Fingerprint-Protected USB Sticks Cracked
juct writes "Manufacturers of USB sticks and cards with fingerprint readers promise us that their data safes can only be opened with the right fingerprint. In their tests, heise Security found that it is easy to bypass the authentication and get access to the protected data. This works by sending a single USB command, using the open source tool PLscsi, that changes the accessible partition. They found the vulnerability in several USB sticks that use the same chipset. The article concludes: 'The fingerprint sensors in the products mentioned above apparently only serve one purpose: they mislead interested buyers. They do not provide any significant level of protection. We can only recommend that these products not be purchased.'"
Fingerprint scanners suck. (Score:5, Interesting)
Now I had garlic pizza for lunch, so there is more than one reason that would have worked, but the fact that it did work was more than enough to convince me of the worthlessness of the tech. They had a Mythbusters episode a while back where they were fooling fingerprint readers with xeroxes and rubber casts; again, a huge glaring flaw.
At this point, security is still about passwords. I haven't seen any consumer grade biometric I'd trust with my MySpace profile (if I ever make one), much less anything sensitive.
Damned With Faint Praise? (Score:5, Interesting)
You seldom get such unflinching prose in a review.
LOLOL pwned! (Score:4, Interesting)
Thanks once again, Slashdot, for making it possible for me to project the impression that I'm doing my job. ^_^
Re:Mythbusters (Score:3, Interesting)
Not that they didn't take both of them down easily, using low tech methods.
More snake oil security (Score:5, Interesting)
Here [tweakers.net] is an article by a Dutch website (the article is in English though) that does a thorough job (technical details included) of debunking a similar product.
Meanwhile, the scary thing is that government and military organizations are reported to have been actually using such products...
Re:Fingerprint scanners suck. (Score:3, Interesting)
The scanners are still foolable. They did it on Mythbusters without much trouble... I think they lifted a print, photoshopped it to make it look "cleaner", printed it out, licked the paper, and ran it over the scanner.
Passwords are much more secure at this point. No one is going to steal your password off an old soda bottle.
Re:Physical layer (Score:3, Interesting)
The only problem is that they do not work.
There is a big market for physical security. It needs companies that will exploit it without snake oil. I like the idea of a multi-layer encryption / pass phrase / physical lock / self-destruct / whatever combination etc. idea on USB sticks and laptops etc. and I expect that products that cater to that need will grow. Unfortunately products that fail to live up to consumer demands will also continue to grow. It's a young industry.
Biometrics is even younger, and right now I don't trust any kind of biometric security mechanism.
Re:Fingerprint scanners suck. (Score:3, Interesting)
Just check the Wikipedia article, http://en.wikipedia.org/wiki/Dr._Pepper#Name_formatting [wikipedia.org], or look at one of your many cases of Dr Pepper if you don't believe me.
That said, quite a few people use stupid passwords. My own for
They're the exact same as most security measures. They make you feel secure while providing only limited Actual Security. A fingerprint scanner on my media would be sufficient to slow down any random person who tries to see what I've got on my HDD. That might be enough for me. Is anyone using a thumbprint scanner as the only security measure on stuff they really truly definitely do want kept private and secure?
Re:Hardware-based security is often vulnerable (Score:5, Interesting)
Granted, it helps that I made my way through college modding VideoCipher II boards back in the 80's, so epoxy potting removal is incredibly easy to me.
The ONLY way to make these toys secure is custom chipsets. Power up the chipset and then only decrypt the contents of the flash after the 12 digit key was entered on the little pin pad. But nobody is going to make that.
Re:Physical layer (Score:3, Interesting)
If the encryption you are using is so poor that the loss of your USB stick means you consider the data to be compromised, why bother encrypting at all?!!!
Oh no! Not fingerprint "security" (Score:5, Interesting)
Obligatory links:
http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/ [theregister.co.uk]
http://www.schneier.com/crypto-gram-9808.html#biometrics [schneier.com]
It's important to understand that your fingerprints aren't secrets. You put them on thousands of objects every day. You can't create any security based on fingerprints unless you can assure that the reading device isn't tampered with. By placing a guard (a person) there or something.
Re:Physical layer (Score:3, Interesting)
So your security is dependent on them hiding the hash to the rest of the data. Security is only as strong as its weakest point.
Another misuse of biometrics (Score:3, Interesting)
Most of the time, a username/password is a perfectly good access-control method. In some cases (either high-security environments or connections over hostile space), a second authentication method is advised. Now we have a two-factor authentication. Typical example is "log onto the firewall to allow you to log onto a machine inside the firewall." SecureID cards and the like also work as a good second-factor method.
A biometric challenge is arguably an acceptable second-factor when added to a username/password system. It is NOT a substitute for such a system.
However, biometrics are HARD to do correctly! Cheap scanners suck and are generally insecure by design. Expensive scanners suck, but are generally designed better. None are foolproof, yet.
Also, biometric authentication carries a risk. If your username and password are stolen, then you can change your password and stop the damage. If your biometric ID (retinal scan, fingerprint, etc.) is successfully 'stolen,' then you have lost your authentication ability for all time! If your fingerprint is compromised, you can NEVER USE it as an authentication method again! There ain't no resetting fingerprints!
So we have a large expense for an imperfect system with exactly one possible compromise per user per lifetime. This isn't a primary ID method. It's not a good second-factor ID method either. In EXTREME security environments, it might make sense as a third-factor authorization system, along with username/password and a (pseudo-) one-time pad (i.e. SecureID).
If you don't NEED that type of security, then DON'T USE YOUR BIOMETRIC DATA! One compromise, and it's useless. Forever. Period.
Oh yeah, but I forget the most important part: Fingerprint scanners are shiny and cool, just like in the movies. Bah.
Re:Fingerprint scanners suck. (Score:2, Interesting)
Even scarier, in my view, was that they later skipped the last step altogether. They took the printed paper as is, moistened it, and opened the door. No need for rubber film (except if you want to look cool in the movies).
And this was the high security door lock. The laptop fingerprint reader was even easier to bypass.
This USB drive sounds just like it was designed to tap into the market of unsophisticated people worried about security; dirt cheap to build and sold for a high enough price that it feels professional.