Vulnerability Development mailing list archives

RE: Hacking USB Thumbdrives, Thumprint authentication

From: <David.Cross () ngc com>
Date: Wed, 4 Feb 2004 11:39:51 -0700

Your concerns are shared by the majority of people at this point in time.  It is very likely that thumbprint devices, 
if used commonly, will lead to everyone's prints being added to a national or international database at some point in 
time.  This seems to be an inevitable progression of our society.  No amount of justification could make it right but 
I'm convinced it will happen. In the meantime I will continue to learn everything I can about biometrics.

For this reason I hope people don't choose biometrics as a mainstay.  But funny things happen when politicians get 
nervous.

Perhaps people should spend more time analyzing these technologies so that there are reasons to avoid biometrics as a 
whole.

-----Original Message-----
From: Kurt Seifried [mailto:bt () seifried org] 
Sent: Tuesday, February 03, 2004 5:51 PM
To: Cross, David; vuln-dev () securityfocus com
Subject: Re: Hacking USB Thumbdrives, Thumprint authentication

> I've been working with fingerprint authentication devices for over 9 years
> now.  The basis for the research quoted on cracking these devices is weak.
> Is it possible to devise a way to fool fingerprint readers?... given enough
> time, gummy bears and glue?  It may be possible but having tested the
> devices over a number of years I can say that it is very difficult.  By the
> time a person was able to do lithography and form a "gummy finger" of some
> type their password could have been stolen hundreds of times over by a
> hardware key-logger or socially engineered.

Problem is I can change my passwords, but not my fingerprints. What do you
do once a high res photo or other "description" of your fingerprints are
released publicly on the net?

> Also it would be fair to note that some newer thumbprint devices read
> ridges under the surface of the skin.  Other devices read temperature as
> well as the print itself.  Silicon sensors register wetness as a factor as
> well by returning a bad result if the print is not moist or is too moist.
> (not the $65 readers)  Also those serious about fingerprint biometric
> systems will use a combination of PIN and print or smart card and print like
> the Precise Biometrics (TM) device.  Other models of print reading devices
> go further with an on-card certificate on smart media combined with a
> fingerprint.  Beyond PINs and prints other systems register 10 prints and pick
> one randomly or select two randomly and the user must supply prints from the
> requested fingers.  All of these have/know systems are more secure than the
> "have" systems where you only present what you have physically.  Any secure
> system will combine "have" and "know" methods for truer authentication.

If people are as you put it "serious" about authentication chances are they
won't have problems, but like any security problem the vast majority will
not be "serious" about solving it, and will instead go for the cheap
solutions. If people were serious about security we wouldn't have things
like MyDoom infecting 100,000's of computers.

Most computer users have an aversion to biometrics as a means of
authentication making widespread use unlikely for at least a few more years.

Personally I will be refusing to use biometric authentication with any
organization that is not required by LAW to keep my information (i.e.
retinal/fingerprints/whatever) private. Of course with no real penalties for
letting that information out so it's mostly a moot point. But how will
people feel when some company goes out of business and decides to sell their
biometric data as an asset?

What laws are there to protect the (possibly forced) consumers of biometric
authentication? I.e. McDonalds is deploying hand scanners. What laws prevent
them from selling that handprint data to another company?

David Cross, CISSP


Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
