Fingerprint-Protected USB Sticks Cracked

juct writes "Manufacturers of USB sticks and cards with fingerprint readers promise us that their data safes can only be opened with the right fingerprint. In their tests, heise Security found that it is easy to bypass the authentication and get access to the protected data. This works by sending a single USB command, using the open source tool PLscsi, that changes the accessible partition. They found the vulnerability in several USB sticks that use the same chipset. The article concludes: 'The fingerprint sensors in the products mentioned above apparently only serve one purpose: they mislead interested buyers. They do not provide any significant level of protection. We can only recommend that these products not be purchased.'"

Fingerprint scanners suck.

[SatanicPuppy]

I've never seen a fingerprint system that was worth a damn...I was doing consulting at a company a few years back that had the "pad style" thumb readers (rather than the little scanners that are more popular now), and I "hacked" one of them for the company director by taking a deep breath and breathing on it. Warm breath condenses on the previous fingerprint and heats up the temperature sensor, and voila.

Now I had garlic pizza for lunch, so there is more than one reason that would have worked, but the fact that it did work was more than enough to convince me of the worthlessness of the tech. They had a Mythbusters episode a while back where they were fooling fingerprint readers with xeroxes and rubber casts; again, a huge glaring flaw.

At this point, security is still about passwords. I haven't seen any consumer grade biometric I'd trust with my MySpace profile (if I ever make one), more less anything sensitive.

Re:

[Brian Gordon]

That's exactly why those slider scanners are so popular nowadays. I also am dubious about the technology because I don't understand it as well as such a simple and effective scheme as a password, but if you lock down your data with volume encryption and encrypt it with your fingerprint data on a TPM then I can't think of any way your data could be recovered from a stolen hard drive.

Re:

[Pharmboy]

but if you lock down your data with volume encryption and encrypt it with your fingerprint data

Isn't that like using a deadbolt lock AND the little clasp on the screen door? Yes, the clasp is a "lock" just like the fingerprint scanner, but it isn't really the "secure" part of the solution.

Re:Fingerprint scanners suck.

[l2718]

Isn't that like using a deadbolt lock AND the little clasp on the screen door? Yes, the clasp is a "lock" just like the fingerprint scanner, but it isn't really the "secure" part of the solution.

This is completely unlike that. This is more like replacing a physical key with a keycard. Still same lock technology, just different way to open the lock. If the data is stored on the USB stick in the clear, with the fingerprint only used through an authentication mechanism, then reading the memory directly can get the data (say by physically taking the memory chips out of the stick and putting them in another stick). You don't need to know the fingerprint. On the other hand, if you use the fingerprint as an encryption key for the data, it does help. It means that an attacker has to know the fingerprint. The fingerprint reader saves you the bother of memorizing the encryption key.

Re:Fingerprint scanners suck.

[tepples]

On the other hand, if you use the fingerprint as an encryption key for the data, it does help. It means that an attacker has to know the fingerprint.

I assume that you're talking about treating a hash of a fingerprint scan as an encryption key. But no two scans of one fingerprint are identical pixel for pixel. If you scan one thumb ten times, you get ten different hashes. Therefore, software that compares fingerprints must use some sort of fuzzy matching. What algorithm would you suggest using to turn 100 different scans of the same thumb into the same key every time?

Re:

[l2718]

Here's one idea: store the low-order bits of the fingerprint on the card, in plain text, and get the high-order bits from the scanner. More technically, use error-correction ideas: store some information on the card such that, given a fuzzy fingerprint allows you to correct errors in it, but that by itself doesn't give the fingerprint. Your question should be phrased as follows: "how many bits on information can be reliably recovered from a fingerprint?". I'm sure the answer is positive; but I agree it's

Re:

[njh]

"how many bits of information can be reliably recovered from a fingerprint?". I'm sure the answer is positive;

I'm certain it's not negative :)

Re:

[Loconut1389]

The way I understood it's supposed to happen is to track the whorls and whatnot as points. It's supposed to be more than a simple image comparison. I thought good biometrics software mapped out a set of relevant points and kept those as a hash to store on your smart-card or whatever so that you can't recreate the print.

Re:Fingerprint scanners suck.

[u8i9o0]

But no two scans of one fingerprint are identical pixel for pixel. If you scan one thumb ten times, you get ten different hashes.

Then that's not the way it should be done. For one thing, while the angle of the print may change, the relative size will not.

I think you can create fingerprints based off of a formula. All you need is to supply a set of variable coefficients. The hash would be that set of coefficients for your formula.

It's been a very long time since I had studied fingerprints, and that was rather cursory.

From what I know, every print has at least one point. The alternative is that some prints have ridges going straight across, which doesn't sound right to me.

- Focus on the most prominent one or the one ranked highest in priority.
- Measure the distances between unique points and their angles relative to each other.
- A left loop will always be a left loop no matter the rotation, and has an apex.
- Same with a tented arch, except it will also have a triangular shape.
- A whorl has two epicenters of a given distance.

I never worked in the field, but the above plan seems obvious to me. I also don't have a large sample set to help refine that formula - maybe having two whorls or two similar loops or some other combo never happens.

With any authentication, the important thing is that it be easy to produce the key and make it very hard to fake it. Therefore, the biggest problem with fingerprint authentication is that the user keeps leaving their key everywhere they touch. It's like mentioning your passwords in plaintext within every conversation you have. One solution may be to use toeprints instead.

Re:

[a whoabot]

I've received a number of troll mods lately for posts that were just, you know, like this post or any simple post I would make. There seems to be a group of mods who are going around just messing with stuff.

Re:

[jimicus]

What algorithm would you suggest using to turn 100 different scans of the same thumb into the same key every time?

My C is a little rusty, so I apologise for any syntax errors.

char *fingerprint_hash(char *fingerprint_scan)
{
// Guarantee that any two scans of the same finger always result in the same hash.
// The argument is a block of memory containing the scanned fingerprint image.
// Returns a pointer to the hash, or NULL if the function fails.
return (char *)calloc(sizeof(char), 1);
}

Re:

[SanityInAnarchy]

Or you could store the fingerprint on the key, but actually have the key refuse to spill its guts without the finger. I think that's what this key was claiming to do.

Encryption would be nice, too, but if it's going to be entirely based on biometrics, it's not going to be secure to hardware hacks. It should at least be possible to stop this fully automatic, software-based attack that it suffers from right now, though.

Re:

[SatanicPuppy]

Depends on whether you left a print on the hard drive when you installed it. =P

The scanners are still foolable. They did it on mythbusters without much trouble...I think they lifted a print, photoshopped it to make it look "cleaner", printed it out, licked the paper, and ran it over the scanner.

Passwords are much more secure at this point. No one is going to steal your password off an old soda bottle.

Re:Fingerprint scanners suck.

[MyLongNickName]

Passwords are much more secure at this point. No one is going to steal your password off an old soda bottle.

My password is "Dr. Pepper" you insensitive clod!

Re:

[Kandenshi]

If you really were a Dr Pepper fan, you'd know that there is no period/fullstop in the name. :P

Just check the wikipedia article, http://en.wikipedia.org/wiki/Dr._Pepper#Name_formatting [wikipedia.org], or look at one of your many cases of Dr Pepper if you don't believe me.

That said, quite a few people use stupid passwords. My own for /. is itself moderately secure, but I've used it for many different websites I don't really worry about too much. That weakens it a bit. Someone, somewhere, probably DOES have DrPeppe

You haven't seen some password policies

[Moraelin]

Eh, the poor guy probably just had to put up with some password policy that says he has to have at least one non-letter character in the password.

Re:Fingerprint scanners suck.

[flyingsquid]

That said, quite a few people use stupid passwords. My own for /. is itself moderately secure, but I've used it for many different websites I don't really worry about too much. That weakens it a bit.

Adding a few numbers or characters should buy you a fair amount of security, for instance, "DrPepper!!!" or "DrPepper732" should be harder to guess than "DrPepper". The problem is that you can go too far. You could require, for instance, that passwords be at least 12 characters long and contain at least one uppercase letter, one lowercase letter, one number, and one non-alphanumeric symbol, e.g. "DrPepper732!?". The problem is that you've got multiple passwords- one for work, one for Amazon.com, one for online banking, one for /., etc. etc. so it becomes virtually impossible to remember the damn things. Now what? People have to start writing them down, and posting them next to the machine. A huge part of the security of passwords comes from the fact that it's not physically written down; as soon as you have to record it instead of keeping it in your memory, your overall level of security is going down, even if the password is getting harder to crack.

Re:

[Jarjarthejedi]

Exactly. Password security is not simply dependent on how many and what type of characters are used, but also on what the person using the password does with it. Even the most secure password could be easily determined if the user tried to use it to register on a non-legitimate site. It really depends on the user, as well as the password. A semi-weak password used by a security conscious person is far better at protecting something than an extremely strong password used by someone who doesn't know, or care,

Re:Fingerprint scanners suck.

[Your Pal Dave]

The problem is that you've got multiple passwords- one for work, one for Amazon.com, one for online banking, one for /., etc. etc. so it becomes virtually impossible to remember the damn things. Now what? People have to start writing them down, and posting them next to the machine. A huge part of the security of passwords comes from the fact that it's not physically written down; as soon as you have to record it instead of keeping it in your memory, your overall level of security is going down, even if the password is getting harder to crack.

There's an easy solution to this, just store your passwords in one of those fingerprint-protected USB sticks that I've been reading so much about.

Re:

[Mister Whirly]

Dr Pepper has been around since 1885. I would think that qualifies as "old". I think I still have a couple bottles from the 70s around in my garage somewhere...

Re:

[agristin]

Hey, that is my password too!!

Re:

[zippthorne]

For one of them, I think they just put their thumb on a photocopy machine and pressed the copy button. There wasn't a single piece of equipment in there that could be called, "secure." I think even the mythbusters were surprised at how easy it was. I imagine they were expecting to bust it, considering the size of the industry.

The thing that people need to drill is that fingerprints are a username. You still need a password.

Re:

[Bert64]

A scan of a fingerprint is never exactly the same twice, thus it is useless as a cryptographic key...
The most it can do, is provide a "close enough" match to a program which will then provide the actual key. Since this is just a program, you can simply hack it to provide you with the key regardless of what input is fed to it, or just write your own program to retrieve the key from wherever it's stored.
A fingerprint is as poor a form of authentication as a signature, all for show while not providing any real

Big Picture: Still a bad idea

[JSBiff]

Let's say, hypothetically, you could create a perfect fingerprint matching system you could use to provide a strong encryption key for encrypting/decrypting your data. Let's say the technology couldn't be fooled - it really required *your* finger, and not a rubber mold, xerox, etc. Let's even say that it uses some sort of 'salting' technique so that someone can't just figure out your key by lifting your fingerprints - that is, knowing *just* the fingerprint would not by itself be sufficient to generate the

Re:Fingerprint scanners suck.

[explosivejared]

As I've pointed out in previous post [slashdot.org], you won't be truly secure until you can completely incinerate any non-authorized individual who touches the drive. Even passwords fall short. Encryption, biometrics, etc... pfft... you're not safe unless annihilation is ensured.

Re:

[MillionthMonkey]

You mean I can't leave my last will and testament on this thing if I plan to be cremated?

Re:

[halcyon1234]

That's what lackies are for. "Hey, Merv, touch that for me, will you?" *zzz*. "Hey, Johnson, touch that for me, will you?"

Re:

[kvezach]

Even passwords fall short. Encryption, biometrics, etc... pfft... you're not safe unless annihilation is ensured.

Hook it up to the South African flamethrower car alarm [wikipedia.org]; that should do it! (If you can get them to start making those again.)

Fingerprint scanners suck.

[mpapet]

It goes without saying that there are a large number of low-end sensors disguised as excellent front-ends to biometric authentication. You need to segregate two things.

1. the sensor itself.

2. the implementation of the sensor. (e.g. sensor as a front end)

There are two legitimate sensor manufacturers in the U.S. and one very well-known French company all of whom do not sell to just anyone anywhere and at prices absolutely out of range for a TV show and the average company.

Another thing to keep in mind is even IF there was budget for a good device, (oh to dream) there are implementation issues that can make the hardware worthless. As is often the case, meaningful implementations tend to complicate practically all business/operations matters which is why no company bothers.

To generalize that all fingerprint scanners suck is just wrong.

Re:Fingerprint scanners suck.

[dbrez8]

mpapet is correct. I work on the development team of a company that manufactures Biometric USB drives. there are many many low-end drives on the market that, as this article states, are not secure at all. You can use the attack they speak of or attack the flash chip directly in most cases. There are a few quality products on the market, including our own, that do use strong security principals to make sure attacks like these are not possible. To say that these issues effect all biometric USB devices, and that they should not be used, is simply false.

Re:Fingerprint scanners suck.

[sqldr]

Glad you were able to hack it. I had problems with fingerprint readers for exactly the opposite reason. I could never get into the data centre. Each time, I would have my print rescanned, and it would work for about 5 minutes, until the following week, possibly due to the fact that I was destroying my fingers with regular guitar playing at the time, it couldn't recognise me.

Re:

[Hawkeye05]

The Fingerprint readers on Thinkpads' Require electrical signals and also a pulse, so they arent that easy to circumvent, i wouldnt trust it with my life, since i dont encrypt my drive, but its good enough.

Re:

[Khyber]

Excuse me? The readers do not require a pulse. They do require some sort of moisture to activate the sensor, but a pulse is just bullshit. I'm responsible for replacing the damned things for a large laptop repair company and I also own a thinkpad with biometrics, so I can easily say that requiring a pulse is BS. Obtaining a pulse from the fingertip is near-impossible. You have to get to the second joint of the finger where the skin is thinner.

Re:

[Khyber]

That's why it needs some form of moisture, to bridge the two electrical contacts to activate the scanner.

Re:Fingerprint scanners suck.

[Belial6]

My biggest problem with finger print locks is that they use only my finger to open them, and I don't want someone using my finger to open a lock when I'm not there. A good rule of thumb is that you should never lock anything with a finger print that is more valuable to a thief than your finger is to you, or that is harder to crack than cutting off your fingers.

This is why I don't ever want a car with fingerprint locks. Pretty much the same for laptops. I am going to put a fingerprint reader on my pool gate though, as it will be easier for someone to just kick the gate open, or jump the gate than it is for them to mug me and take my fingers.

Re:Fingerprint scanners suck.

[AncientPC]

Malaysia car thieves steal finger [bbc.co.uk]

Re:

[Darinbob]

The scary thing about the Mythbuster's attempt at this, is that it was so easy. The grabbed a fingerprint from a glass, scanned it into a computer, touched it up a bit graphically, then printed it out on paper. They used that paper to create a rubber film with ridges, a little moisture was applied (the door measures skin conductivity as an added "security" measure), and voila.

Even scarier, in my view, was that they later skipped the last step altogether. They took the printed paper as is, moistened it, a

Re:

[ngc3242]

Disclaimer: I work for a major fingerprint sensor manufacturer.

The problem with these particular devices isn't in the fingerprint sensors but with the way the security system was setup on the USB chip. The attacks shown used in the article don't have anything to do with the fingerprint sensors. Heise did a similar review of similarly flawed "fingerprint protected" hard drives recently. I think I saw that link from Bruce Schnier's site originally.

This is not to say that fingerprint sensors are perfect. H

Damned With Faint Praise?

[Jeremiah Cornelius]

"They do not provide any significant level of protection. We can only recommend that these products not be purchased."

You seldom get such unflinching prose in a review.

Re:

[Anonymous Coward]

Yep, that's definitely unique with Heise. They are the unchallenged market leader for German computer magazines, both for professionals and customers. I've seen so many slashdot stories that came up about a week after heise.de published them.

A few weeks ago, they said the same thing for "encrypted" USB hard drives (with state-of-the-art "XOR" encryption).

What's wrong with low level protection?

[EmbeddedJanitor]

Low-level protection is fine, so long as you know it is low level. Low level protection is dine for stopping the casual snooper.

Around the world there are millions of low-level padlocks etc that will stop most petty thieves but will not deter serious thieves. Most houses have pickable locks that anyone could learn to pick, but yet most locks still serve their purpose.

The only real issue is if peeople buy these devices and think they're getting Fort Knox level security and essentially use a two-dollar padlo

LOLOL pwned!

[TripMaster Monkey]

And my boss has been pushing to get these deployed at our company, for the sake of security. I'm sending him this article right now.

Thanks once again, Slashdot, for making it possible for me to project the impression that I'm doing my job. ^_^

Re:LOLOL pwned!

[Briareos]

Thanks once again, Slashdot, for making it possible for me to project the impression that I'm doing my job. ^_^

Shouldn't you be thanking Heise instead?

Just saying...

np: Pole - Achterbahn (Shackleton Remix) (Steingarten Remixes)

Re:

[mgblst]

I like to thank my monitor for what comes through the tubes. And every now and again I give my mouse a grateful squeeze.

Re:

[Midnight Thunder]

Thanks once again, Slashdot, for making it possible for me to project the impression that I'm doing my job. ^_^

Then again he might ignore you and ask you what you are doing reading /. , at least if he is of the pointy haired variety ;)

Mythbusters

[TheMeuge]

Didn't Mythbusters beat a bunch of fingerprint readers a couple of seasons ago? I seem to recall them using printed pictures of fingerprints with great success.

http://www.youtube.com/watch?v=oXyFmieZjiE

Re:

[SatanicPuppy]

Yep. The thing that I thought was most interesting was that the laptop scanner was harder to fool than the big sexy security door scanner.

Not that they didn't take both of them down easily, using low tech methods.

Re:

[haruchai]

Video has been yanked due to copyright infringement claim from Discovery Channel

bad security

[esocid]

...the controller on the stick does not decide whether to provide access to the partition; the software running on Windows does.

Well there's your problem. Who in their right mind designed these? No encryption either. Or maybe it was their plan all along...No, I'd go with just stupidity.

Re:

[Idaho]

Well there's your problem. Who in their right mind designed these? No encryption either. Or maybe it was their plan all along...No, I'd go with just stupidity.

Stupidity of the gullible people buying this, that is.

The guys who designed this (and, more importantly, marketed it) are certainly not stupid - they are essentially selling low-grade USB sticks at probably a 10x markup, at the cost of having a couple programmers write a Windows-only driver that makes it look like there is a security layer. I wouldn't

More snake oil security

[Idaho]

This is not the first USB-stick sold for a high price (typically 10 times the price of a normal USB stick of the same size) that doesn't actually add any security whatsoever.

Here [tweakers.net] is an article by a dutch website (the article is in english though) that does a thorough job (technical details included) of debunking a similar product.

Meanwhile, the scary thing is that government and military organizations are reported to have been actually using such products...

Re:

[Opportunist]

And they will continue using them. Simple reason: They don't give a jack about security, they only care about the outcry.

Now, Joe Average doesn't know more about security than the feds do. Actually, I'm tempted to say, he knows less. So the next time some data will be "lost", some fed PR goon will step in front of the cam and announce that yes, we lost some data, but fortunately it was well encrypted, so your data has not been compromised. And Joe will be happy and satisfied, because it's encrypted.

How well

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[garett_spencley]

I agree 100%. However, the whole point of these devices is to protect your data in case it is lost / stolen.

The only problem is that they do not work.

There is a big market for physical security. It needs companies that will exploit it without snake oil. I like the idea of a multi-layer encryption / pass phrase / physical lock / self-destruct / whatever combination etc. idea on USB sticks and laptops etc. and I expect that products that cater to that need will grow. Unfortunately products that fail to live u

Re:

[Opportunist]

It's about as much snakeoil as the whole deal with "protection" against intrusion when you have the "protected" device physically in your hands. It's right behind unbreakable DRM.

Re:

[TheRealMindChild]

Not entirely. If the entire (and I mean everything) was encrypted with a unique hash calculated by your print, I think it would work.

Re:

[Tony Hoyle]

Your print never reads the same twice (fingerprints are a poor biometric for this reason - you can only really guess within a certain probability that it's the right one), so to do what you're suggesting you'd have to store the hash on the device.

So your security is dependent on them hiding the hash to the rest of the data. Security is only as strong as its weakest point.

Re:

[TheRealMindChild]

Then the problem is a technical one, not a logical one. You propose that the idea will never be secure because we currently can't do it that way... that is must be done some other way. Just focus on what you need to actually be doing make it possible, not assume that it can't ever be done and you are stuck with nasty obscurities.

Re:

[Culture20]

His point was if the hash is stored on the device... the Hash is stored On the Device; bad security model.

Fingerprint readers are kind of like a new, lazy, security guard; he kind of knows what people look like, and he'll let anyone in the building that looks close enough. Unfortunately, he _has_ to let people in who look close enough, or he'll get fired (the fingerprint reader won't be purchased).

Fingerprint readers are even worse than the human, because you can fake them so easily. So, you've got w

Re:

[Jesus_666]

One problem is that fingerprints change. You cut your finger or play a guitar or just tend to have dry skin*... and your fingerprint changes. One issue with biometrics is that they are not static. You fingerprints, your irises, your retinas - all of them change slightly over time. It's slight enough for "there's a high probability that this reading matches person X", but too much for "we'll take this reading as a digital key". You can try to downsample the readings to compensate for long-term change and sho

Re:

[mattpalmer1086]

No, sorry, that's just wrong. If the data is properly encrypted with a decent cipher using a key with sufficient entropy, you should assume it has not been compromised.

If the encryption you are using is so poor that the loss of your USB stick means you consider the data to be compromised, why bother encrypting at all?!!!

Re:

[account_deleted]

Comment removed based on user account deletion

True of biometrics, maybe.

[SanityInAnarchy]

It may still be possible to create something relatively tamper-proof, by destroying the physical layer if an attempt is made.

However, it is possible to do strong encryption such that you should assume it will be secure, and there is a number of years for which you can assume that to be true. Most schemes we employ today are assumed secure for at least ten years. Without some trick (or fully-functional quantum computers), there are some schemes which will outlast the heat-death of the Universe, but 10 years

Hardware-based security is often vulnerable

[Lucas123]

Corsair's Flash Padlock has the same issue [computerworld.com]. You can open the case through a single screw in the back of the drive and then access an electronic switch on the board, which can be easily tripped with a piece of wire, giving you access to the memory chip without having to punch in a security PIN. Hardware security methods just aren't as secure as software-based encryption.

Re:Hardware-based security is often vulnerable

[mpapet]

Hardware security methods just aren't as secure as software-based encryption.

You couldn't be more wrong about biometric authentication. You probably haven't seen the Sagem or Cogent sensors implemented well. It is the very rare organization who would actually spend the money to do the job right. A revision is necessary to make your statement accurate.

Cheap and dirty hardware security methods just aren't as secure as software-based encryption.

That's better.

Re:Hardware-based security is often vulnerable

[Lumpy]

Exactly. I saw a "secure" version of that. that potted the whole device in epoxy. I returned the unit to the salesman with all the epoxy removed and a CD of the contents of the drive and said. "I would not trust that for any security."

Granted It helps I made my way through college modding VideoCipher II boards back in the 80's so epoxy potting removal is incredibly easy to me.

The ONLY way to make these toys secure is custom chipsets. power up chipset and then only decrypt the contents of the flash after the 12 digit key was entered on the little pin pad. But nobody is going to make that.

Re:

[smellsofbikes]

>so epoxy potting removal is incredibly easy to me.

Out of curiosity, how do you do it? I've used a combination of soaking in acetone and physically chipping/milling the stuff away, but I'd love to know better techniques.

>The ONLY way to make these toys secure is custom chipsets. power up chipset and then only decrypt the contents of the flash after the 12 digit key was entered on the little pin pad. But nobody is going to make that.

Read about the Maxim DS3600 [maxim-ic.com] family of chips some time. Keys stored e

Re:

[SCHecklerX]

Not my realm of expertise, but the two previous posters may like this:

http://www.blackhat.com/presentations/bh-dc-08/Tarnovsky/Presentation/bh-dc-08-tarnovsky.pdf [blackhat.com]

Watch a Sci-fi movie!

[hellfire]

There's a reason why certain b-grade sci-fi slasher movies portray a top secret high security building protected by some kind of hand or fingerprint scanner. They need some security lock that is insanely easy for the hero or the villian to get through. Every time you see this, you know some loser extra is going to be dead and missing a hand by the end of the flick.

Re:

[Beardo the Bearded]

Exactly.

Plus, a gun beats any security measure you can come up with. Just hold it to the head of a guy who knows the password.

"Hey, see my gun? What's the password?"

"It's 12345. Here, let me press the thumb scanner for you while I'm here anyway."

Re:

[aproposofwhat]

That's what distress keycodes were invented for - some fingerprint implementations even allow you to choose a 'distress finger' for use in that situation - it will still open the door, but will also flag an alert to security staff.

'distress finger'

[More_Cowbell]

I know there's a good joke in there somewhere.

Re:

[SanityInAnarchy]

Depends if stealth is required. By the time you've already shown your gun to someone, they know you were here, and possibly know what you look like.

Under some situations, sure, it'd be problematic. But by the time you're doing that, you've already screwed up past your original silent-like-the-wind attack, where they'd never know you were there.

Of course, this being a scifi flick, something will go wrong anyway...

Mythbusters

[scubamage]

There was an awesome episode of Mythbusters where they went through and cracked numerous types of fingerprint scanners.. amazingly the most sophisticated systems were extremely easy to beat (ie: using a photocopy of a brushed fingerprint). The cheaper ones worked a bit better requiring a ton of work to get by. I don't think this really is so much an issue about finger scanning as it is hardware design.

Re:

[Ihmhi]

I was just about to post this... here is the video of it: http://www.youtube.com/watch?v=LA4Xx5Noxyo>

I am honestly not surprised. Biometrics has a long way to go. Now when are we going to see retinal scanner thumb drives? *eyeroll*

The Elephant in The Room

[rueger]

Having spent too many hours dealing with increasingly bizarre authentication schemes at various web sites, [community-media.com] and more hours reading about each new form of high tech security wizardry, I've come to conclude that an awful lot of companies are ignoring the obvious - that the only really secure way to protect data is to prevent physical access to it.

As long as someone can get access to the container, they can find a way in.

Obviously we're balancing convenience with security, but when some employee takes your whole customer database off-site on his laptop your problem is not encryption, it's keeping that data in a controlled environment.

Re:The Elephant in The Room

[Lumpy]

One of my favorite Login security systems I have used was when I had to access a secure system back in the early 90's. one of the login validations was the date and time you last logged in.

Username:
Password:
Last login date:
Last Login time:
Today's PIN:

Worked good but kept a LOT of people out as they could never remember when they last logged in I was one of few that never called the help desk as I simply scheduled my login times to be the same each day.
Today's pin was not so safe as it was written on the whiteboard in the security office.

Re:

[Tony Hoyle]

I simply scheduled my login times to be the same each day.

So anyone that knew you could easily get that part of the login. Not only compromising the system but locking you out in the process!

That's like setting your password to your wifes name or something. No security at all.

Re:

[Lumpy]

Well they had to know me, my login, know my password, knew that I logged in at 12:17, and knew the security pin on the white board for that day, and try it when they knew I was not still logged in. as a second login attempt when a session is open will trigger security lockdown on the account.

If you are that good, then yes you could get in.

Oh no! Not fingerprint "security"

[pesc]

When will fingerprint "security" die?

Obligatory links:

http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/ [theregister.co.uk]
http://www.schneier.com/crypto-gram-9808.html#biometrics [schneier.com]

It's important to understand that your fingerprints aren't secrets. You put them on thousands of objects every day. You can't create any security based on fingerprints unless you can assure that the reading device isn't tampered with. By placing a guard (a person) there or something.

Re:

[Tony Hoyle]

Interestingly that sequence in 2002 was exactly what Mythbusters repeated several years later.

Sounds like they read that article and repeated the experiment to see what would happen - and there was me thinking they'd actually made some of it up...

Another misuse of biometrics

[swordgeek]

Biometrics has its place. This isn't it.

Most of the time, a username/password is a perfectly good access-control method. In some cases (either high-security environments or connections over hostile space), a second authentication method is advised. Now we have a two-factor authentication. Typical example is "log onto the firewall to allow you to log onto a machine inside the firewall." SecureID cards and the like also work as a good second-factor method.

A biometric challenge is arguably an acceptable second-factor when added to a username/password system. It is NOT a substitute for such a system.

However, biometrics are HARD to do correctly! Cheap scanners suck and are generally insecure by design. Expensive scanners suck, but are generally designed better. None are foolproof, yet.

Also, biometric authentication carries a risk. If your username and password are stolen, then you can change your password and stop the damage. If your biometric ID (retinal scan, fingerprint, etc.) are successfully 'stolen,' then you have lost your authentication ability for all time! If your fingerprint is compromised, you can NEVER USE it as an authentication method again! There ain't no resetting fingerprints!

So we have a large expense for an imperfect system with exactly one possible compromise per user per lifetime. This isn't a primary ID method. It's not a good second-factor ID method either. In EXTREME security environments, it might make sense as a third-factor authorization system, along with username/password and a (pseudo-) one-time pad (i.e. SecureID).

If you don't NEED that type of security, then DON'T USE YOUR BIOMETRIC DATA! One compromise, and it's useless. Forever. Period.

Oh yeah, but I forget the most important part: Fingerprint scanners are shiny and cool, just like in the movies. Bah.

Encrypted memory stick experience

[argent]

In my previous system administration job one of the managers got some kind of deal on a big box of encrypted memory sticks - something like 100 sticks - that we put into our pool of thumb drives our engineers used for transferring configuration files and the like. We never used the encryption technology (among other things, embedded controllers don't have the ability to run Windows executables to read the password), instead we configured them as one big open partition. Unfortunately they were particularly s

The fundamental problem...

[tgd]

Fingerprints are a source of identification not authorization. They're not private. No matter how good your sensor is, there's nothing secret about your authorization. Its a "what you have", which conveniently you always have.

If you are going to provide authorization, you need to use a "what you know" (password) to even have a minimum of security.

Doing anything else is an explicit decision to disable security. Hopefully an acceptable reduction in exchange for a necessary benefit. Most of the time its not, h

Re:

[tgd]

Crap "secret about your fingerprint".

Preview first... preview first...

If at first you don't get posted...

[damn_registrars]

Someone already submitted this article [slashdot.org] under a different headline. It was rejected. Apparently we care about it now, though I'm not sure why. Even linked to the same article, and sent in by the same person, with a different description.

I guess now I know what to do if the stories I submit don't make it...

Re:

[Opportunist]

Depends how much interesting stuff happens. On some days, groundbreaking news don't make it to the frontpage because there've been even more groundbreaking events pushing them back. On other days, a story about some dork building something out of LEGO makes it because there's simply nothing going on.

Fingerprint Systems

[kellyb9]

Fingerprint systems are terrible if you really think about it. It would basically be like a password that you had, you couldn't change it, and you left it in paper version everywhere you go. There needs to be another layer of security on top of most biometric systems.

Well that was stupid

[Bobb Sledd]

Well that's stupid. Apart from the fact that using biometric data that is subject to loss, and cannot ever be changed in case of compromise...

Assuming you *had* to do it with fingerprints... why wouldn't you just come up with some algorithm that takes certain points and spaces and distances of your fingerprint, creates an encryption/decryption password based on the results, and then encrypts/decrypts your data with something like what TrueCrypt does, but using this password instead.

This way your data is ac

Truecrypt

[Frederic54]

This is why I have a $10 USB memory stick and I use a Truecrypt volume on it with a HMAC-Whirlpool whatever encryption it is.
When I plug it into another computer, the autostart popup comes on the screen to mount the volume, easy enough, and as almost everyone run their windows as administrator, no problem to run Truecrypt.
It works also on Linux and OSX.

And if someone steal it, good luck finding the key!

Re:

[SirTalon42]

[quote]When I plug it into another computer, the autostart popup comes on the screen to mount the volume, easy enough, and as almost everyone run their windows as administrator, no problem to run Truecrypt.
It works also on Linux and OSX.

And if someone steal it, good luck finding the key![/quote]

If someone knows a machine you'll be sticking it into at some time, they could simply get there before you and put a few simple tools on it to monitor what happens, and either flat out copy the encryp

It's your username

[Rick Genter]

A fingerprint identifies you. It doesn't authenticate you. It's effectively your username. To use it as your password is akin to using your username as your password.

Everyday Joe....

[Kazrath]

Guys, We know that with the right tools, knowledge and ability pretty much anything can be cracked. These devices may not be able to keep security professionals or their seedier equivalent from accessing the information but it will keep the everyday Joe office worker from accessing your information. The idea is sound and it is secure against probably 99% of the worlds population. The technical elite would be able to eventually crack it regardless of which security measures were applied.

I for one think t

Security Failures in Secure Devices

[SCHecklerX]

Christopher Tarnovsky gave an interesting presentation on this related subject at BHDC 2008:

http://www.blackhat.com/presentations/bh-dc-08/Tarnovsky/Presentation/bh-dc-08-tarnovsky.pdf [blackhat.com]

You're not getting th idea behind the hack.

[Ernesto Alvarez]

I've been seeing lots of posts critisizing fingerprint authentication and how it is easily cracked, etc. You should (re)read TFA, because you're not getting the idea.

Those sticks are flawed not because the fingerprint sensor sucks, but because the authentication is made on the computer.

If I got it right, those sticks should work like this

1. You plug the stick
2. You put your finger on the sensor
3. The sensor reads your print and sends its data to the computer
4. The windows driver takes the data and decides whether it should give you access or not
5. If the print matches, IT SENDS WHAT IN ESSENCE IS AN UNLOCK COMMAND TO THE STICK
6. You access the private partition

The fact that the stick uses biometrics is irrelevant. With a design like that, it would have been vulnerable even if it had PIN, RSA keys or black magic. You can just bypass the security mechanism by sending the unlock command.

Essentialy, it has the same flaw as the secustik we saw last year.

Re:Misleading?

[esocid]

But it is misleading. It offers a technology that, to the viewer, is designed to protect the content on the memory. It does nothing of the sort. It gives the facade of a deadbolted door, with a window around back that is just left open. You say it's quicker than inputting a password? I doubt people are really in that much of a hurry that 2 seconds is such a waste of time. If anything it would serve as not needing to remember a password, or multiple passwords. But I'm still wary of anything that will require any sort of biometric information of mine for me to access.

Re:

[SatanicPuppy]

Meh. It's security theater. Just buy a normal one and keep it in your wallet...That'll keep everyone out. What's the point of securing it only against people who don't really care if they get in it or not?

Re:

[jellomizer]

A fingerprint Reader is probably as secure as a 3 or 4 diget password. if used in conjunction of an other 3 or 4 diget password they could be rather secure.

Re:

[SirTalon42]

Welcome to Slashdot. If you want original, informative, interesting, or insightful discussion, this place isn't for you.

Re:

[Mister Whirly]

Maybe Mythbusters should do an episode where they debunk the theory that not only do Slashdotters read TFA, they also read TFC before posting.