Vulnerability Development mailing list archives
RE: Hacking USB Thumbdrives, Thumprint authentication
From: <David.Cross () ngc com>
Date: Wed, 4 Feb 2004 11:39:51 -0700
Your concerns are shared by the majority of people at this point in time. It is very likely that thumbprint devices, if used commonly, will lead to everyone's prints being added to a national or international database at some point in time. This seems to be an inevitable progression of our society. No amount of justification could make it right, but I'm convinced it will happen. In the meantime I will continue to learn everything I can about biometrics. For this reason I hope people don't choose biometrics as a mainstay. But funny things happen when politicians get nervous. Perhaps people should spend more time analyzing these technologies so that there are reasons to avoid biometrics as a whole.

David Cross, CISSP

-----Original Message-----
From: Kurt Seifried [mailto:bt () seifried org]
Sent: Tuesday, February 03, 2004 5:51 PM
To: Cross, David; vuln-dev () securityfocus com
Subject: Re: Hacking USB Thumbdrives, Thumprint authentication

> I've been working with fingerprint authentication devices for over 9 years now. The basis for the research quoted on cracking these devices is weak. Is it possible to devise a way to fool fingerprint readers?... given enough time, gummy bears and glue? It may be possible, but having tested the devices over a number of years I can say that it is very difficult. By the time a person was able to do lithography and form a "gummy finger" of some type, their password could have been stolen hundreds of times over by a hardware key-logger or socially engineered.

Problem is I can change my passwords, but not my fingerprints. What do you do once a high-res photo or other "description" of your fingerprints is released publicly on the net?

> Also it would be fair to note that some newer thumbprint devices read ridges under the surface of the skin. Other devices read temperature as well as the print itself. Silicon sensors register wetness as a factor as well, returning a bad result if the print is not moist or is too moist (not the $65 readers). Also, those serious about fingerprint biometric systems will use a combination of PIN and print, or smart card and print, like the Precise Biometrics (TM) device. Other models of print reading devices go further with an on-card certificate on smart media combined with a fingerprint. Beyond PINs and prints, other systems register 10 prints and pick one randomly, or select two randomly, and the user must supply prints from the requested fingers. All of these have/know systems are more secure than the "have" systems where you only present what you have physically. Any secure system will combine "have" and "know" methods for truer authentication.

If people are, as you put it, "serious" about authentication, chances are they won't have problems, but like any security problem the vast majority will not be "serious" about solving it, and will instead go for the cheap solutions. If people were serious about security we wouldn't have things like MyDoom infecting 100,000's of computers.

> Most computer users have an aversion to biometrics as a means of authentication, making widespread use unlikely for at least a few more years.

Personally I will be refusing to use biometric authentication with any organization that is not required by LAW to keep my information (i.e. retinal/fingerprints/whatever) private. Of course, with no real penalties for letting that information out, it's mostly a moot point. But how will people feel when some company goes out of business and decides to sell their biometric data as an asset? What laws are there to protect the (possibly forced) consumers of biometric authentication? I.e. McDonalds is deploying hand scanners. What laws prevent them from selling that handprint data to another company?

Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/