Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Hacking USB Thumbdrives, Thumprint authentication

From: m e <mje () list intersec com>
Date: 27 Jan 2004 13:58:20 -0000
In-Reply-To: <AE503E4425AA90459FDD5066BCE87E9901DD8B84 () smskpexmbx1 mskcc root mskcc org>


When we investigated fingerprinting products, two colleagues cracked the
system by using a paper photocopy of a finger.  They placed it on the
=66ingerprinting pad and pressed it with another finger to provide the
heat that the pad needs to detect.  I was incredulous of their account,
but after reading the Putte source below, this sounds credible.



very cool. this i'll try and let you know.

please devil's advocate the following argument.

We are not trying to build a cruise missle to kill a fly.
We want 50% security control that 100% of the people use, not
100% security control that 50% of the people use.

I can't see a threat scenario where wife copies sales guys
thumbprint on gummy bear while sales guy is sleeping to get 
a peek at his USB drive. Yes it may happen once a year, but
chances are they will lose USB device first.

Real vulnerability is sales guy loses USB drive, and Joe
Six-Pack picks it up and brings it home to his kid. Or leaves
USB drive at customer site and customer gets curious and tries
to look at it.

So what are the vulnerabilities in this scenario?





---------------------------------------------------------------------------
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: