Security Data Storage Media

Fingerprint-Protected USB Sticks Cracked 166

juct writes "Manufacturers of USB sticks and cards with fingerprint readers promise us that their data safes can only be opened with the right fingerprint. In their tests, heise Security found that it is easy to bypass the authentication and get access to the protected data. This works by sending a single USB command, using the open source tool PLscsi, that changes the accessible partition. They found the vulnerability in several USB sticks that use the same chipset. The article concludes: 'The fingerprint sensors in the products mentioned above apparently only serve one purpose: they mislead interested buyers. They do not provide any significant level of protection. We can only recommend that these products not be purchased.'"
  • Re:LOLOL pwned! (Score:4, Insightful)

    by Briareos ( 21163 ) * on Friday March 14, 2008 @11:54AM (#22751746)

    Thanks once again, Slashdot, for making it possible for me to project the impression that I'm doing my job. ^_^
    Shouldn't you be thanking Heise instead?

    Just saying...

    np: Pole - Achterbahn (Shackleton Remix) (Steingarten Remixes)

  • Re:Misleading? (Score:4, Insightful)

    by esocid ( 946821 ) on Friday March 14, 2008 @12:04PM (#22751878) Journal
    But it is misleading. It offers a technology that, to the viewer, is designed to protect the content on the memory. It does nothing of the sort. It gives the facade of a deadbolted door, with a window around back that is just left open. You say it's quicker than inputting a password? I doubt people are really in that much of a hurry that 2 seconds is such a waste of time. If anything it would serve as not needing to remember a password, or multiple passwords. But I'm still wary of anything that will require any sort of biometric information of mine for me to access.
  • by l2718 ( 514756 ) on Friday March 14, 2008 @12:09PM (#22751930)

    Isn't that like using a deadbolt lock AND the little clasp on the screen door? Yes, the clasp is a "lock" just like the fingerprint scanner, but it isn't really the "secure" part of the solution.
    This is completely unlike that. This is more like replacing a physical key with a keycard. Still same lock technology, just different way to open the lock. If the data is stored on the USB stick in the clear, with the fingerprint only used through an authentication mechanism, then reading the memory directly can get the data (say by physically taking the memory chips out of the stick and putting them in another stick). You don't need to know the fingerprint. On the other hand, if you use the fingerprint as an encryption key for the data, it does help. It means that an attacker has to know the fingerprint. The fingerprint reader saves you the bother of memorizing the encryption key.
  • by rueger ( 210566 ) on Friday March 14, 2008 @12:41PM (#22752258) Homepage
    Having spent too many hours dealing with increasingly bizarre authentication schemes at various web sites, [community-media.com] and more hours reading about each new form of high tech security wizardry, I've come to conclude that an awful lot of companies are ignoring the obvious - that the only really secure way to protect data is to prevent physical access to it.

    As long as someone can get access to the container, they can find a way in.

    Obviously we're balancing convenience with security, but when some employee takes your whole customer database off-site on his laptop your problem is not encryption, it's keeping that data in a controlled environment.
  • by Lumpy ( 12016 ) on Friday March 14, 2008 @12:58PM (#22752452) Homepage
    One of my favorite login security systems I have used was when I had to access a secure system back in the early 90's. One of the login validations was the date and time you last logged in.

    Username:
    Password:
    Last login date:
    Last Login time:
    Today's PIN:

    Worked good but kept a LOT of people out as they could never remember when they last logged in. I was one of few that never called the help desk as I simply scheduled my login times to be the same each day.
    Today's pin was not so safe as it was written on the whiteboard in the security office.
  • Re:bad security (Score:3, Insightful)

    by Idaho ( 12907 ) on Friday March 14, 2008 @01:05PM (#22752524)

    Well there's your problem. Who in their right mind designed these? No encryption either. Or maybe it was their plan all along...No, I'd go with just stupidity.


    Stupidity of the gullible people buying this, that is.

    The guys who designed this (and, more importantly, marketed it) are certainly not stupid - they are essentially selling low-grade USB sticks at probably a 10x markup, at the cost of having a couple programmers write a Windows-only driver that makes it look like there is a security layer. I wouldn't call this stupid (although certainly ethically questionable, but that's a different matter)
  • Someone already submitted this article [slashdot.org] under a different headline. It was rejected. Apparently we care about it now, though I'm not sure why. Even linked to the same article, and sent in by the same person, with a different description.

    I guess now I know what to do if the stories I submit don't make it...
  • by Belial6 ( 794905 ) on Friday March 14, 2008 @01:40PM (#22752862)
    My biggest problem with finger print locks is that they use only my finger to open them, and I don't want someone using my finger to open a lock when I'm not there. A good rule of thumb is that you should never lock anything with a finger print that is more valuable to a thief than your finger is to you, or that is harder to crack than cutting off your fingers.

    This is why I don't ever want a car with fingerprint locks. Pretty much the same for laptops. I am going to put a fingerprint reader on my pool gate though, as it will be easier for someone to just kick the gate open, or jump the gate than it is for them to mug me and take my fingers.
  • by EmbeddedJanitor ( 597831 ) on Friday March 14, 2008 @01:45PM (#22752922)
    Low-level protection is fine, so long as you know it is low level. Low level protection is fine for stopping the casual snooper.

    Around the world there are millions of low-level padlocks etc that will stop most petty thieves but will not deter serious thieves. Most houses have pickable locks that anyone could learn to pick, but yet most locks still serve their purpose.

    The only real issue is if people buy these devices and think they're getting Fort Knox level security and essentially use a two-dollar padlock to secure a bank.

  • by flyingsquid ( 813711 ) on Friday March 14, 2008 @02:25PM (#22753362)
    That said, quite a few people use stupid passwords. My own for /. is itself moderately secure, but I've used it for many different websites I don't really worry about too much. That weakens it a bit.

    Adding a few numbers or characters should buy you a fair amount of security, for instance, "DrPepper!!!" or "DrPepper732" should be harder to guess than "DrPepper". The problem is that you can go too far. You could require, for instance, that passwords be at least 12 characters long and contain at least one uppercase letter, one lowercase letter, one number, and one non-alphanumeric symbol, e.g. "DrPepper732!?". The problem is that you've got multiple passwords- one for work, one for Amazon.com, one for online banking, one for /., etc. etc. so it becomes virtually impossible to remember the damn things. Now what? People have to start writing them down, and posting them next to the machine. A huge part of the security of passwords comes from the fact that it's not physically written down; as soon as you have to record it instead of keeping it in your memory, your overall level of security is going down, even if the password is getting harder to crack.

  • Exactly. Password security is not simply dependent on how many and what type of characters are used, but also on what the person using the password does with it. Even the most secure password could be easily determined if the user tried to use it to register on a non-legitimate site. It really depends on the user, as well as the password. A semi-weak password used by a security conscious person is far better at protecting something than an extremely strong password used by someone who doesn't know, or care, about security.
  • by Anonymous Coward on Friday March 14, 2008 @05:47PM (#22755182)
    The way these things should work is: Scan the print, extract the recognizable information and store that information in the controller, where it can not be read from the outside. The part of the controller which stores the print data then compares new scans to the data of the authorized prints and only returns the ID number for the matching print, but no print data, (just like a proper smart card generates private/public key pairs on the chip and only ever makes the public key available, while the private key is only used internally for encryption/decryption.) Then the memory controller uses AES and the (internally generated) key with that ID number to encrypt/decrypt the data which is written to or read from the memory chip.

    It is a perfectly obvious solution, but it is also apparent that you need storage inside the controller and a fast crypto engine inside the controller, which is a costly thing to design and make. So they replaced the AES crypto engine with a simple XOR scrambler which "encrypts" and "decrypts" every block with the same block length key. At that point it doesn't matter if they got the fingerprint reader, the storage and the comparison right.
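The fixed-key XOR scheme this comment describes can be checked on a raw image, shown here as an added example that is not part of the original post: blocks that repeat in storage mean the same key was applied to the same plaintext, and for unused (zero-filled) space the stored block is the key itself. The block size, key and sample data are constructed, and all names are hypothetical.

```python
from collections import Counter

BLOCK = 16  # toy block size (assumption); a real controller would use sector-sized blocks


def xor_block(block, key):
    return bytes(b ^ k for b, k in zip(block, key))


def split(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def scramble(data, key):
    """Fixed-key XOR applied to every block independently; it is its own inverse."""
    return b"".join(xor_block(block, key) for block in split(data))


def most_repeated_block(stored):
    """Return the stored block that occurs most often and how often it occurs."""
    return Counter(split(stored)).most_common(1)[0]


# Constructed sample: two blocks of content surrounded by empty, zero-filled space.
KEY = bytes(range(0x40, 0x40 + BLOCK))
PLAINTEXT = (b"customer-list-01" + bytes(BLOCK) * 5 +
             b"quarterly-report" + bytes(BLOCK) * 2)
STORED = scramble(PLAINTEXT, KEY)


def evaluate():
    """Reviewer's check: does the most repeated stored block act as the key?"""
    candidate, count = most_repeated_block(STORED)
    return candidate, count, scramble(STORED, candidate)
```

A block cipher used in a mode with a per-block tweak or IV does not produce these repeats, which is what the controller design in the first paragraph of the comment would give.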
  • by Ernesto Alvarez ( 750678 ) on Friday March 14, 2008 @06:54PM (#22755644) Homepage Journal
    I've been seeing lots of posts criticizing fingerprint authentication and how it is easily cracked, etc. You should (re)read TFA, because you're not getting the idea.

    Those sticks are flawed not because the fingerprint sensor sucks, but because the authentication is made on the computer.

    If I got it right, those sticks should work like this

    1. You plug the stick
    2. You put your finger on the sensor
    3. The sensor reads your print and sends its data to the computer
    4. The windows driver takes the data and decides whether it should give you access or not
    5. If the print matches, IT SENDS WHAT IN ESSENCE IS AN UNLOCK COMMAND TO THE STICK
    6. You access the private partition


    The fact that the stick uses biometrics is irrelevant. With a design like that, it would have been vulnerable even if it had PIN, RSA keys or black magic. You can just bypass the security mechanism by sending the unlock command.

    Essentially, it has the same flaw as the secustik we saw last year.
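A toy model of the six-step flow in the comment above, next to a design where the stick makes the decision itself (an added example, not part of the original post and not any vendor's code). The class and function names are hypothetical, and the exact-digest comparison is only a stand-in for a real fingerprint matcher.

```python
import hashlib
import hmac
import os


class HostAuthStick:
    """Flow from the comment: the PC driver matches the print, then tells the stick to unlock."""

    def __init__(self, private_data):
        self.private_data = private_data
        self.unlocked = False

    def unlock(self):
        # Step 5: the stick cannot tell whether a fingerprint match preceded this command.
        self.unlocked = True

    def read_private(self):
        if not self.unlocked:
            raise PermissionError("private partition locked")
        return self.private_data


class DeviceAuthStick:
    """Alternative: the stick keeps the enrolled template and makes the decision itself."""

    def __init__(self, private_data, enrolled_scan):
        self.private_data = private_data
        self.salt = os.urandom(16)
        # Stand-in for a real matcher: real prints need fuzzy matching, not an exact digest.
        self.template = self.digest(enrolled_scan)
        self.unlocked = False

    def digest(self, scan):
        return hmac.new(self.salt, scan, hashlib.sha256).digest()

    def present_finger(self, scan):
        self.unlocked = hmac.compare_digest(self.digest(scan), self.template)
        return self.unlocked

    def read_private(self):
        if not self.unlocked:
            raise PermissionError("private partition locked")
        return self.private_data


def host_without_match(stick):
    """Design-review check: what does a host that never matched a print get back?"""
    if hasattr(stick, "unlock"):
        stick.unlock()  # any host-issued unlock is accepted as-is
    try:
        return stick.read_private()
    except PermissionError:
        return None
```

The second class has no host-callable unlock at all, so the only path to the private data runs through a comparison the host cannot skip.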
  • by ngc3242 ( 1039950 ) on Friday March 14, 2008 @08:04PM (#22756250)
    Disclaimer: I work for a major fingerprint sensor manufacturer.

    The problem with these particular devices isn't in the fingerprint sensors but with the way the security system was set up on the USB chip. The attacks shown in the article don't have anything to do with the fingerprint sensors. Heise did a similar review of similarly flawed "fingerprint protected" hard drives recently. I think I saw that link from Bruce Schneier's site originally.

    This is not to say that fingerprint sensors are perfect. However, creating a spoof for a good fingerprint sensor requires more time and skill than creating a duplicate key for a traditional lock, for example. The sensor mentioned breathing on was probably a sensor that is a few generations old when the technology for just getting an image was not yet mature. They hadn't yet begun to deal with spoofs. You'll find the sensors included on modern laptops, for example, to be much better devices.

    Fingerprint sensors are tradeoffs between security and convenience. I keep a password vault protected by a fingerprint sensor. In it, I have a different randomly generated password (using as the maximum number of characters chosen from the widest range of characters allowed by the account) for each website, computer, program that I use. If I was a more capable human being, I would simply remember those passwords for the best security available (at least via passwords). If I wasn't using the password vault, I would certainly have fewer and less complex passwords, and I would the passwords less frequently.

    So, in this case. Mock the engineers that designed these storage devices. They failed to design their devices properly. What's sad is that these sensors look to be fairly modern, and someone could probably design a storage device with fairly good security around them.
