![pen-test logo](/images/pen-test-logo.png)
Penetration Testing mailing list archives
RE: Hacking USB Thumbdrives, Thumprint authentication
From: "John Deatherage" <john () dtiserv2 com>
Date: Mon, 26 Jan 2004 13:39:45 -0800
Trek doesn't have a product manual up yet for the ThumbDrive touch, but it does at least support two-factor authentication. For basic three factor authentication (we're making a best effort here), the "something you have" would have to be the drive itself. If people leave these stuck in their laptops, they have to understand that it's like leaving your ATM card sticking out of the slot. Anyone that knows the setup is looking for your bio and password can initiate a targeted attack. After looking at their webpage, I was reminded that these things are bootable devices. Just a reminder to turn off all but local HD in boot order in BIOS and implement a BIOS password. Before deploying these at a client, I would make sure that something like this in place... unless you want another pen tester to use the drives against them ;) -----Original Message----- From: m e [mailto:mje () list intersec com] Sent: Saturday, January 24, 2004 9:31 PM To: pen-test () securityfocus com Subject: Hacking USB Thumbdrives, Thumprint authentication I'm interested in research regarding hacking USB drives unlocked with a thumbprint http://www.thumbdrive.com/prd_info.htm Or any thumbprint biometric hacking. Client is considering USB drives to offload laptop data and at first glance seems like a better solution than keeping sensitive data on laptops. Encryption software on laptops requires more password management and software hassles. The above device has no software drivers to install so deployment headaches are minimized with (what seems) like better security (obviously not maximum security) at low deployment cost. I'm guessing one can take the flash chip off the device and plug into regular USB drive. Or rewrite the thumbprint hash. Or hacks to fool the drivers. Or reverse engineer the login program to always return "Yes". Thanks, dreez mje () secev com --------------------------------------------------------------------------- ---------------------------------------------------------------------------- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Hacking USB Thumbdrives, Thumprint authentication m e (Jan 25)
- Re: Hacking USB Thumbdrives, Thumprint authentication Craig Pringle (Jan 26)
- Re: Hacking USB Thumbdrives, Thumprint authentication Job de Haas (Jan 26)
- RE: Hacking USB Thumbdrives, Thumprint authentication John Deatherage (Jan 26)
- Re: Hacking USB Thumbdrives, Thumprint authentication Walter Williams (Jan 27)
- RE: Hacking USB Thumbdrives, Thumprint authentication Rob Shein (Jan 27)
- <Possible follow-ups>
- RE: Hacking USB Thumbdrives, Thumprint authentication Deras, Angel R./Information Systems (Jan 26)
- Re: Hacking USB Thumbdrives, Thumprint authentication Volker Tanger (Jan 27)
- Re: Hacking USB Thumbdrives, Thumprint authentication m e (Jan 27)
- RE: Hacking USB Thumbdrives, Thumprint authentication Rob Shein (Jan 27)
- RE: Hacking USB Thumbdrives, Thumprint authentication Jerry Shenk (Jan 27)
- RE: Hacking USB Thumbdrives, Thumprint authentication Atul Porwal (Jan 27)
- RE: Hacking USB Thumbdrives, Thumprint authentication Herbold, John W. (Jan 27)
(Thread continues...)