Fingerprint-Protected USB Sticks Cracked

juct writes "Manufacturers of USB sticks and cards with fingerprint readers promise us that their data safes can only be opened with the right fingerprint. In their tests, heise Security found that it is easy to bypass the authentication and get access to the protected data. This works by sending a single USB command, using the open source tool PLscsi, that changes the accessible partition. They found the vulnerability in several USB sticks that use the same chipset. The article concludes: 'The fingerprint sensors in the products mentioned above apparently only serve one purpose: they mislead interested buyers. They do not provide any significant level of protection. We can only recommend that these products not be purchased.'"

Fingerprint scanners suck.

[SatanicPuppy]

I've never seen a fingerprint system that was worth a damn...I was doing consulting at a company a few years back that had the "pad style" thumb readers (rather than the little scanners that are more popular now), and I "hacked" one of them for the company director by taking a deep breath and breathing on it. Warm breath condenses on the previous fingerprint and heats up the temperature sensor, and voila.

Now I had garlic pizza for lunch, so there is more than one reason that would have worked, but the fact that it did work was more than enough to convince me of the worthlessness of the tech. They had a Mythbusters episode a while back where they were fooling fingerprint readers with xeroxes and rubber casts; again, a huge glaring flaw.

At this point, security is still about passwords. I haven't seen any consumer grade biometric I'd trust with my MySpace profile (if I ever make one), more less anything sensitive.

Damned With Faint Praise?

[Jeremiah Cornelius]

"They do not provide any significant level of protection. We can only recommend that these products not be purchased."

You seldom get such unflinching prose in a review.

LOLOL pwned!

[TripMaster Monkey]

And my boss has been pushing to get these deployed at our company, for the sake of security. I'm sending him this article right now.

Thanks once again, Slashdot, for making it possible for me to project the impression that I'm doing my job. ^_^

Re:Mythbusters

[SatanicPuppy]

Yep. The thing that I thought was most interesting was that the laptop scanner was harder to fool than the big sexy security door scanner.

Not that they didn't take both of them down easily, using low tech methods.

More snake oil security

[Idaho]

This is not the first USB-stick sold for a high price (typically 10 times the price of a normal USB stick of the same size) that doesn't actually add any security whatsoever.

Here [tweakers.net] is an article by a dutch website (the article is in english though) that does a thorough job (technical details included) of debunking a similar product.

Meanwhile, the scary thing is that government and military organizations are reported to have been actually using such products...

Re:Fingerprint scanners suck.

[SatanicPuppy]

Depends on whether you left a print on the hard drive when you installed it. =P

The scanners are still foolable. They did it on mythbusters without much trouble...I think they lifted a print, photoshopped it to make it look "cleaner", printed it out, licked the paper, and ran it over the scanner.

Passwords are much more secure at this point. No one is going to steal your password off an old soda bottle.

Re:Fingerprint scanners suck.

[tepples]

On the other hand, if you use the fingerprint as an encryption key for the data, it does help. It means that an attacker has to know the fingerprint.

I assume that you're talking about treating a hash of a fingerprint scan as an encryption key. But no two scans of one fingerprint are identical pixel for pixel. If you scan one thumb ten times, you get ten different hashes. Therefore, software that compares fingerprints must use some sort of fuzzy matching. What algorithm would you suggest using to turn 100 different scans of the same thumb into the same key every time?

Re:Physical layer

[garett_spencley]

I agree 100%. However, the whole point of these devices is to protect your data in case it is lost / stolen.

The only problem is that they do not work.

There is a big market for physical security. It needs companies that will exploit it without snake oil. I like the idea of a multi-layer encryption / pass phrase / physical lock / self-destruct / whatever combination etc. idea on USB sticks and laptops etc. and I expect that products that cater to that need will grow. Unfortunately products that fail to live up to consumer demands will also continue to grow. It's a young industry.

Biometrics is even younger, and right now I don't trust any kind of biometric security mechanism.

Re:Fingerprint scanners suck.

[Kandenshi]

If you really were a Dr Pepper fan, you'd know that there is no period/fullstop in the name. :P

Just check the wikipedia article, http://en.wikipedia.org/wiki/Dr._Pepper#Name_formatting [wikipedia.org], or look at one of your many cases of Dr Pepper if you don't believe me.

That said, quite a few people use stupid passwords. My own for /. is itself moderately secure, but I've used it for many different websites I don't really worry about too much. That weakens it a bit. Someone, somewhere, probably DOES have DrPepper as a password. There are worse things I suppose, but I'm hardly shocked to hear that fingerprint scanners have yet more flaws in them.

They're the exact same as most security measures. They make you feel secure while providing only limited Actual Security. A fingerprint scanner on my media would be sufficient to slow down any random person who tries to see what I've got on my HDD. That might be enough for me. Is anyone using a thumbprint scanner as the only security measure on stuff they really truly definitely do want kept private and secure? :\ Seems improbable.

Re:Hardware-based security is often vulnerable

[Lumpy]

Exactly. I saw a "secure" version of that. that potted the whole device in epoxy. I returned the unit to the salesman with all the epoxy removed and a CD of the contents of the drive and said. "I would not trust that for any security."

Granted It helps I made my way through college modding VideoCipher II boards back in the 80's so epoxy potting removal is incredibly easy to me.

The ONLY way to make these toys secure is custom chipsets. power up chipset and then only decrypt the contents of the flash after the 12 digit key was entered on the little pin pad. But nobody is going to make that.

Re:Physical layer

[mattpalmer1086]

No, sorry, that's just wrong. If the data is properly encrypted with a decent cipher using a key with sufficient entropy, you should assume it has not been compromised.

If the encryption you are using is so poor that the loss of your USB stick means you consider the data to be compromised, why bother encrypting at all?!!!

Re:Fingerprint scanners suck.

[sqldr]

Glad you were able to hack it. I had problems with fingerprint readers for exactly the opposite reason. I could never get into the data centre. Each time, I would have my print rescanned, and it would work for about 5 minutes, until the following week, possibly due to the fact that I was destroying my fingers with regular guitar playing at the time, it couldn't recognise me.

Oh no! Not fingerprint "security"

[pesc]

When will fingerprint "security" die?

Obligatory links:

http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/ [theregister.co.uk]
http://www.schneier.com/crypto-gram-9808.html#biometrics [schneier.com]

It's important to understand that your fingerprints aren't secrets. You put them on thousands of objects every day. You can't create any security based on fingerprints unless you can assure that the reading device isn't tampered with. By placing a guard (a person) there or something.

Re:Physical layer

[Tony Hoyle]

Your print never reads the same twice (fingerprints are a poor biometric for this reason - you can only really guess within a certain probability that it's the right one), so to do what you're suggesting you'd have to store the hash on the device.

So your security is dependent on them hiding the hash to the rest of the data. Security is only as strong as its weakest point.

Another misuse of biometrics

[swordgeek]

Biometrics has its place. This isn't it.

Most of the time, a username/password is a perfectly good access-control method. In some cases (either high-security environments or connections over hostile space), a second authentication method is advised. Now we have a two-factor authentication. Typical example is "log onto the firewall to allow you to log onto a machine inside the firewall." SecureID cards and the like also work as a good second-factor method.

A biometric challenge is arguably an acceptable second-factor when added to a username/password system. It is NOT a substitute for such a system.

However, biometrics are HARD to do correctly! Cheap scanners suck and are generally insecure by design. Expensive scanners suck, but are generally designed better. None are foolproof, yet.

Also, biometric authentication carries a risk. If your username and password are stolen, then you can change your password and stop the damage. If your biometric ID (retinal scan, fingerprint, etc.) are successfully 'stolen,' then you have lost your authentication ability for all time! If your fingerprint is compromised, you can NEVER USE it as an authentication method again! There ain't no resetting fingerprints!

So we have a large expense for an imperfect system with exactly one possible compromise per user per lifetime. This isn't a primary ID method. It's not a good second-factor ID method either. In EXTREME security environments, it might make sense as a third-factor authorization system, along with username/password and a (pseudo-) one-time pad (i.e. SecureID).

If you don't NEED that type of security, then DON'T USE YOUR BIOMETRIC DATA! One compromise, and it's useless. Forever. Period.

Oh yeah, but I forget the most important part: Fingerprint scanners are shiny and cool, just like in the movies. Bah.

Re:Watch a Sci-fi movie!

[Anonymous Coward]

Bulletproof revolving doors just big enough for one person that need a body scan to turn!

Re:Fingerprint scanners suck.

[dbrez8]

mpapet is correct. I work on the development team of a company that manufactures Biometric USB drives. there are many many low-end drives on the market that, as this article states, are not secure at all. You can use the attack they speak of or attack the flash chip directly in most cases. There are a few quality products on the market, including our own, that do use strong security principals to make sure attacks like these are not possible. To say that these issues effect all biometric USB devices, and that they should not be used, is simply false.

Re:Fingerprint scanners suck.

[Loconut1389]

The way I understood it's supposed to happen is to track the whorls and whatnot as points. It's supposed to be more than a simple image comparison. I thought good biometrics software mapped out a set of relevant points and kept those as a hash to store on your smart-card or whatever so that you can't recreate the print.

Re:Fingerprint scanners suck.

[AncientPC]

Malaysia car thieves steal finger [bbc.co.uk]

Re:Fingerprint scanners suck.

[Darinbob]

The scary thing about the Mythbuster's attempt at this, is that it was so easy. The grabbed a fingerprint from a glass, scanned it into a computer, touched it up a bit graphically, then printed it out on paper. They used that paper to create a rubber film with ridges, a little moisture was applied (the door measures skin conductivity as an added "security" measure), and voila.

Even scarier, in my view, was that they later skipped the last step altogether. They took the printed paper as is, moistened it, and opened the door. No need for rubber film (except if you want to look cool in the movies).

And this was the high security door lock. The laptop fingerprint reader was even easier to bypass.

This USB drive sound just like it was designed to tap into the market of unsophisticated people worried about security; dirt cheap to build and sold for high enough price that it feels professional.