Penetration Testing mailing list archives
RE: Hacking USB Thumbdrives, Thumprint authentication
From: "Rob Shein" <shoten () starpower net>
Date: Tue, 27 Jan 2004 09:57:02 -0500
Vulnerability #1 in this scenario? The thumbprint is still on the drive from when he last touched it. Dust the print off, scan it, print it and continue from there. Some of the fingerprint readers can be triggered just by cupping your hands around them and breathing on them, causing the print to fog (and be read).
-----Original Message----- From: m e [mailto:mje () list intersec com] Sent: Tuesday, January 27, 2004 8:58 AM To: pen-test () securityfocus com Subject: Re: Hacking USB Thumbdrives, Thumprint authentication In-Reply-To: <AE503E4425AA90459FDD5066BCE87E9901DD8B84 () smskpexmbx1 mskcc ro ot.mskcc.org>When we investigated fingerprinting products, two colleagues cracked the system by using a paper photocopy of a finger. Theyplaced it onthe =66ingerprinting pad and pressed it with another fingerto providethe heat that the pad needs to detect. I was incredulous of their account, but after reading the Putte source below, this sounds credible.very cool. this i'll try and let you know. please devil's advocate the following argument. We are not trying to build a cruise missle to kill a fly. We want 50% security control that 100% of the people use, not 100% security control that 50% of the people use. I can't see a threat scenario where wife copies sales guys thumbprint on gummy bear while sales guy is sleeping to get a peek at his USB drive. Yes it may happen once a year, but chances are they will lose USB device first. Real vulnerability is sales guy loses USB drive, and Joe Six-Pack picks it up and brings it home to his kid. Or leaves USB drive at customer site and customer gets curious and tries to look at it. So what are the vulnerabilities in this scenario? -------------------------------------------------------------- ------------- -------------------------------------------------------------- --------------
--------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Hacking USB Thumbdrives, Thumprint authentication m e (Jan 25)
- Re: Hacking USB Thumbdrives, Thumprint authentication Craig Pringle (Jan 26)
- Re: Hacking USB Thumbdrives, Thumprint authentication Job de Haas (Jan 26)
- RE: Hacking USB Thumbdrives, Thumprint authentication John Deatherage (Jan 26)
- Re: Hacking USB Thumbdrives, Thumprint authentication Walter Williams (Jan 27)
- RE: Hacking USB Thumbdrives, Thumprint authentication Rob Shein (Jan 27)
- <Possible follow-ups>
- RE: Hacking USB Thumbdrives, Thumprint authentication Deras, Angel R./Information Systems (Jan 26)
- Re: Hacking USB Thumbdrives, Thumprint authentication Volker Tanger (Jan 27)
- Re: Hacking USB Thumbdrives, Thumprint authentication m e (Jan 27)
- RE: Hacking USB Thumbdrives, Thumprint authentication Rob Shein (Jan 27)
- RE: Hacking USB Thumbdrives, Thumprint authentication Jerry Shenk (Jan 27)
- RE: Hacking USB Thumbdrives, Thumprint authentication Atul Porwal (Jan 27)
- RE: Hacking USB Thumbdrives, Thumprint authentication Herbold, John W. (Jan 27)
- Re: Hacking USB Thumbdrives, Thumprint authentication m e (Jan 28)
- Re: Hacking USB Thumbdrives, Thumprint authentication Meritt James (Jan 29)
- Re: Hacking USB Thumbdrives, Thumprint authentication m e (Jan 28)