Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Hacking USB Thumbdrives, Thumprint authentication

From: "Volker Tanger" <volker.tanger () discon de>
Date: Tue, 27 Jan 2004 09:31:34 +0100
Greetings!

On Mon, 26 Jan 2004 14:43:12 -0500 "Deras, Angel R./Information Systems"
<derasa () MSKCC ORG> wrote:

When we investigated fingerprinting products, two colleagues cracked
the system by using a paper photocopy of a finger.  


There's an even less technical approach presented ~ a year ago by the
German c't magazine (http://www.heise.de/ct/02/11/114/default.shtml),
that worked with a surprising number of the fingerprint readers: first
you clean the reader (with a bit of wet/soapy cloth) and wait for a user
to authenticate. After he left, you simply login by aspirating against
the reader...

Probable explanation: each finger pressed against the reader lets some
greasy residue left behind - in the form of a fingerprint. By aspirating
water vapor condenses (preferrably) at the non-greasy parts (fat and
water don't mix) - in the form of a valid fingerprint. Warm breath seems
to confirm the life detection - et volia!

Scary - but seemed to be sufficient for a number of devices...
:-(

Volker Tanger
ITK-Security

---------------------------------------------------------------------------
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: