? The readers do not require a pulse. They do require some sort of moisture to activate the sensor, but a pulse is just bullshit. I'm responsible for replacing the damned things for a large laptop repair company and I also own a thinkpad with biometrics, so I can easily say that requiring a pulse is BS. Obtaining a pulse from the fingertip is near-impossible. You have to get to the second joint of the finger where the skin is thinner.