Re: Hacking USB Thumbdrives, Thumprint authentication

[Walter Williams <wbjw () mindspring com>]

You will want to verify that the thumbprint is not only hashed, but
morphed either before or after the hash.  This way there is the ability
to periodically change the recording of the thumbprint such as you would
change your password, and for many of the same reasons: if the morph
changes every 30 days, the person who has stollen the hash for cracking
has some random subset of that in which that hash is good.

Most comercial grade biometric devices can't do this, and hacking a
thumb print is rather easy, if you have physical access to the person
(and therefor the laptop).  Requires social engineering skills, that's all.

Walter

m e wrote:
> I'm interested in research regarding hacking USB drives
> unlocked with a thumbprint
>
> http://www.thumbdrive.com/prd_info.htm
>
> Or any thumbprint biometric hacking.
>
> Client is considering USB drives to offload laptop data 
> and at first glance seems like a better solution
> than keeping sensitive data on laptops. Encryption software
> on laptops requires more password management and software
> hassles. The above device has no software drivers to install
> so deployment headaches are minimized with (what seems) like
> better security (obviously not maximum security) at low
> deployment cost.
>
> I'm guessing one can take the flash chip off the device
> and plug into regular USB drive. Or rewrite the thumbprint hash.
> Or hacks to fool the drivers. Or reverse engineer the
> login program to always return "Yes".
>
> Thanks,
> dreez
> mje () secev com
>
>
>
>
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------




---------------------------------------------------------------------------
----------------------------------------------------------------------------