Fingerprint-Protected USB Sticks Cracked 166
juct writes "Manufacturers of USB sticks and cards with fingerprint readers promise us that their data safes can only be opened with the right fingerprint. In their tests, heise Security found that it is easy to bypass the authentication and get access to the protected data. This works by sending a single USB command, using the open source tool PLscsi, that changes the accessible partition. They found the vulnerability in several USB sticks that use the same chipset. The article concludes: 'The fingerprint sensors in the products mentioned above apparently only serve one purpose: they mislead interested buyers. They do not provide any significant level of protection. We can only recommend that these products not be purchased.'"
Re:LOLOL pwned! (Score:4, Insightful)
Just saying...
np: Pole - Achterbahn (Shackleton Remix) (Steingarten Remixes)
Re:Misleading? (Score:4, Insightful)
Re:Fingerprint scanners suck. (Score:5, Insightful)
The Elephant in The Room (Score:3, Insightful)
As long as someone can get access to the container, they can find a way in.
Obviously we're balancing convenience with security, but when some employee takes your whole customer database off-site on his laptop your problem is not encryption, it's keeping that data in a controlled environment.
Re:The Elephant in The Room (Score:5, Insightful)
Username:
Password:
Last login date:
Last Login time:
Today's PIN:
Worked good but kept a LOT of people out as they could never remember when they last logged in I was one of few that never called the help desk as I simply scheduled my login times to be the same each day.
Today's pin was not so safe as it was written on the whiteboard in the security office.
Re:bad security (Score:3, Insightful)
Stupidity of the gullible people buying this, that is.
The guys who designed this (and, more importantly, marketed it) are certainly not stupid - they are essentially selling low-grade USB sticks at probably a 10x markup, at the cost of having a couple programmers write a Windows-only driver that makes it look like there is a security layer. I wouldn't call this stupid (although certainly ethically questionable, but that's a different matter)
If at first you don't get posted... (Score:3, Insightful)
I guess now I know what to do if the stories I submit don't make it...
Re:Fingerprint scanners suck. (Score:5, Insightful)
This is why I don't ever want a car with fingerprint locks. Pretty much the same for laptops. I am going to put a fingerprint reader on my pool gate though, as it will be easier for someone to just kick the gate open, or jump the gate than it is for them to mug me and take my fingers.
What's wrong with low level protection? (Score:3, Insightful)
Around the world there are millions of low-level padlocks etc that will stop most petty thieves but will not deter serious thieves. Most houses have pickable locks that anyone could learn to pick, but yet most locks still serve their purpose.
The only real issue is if peeople buy these devices and think they're getting Fort Knox level security and essentially use a two-dollar padlock to secure a bank.
Re:Fingerprint scanners suck. (Score:4, Insightful)
Adding a few numbers or characters should buy you a fair amount of security, for instance, "DrPepper!!!" or "DrPepper732" should be harder to guess than "DrPepper". The problem is that you can go too far. You could require, for instance, that passwords be at least 12 characters long and contain at least one uppercase letter, one lowercase letter, one number, and one non-alphanumeric symbol, e.g. "DrPepper732!?". The problem is that you've got multiple passwords- one for work, one for Amazon.com, one for online banking, one for /., etc. etc. so it becomes virtually impossible to remember the damn things. Now what? People have to start writing them down, and posting them next to the machine. A huge part of the security of passwords comes from the fact that it's not physically written down; as soon as you have to record it instead of keeping it in your memory, your overall level of security is going down, even if the password is getting harder to crack.
Re:Fingerprint scanners suck. (Score:3, Insightful)
Re:Fingerprint scanners suck. (Score:-1, Insightful)
It is a perfectly obvious solution, but it is also apparent that you need storage inside the controller and a fast crypto engine inside the controller, which is a costly thing to design and make. So they replaced the AES crypto engine with a simple XOR scrambler which "encrypts" and "decrypts" every block with the same block length key. At that point it doesn't matter if they got the fingerprint reader, the storage and the comparison right.
You're not getting th idea behind the hack. (Score:3, Insightful)
Those sticks are flawed not because the fingerprint sensor sucks, but because the authentication is made on the computer.
If I got it right, those sticks should work like this
The fact that the stick uses biometrics is irrelevant. With a design like that, it would have been vulnerable even if it had PIN, RSA keys or black magic. You can just bypass the security mechanism by sending the unlock command.
Essentialy, it has the same flaw as the secustik we saw last year.
Re:Fingerprint scanners suck. (Score:2, Insightful)
The problem with these particular devices isn't in the fingerprint sensors but with the way the security system was setup on the USB chip. The attacks shown used in the article don't have anything to do with the fingerprint sensors. Heise did a similar review of similarly flawed "fingerprint protected" hard drives recently. I think I saw that link from Bruce Schnier's site originally.
This is not to say that fingerprint sensors are perfect. However, creating a spoof for a good fingerprint sensor requires more time and skill than creating a duplicate key for a traditional lock, for example. The sensor mentioned breathing on was probably a sensor that is a few generations old when the technology for just getting an image was not yet mature. They hadn't yet begun to deal with spoofs. You'll find the sensors included on modern laptops, for example, to be much better devices.
Fingerprint sensors are tradeoffs between security and convinience. I keep a password vault protected by a fingerprint sensor. In it, I have a different randomly generated password (using as the maximum number of characters chosen from the widest range of characters allowed by the account) for each website, computer, program that I use. If I was a more capable human being, I would simply remember those passwords for the best security available (at least via passwords). If I wasn't using the password vault, I would certainly have fewer and less complex passwords, and I would the passwords less frequently.
So, in this case. Mock the engineers that designed these storage devices. They failed to design their devices properly. What's sad is that these sensors look to be fairly modern, and someone could probably design a storage device with fairly good security around them.