Vulnerability Development mailing list archives
Re: Hacking USB Thumbdrives, Thumprint authentication
From: "Rev. Kronovohr" <kronovohr () finalaeon net>
Date: Mon, 26 Jan 2004 12:38:42 -0600
Thumbprint scanners are only a small part of a larger security strategy. While being ineffectual in and of themselves, combined with retina scanning, physical verification, PIN codes, and ID cards, they're fine for perimeter security, but workstation security should maintain more than one simple biometric device to assure that the user calling is the user who's supposed to be there. Like you said, great for one household system, but if it's not part of a greater security scheme, it might as well be unpassworded for all intents and purposes to a determined attacker who can gain physical access to a system.

On Mon, 2004-01-26 at 10:40, Harlan Carvey wrote:
> There were some articles on SF a bit ago, referring to the use of household kitchen items (gummy bears) to "fool" the thumbprint biometric devices.
>
> My own research about 2 yrs ago showed that while the thumbprint scanners worked well for local authentication, they did nothing to protect a system from being contacted remotely. If a weak admin (or any user, for that matter) password is in place, then the biometric does no good whatsoever.
>
> Also, there are ways to cause the biometric device to "malfunction", to the point that the user is frustrated. For instance, unseat the connection to the back of the machine, or break off a pin, or put a smudge on the reader...these will cause enough problems with the device that the user will grow tired of dealing with it.
>
> Remember, the thumbprint biometric scanners are not so much for security, but more for convenience...users don't often forget their thumbs, whereas they may forget a password.
>
>> I'm interested in research regarding hacking USB drives unlocked with a thumbprint
>> http://www.thumbdrive.com/prd_info.htm
>> Or any thumbprint biometric hacking.
>>
>> Client is considering USB drives to offload laptop data and at first glance seems like a better solution than keeping sensitive data on laptops. Encryption software on laptops requires more password management and software hassles. The above device has no software drivers to install so deployment headaches are minimized with (what seems) like better security (obviously not maximum security) at low deployment cost.
>>
>> I'm guessing one can take the flash chip off the device and plug into regular USB drive. Or rewrite the thumbprint hash. Or hacks to fool the drivers. Or reverse engineer the login program to always return "Yes".
>>
>> Thanks,
>> dreez
>> mje () secev com
--
Rev. Kronovohr <kronovohr () finalaeon net>
The Brotherhood of the Final Aeon
finger kronovohr () finalaeon net or
http://www.finalaeon.net/finger.php?user=kronovohr&host=finalaeon.net
fingerprint: 37C4 B78A 770E 9D85 79E3 532F BB29 03FE 0759 CF8B