Vulnerability Development mailing list archives

RE: Hacking USB Thumbdrives, Thumbprint authentication


From: <David.Cross () ngc com>
Date: Tue, 3 Feb 2004 13:22:15 -0700

I've been working with fingerprint authentication devices for over 9 years now.  The basis for the research quoted on 
cracking these devices is weak.  Is it possible to devise a way to fool fingerprint readers, given enough time, 
gummy bears and glue?  It may be possible, but having tested the devices over a number of years I can say that it is 
very difficult.  By the time a person was able to do lithography and form a "gummy finger" of some type, their password 
could have been stolen hundreds of times over by a hardware key-logger or socially engineered.

Also it would be fair to note that some newer thumbprint devices read ridges under the surface of the skin.  Other 
devices read temperature as well as the print itself.  Silicon sensors register wetness as a factor as well by 
returning a bad result if the print is not moist or is too moist (not the $65 readers).  Also, those serious about 
fingerprint biometric systems will use a combination of PIN and print, or smart card and print, like the Precise 
Biometrics (TM) device.  Other models of print reading devices go further with an on-card certificate on smart media 
combined with a fingerprint.  Beyond PINs and prints, other systems register 10 prints and pick one randomly, or select 
two randomly, and the user must supply prints from the requested fingers.  All of these have/know systems are more 
secure than the "have" systems where you only present what you have physically.  Any secure system will combine "have" 
and "know" methods for truer authentication.

Also worthy of note is that the easiest way to authenticate to some user's account is to find a user with a true whorl 
print where there are no distinguishing starts and stops in the lines of the print, or where the print is a pure loop with 
no minutiae.  This allows someone with a similar print to log in nearly every time.  Most print scanners use end-point 
comparison, and where there are no end points many of the algorithms break down.  They will either not let the initial 
user enroll, because the algorithm returns bad results if their print doesn't have enough distinguishing points, or they 
will enroll the user and allow any person with a similar print to log in.

Also interesting is a programmatic or API-based selection of the algorithm strictness.  All devices will have a 
selectable strictness or tolerance which will allow more false positives or restrict it to the point (1/10,000,000) 
where even the original user has a difficult time logging in.  To be usable, most algorithms are turned down to 
1/10,000 based on the application developer's desire for the user not to be frustrated by false rejections.  

Having tried the glue method and print-dust and other methods to fool the devices I've not seen a successful login even 
on the less sophisticated devices.  But the important make or break from the computer security perspective is the level 
of effort needed to fool the device.  Compared to passwords biometric devices take more effort to fool.

As noted in the previous post, retina scanners provide much stronger authentication but are only moderately practical.  

Most computer users have an aversion to biometrics as a means of authentication making widespread use unlikely for at 
least a few more years.

I have yet to see someone fake their way through a print reader but I have to say I'd pay money to see someone make a 
rubber or gummy bear finger and take it to work.

David Cross, CISSP
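The two mechanisms the post above describes, refusing to enroll a print with too few distinguishing points and a selectable strictness that trades false accepts against false rejects, as an added example in Python (not code from the poster, nor from any reader vendor's SDK).  The minutiae representation, the enrollment floor, the position and angle tolerances and the constructed probe sets are all assumptions made for illustration; a real matcher also aligns the probe to the template and scores far more than endpoint coincidence.

```python
"""Toy minutiae-based fingerprint matcher.  Example code added to this archive
page, not from any vendor SDK or from the posters.  Illustrates refusing a
low-detail print at enrollment and the false-accept / false-reject trade-off
of a tunable threshold.  All data below is constructed; no real prints."""
import math
import random
from dataclasses import dataclass

MIN_MINUTIAE = 12             # assumed enrollment floor
POS_TOL = 6.0                 # assumed position tolerance (sensor pixels)
ANGLE_TOL = math.radians(20)  # assumed ridge-direction tolerance


@dataclass(frozen=True)
class Minutia:
    x: float
    y: float
    angle: float  # ridge direction in radians
    kind: str     # "ending" or "bifurcation"


class EnrollmentError(ValueError):
    """Print has too few distinguishing points to enroll."""


def enroll(minutiae):
    """A pure whorl or loop with few ridge endings gives the matcher almost
    nothing to compare, so refuse it instead of enrolling a weak template."""
    if len(minutiae) < MIN_MINUTIAE:
        raise EnrollmentError(f"{len(minutiae)} minutiae, need {MIN_MINUTIAE}")
    return tuple(minutiae)


def _angle_diff(a, b):
    d = abs(a - b) % (2 * math.pi)
    return min(d, 2 * math.pi - d)


def match_score(template, probe):
    """Fraction of template minutiae with an unused, same-kind probe minutia
    within POS_TOL and ANGLE_TOL.  Greedy one-to-one pairing; the probe is
    assumed already registered (no rotation/translation search)."""
    unused = list(probe)
    hits = 0
    for t in template:
        best, best_d = None, POS_TOL
        for p in unused:
            d = math.hypot(t.x - p.x, t.y - p.y)
            if (p.kind == t.kind and d <= best_d
                    and _angle_diff(t.angle, p.angle) <= ANGLE_TOL):
                best, best_d = p, d
        if best is not None:
            unused.remove(best)
            hits += 1
    return hits / len(template)


def verify(template, probe, threshold):
    """The strictness knob: raising it rejects more impostors and more
    genuine placements alike."""
    return match_score(template, probe) >= threshold


# ---- constructed data --------------------------------------------------
def synth_print(seed, n=20):
    """A random 'finger' on a 200x200 sensor (constructed, not real)."""
    rng = random.Random(seed)
    return [Minutia(rng.uniform(0, 200), rng.uniform(0, 200),
                    rng.uniform(0, 2 * math.pi),
                    rng.choice(["ending", "bifurcation"]))
            for _ in range(n)]


def genuine_placement(minutiae, seed):
    """Same finger placed again: small shifts, up to five minutiae lost."""
    rng = random.Random(seed)
    out = [Minutia(m.x + rng.uniform(-4, 4), m.y + rng.uniform(-4, 4),
                   m.angle + rng.uniform(-math.radians(10), math.radians(10)),
                   m.kind) for m in minutiae]
    for _ in range(rng.randrange(0, 6)):
        out.pop(rng.randrange(len(out)))
    return out


def similar_print(template, shared, seed):
    """A different finger that happens to share `shared` minutiae."""
    return list(template[:shared]) + synth_print(seed, len(template) - shared)


def error_rates(template, genuine, impostors, threshold):
    """(FAR, FRR) at one threshold over the constructed probe sets."""
    far = sum(verify(template, p, threshold) for p in impostors) / len(impostors)
    frr = sum(not verify(template, p, threshold) for p in genuine) / len(genuine)
    return far, frr


def sweep(thresholds=(0.5, 0.7, 0.8, 0.9, 0.97)):
    finger = synth_print(1)
    template = enroll(finger)
    genuine = [genuine_placement(finger, s) for s in range(100, 120)]
    impostors = [similar_print(template, k, s)
                 for k, s in ((6, 201), (10, 202), (14, 203), (0, 204))]
    return {t: error_rates(template, genuine, impostors, t) for t in thresholds}


if __name__ == "__main__":
    try:
        enroll(synth_print(7, n=5))
    except EnrollmentError as e:
        print("enrollment refused:", e)
    for t, (far, frr) in sweep().items():
        print(f"threshold {t:.2f}: FAR {far:.2f}  FRR {frr:.2f}")
```

Running the script prints the refused five-minutia enrollment and one FAR/FRR line per threshold; the trade-off the post describes shows up as FAR falling and FRR rising as the threshold is turned up, with the "similar print" impostors that share most of their minutiae passing at the loose settings.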



-----Original Message-----
From: Philip Stortz [mailto:security.madscientist () earthlink net] 
Sent: Thursday, January 29, 2004 1:52 AM
To: vuln-dev () securityfocus com
Subject: Re: Hacking USB Thumbdrives, Thumbprint authentication

It's easier than that: a researcher has shown that it's trivial to make a "fake" fingerprint work. He
did the work several years ago and has since commented that with current technology it could be done
in as little as a few hours. The really, really sad thing: in most cases you can lift the
"authorized" fingerprint right off the fingerprint checker! If not, it will still be on the device
or nearby keyboard. Check the Crypto-Gram reprints; it's also an excellent list to subscribe to!
 
The researcher had no problem even fooling readers that claim to be able to detect a "live"
fingerprint, and explains how to fool other types of scanners that people may come up with.
Fingerprints are worthless for authentication, possibly worse than voice, as the fingerprints that
need to be faked are persistent on surfaces, so that even the cleaning people could do it, not just
someone who works in the same office during normal hours, and a private office offers no protection
in this case.

Basically you lift the fingerprint, scan it, and reproduce it in the type of gelatin
used to make gummy bears (could easily be done with gummy bears, and you could eat the evidence!).
This worked for optical and conductive sensors, and would likely also work for capacitive sensors,
though you might have to dope it or adjust the moisture content. To make the gummy bear type
gelatin finger, you make a reverse image with photolithography on a circuit board, which is the way
hobbyists make them, and the supplies are widely available, and use that to form the fake "finger
tip" with fingerprint. It's a scam, like many, many security technologies.

You're probably better off just putting them in a locking desk drawer, and I'm sure a lot of tech
savvy people and students are smart enough to figure it out even if they haven't read the paper,
and obviously there are many possible variations, hell, wax or any number of other things, and if
they aren't conductive, making them so isn't a problem with conductive paint, which again would
probably make them fool capacitive or conductive sensors!

Note that in the original Japanese researcher's paper he was easily able to get nearly 100%
recognition of his fake fingers. The methods in the previously mentioned Australian paper were
primitive by comparison. Normally, you'd just add your contrast (toner is actually excellent for
this!), gently brush off the extra (it's easy; as a kid I had a toy fingerprint kit), and then apply
a piece of Scotch tape. This tape can then be put directly on the surface of a scanner (clean the
glass afterwards) and scanned at the correct scale and a very high resolution. Typically touch-up
isn't even necessary, though it might help on the tricky ones. Also, some of the countermeasures
they suggest would not be workable: a pressed finger has little pulse (particularly in some people),
and I don't think you can measure blood sugar or pulse except by transmission of a beam through it,
which would make things more bulky, and putting a thin fake fingerprint over your finger would
still work. Testing for sugar could certainly be fooled just by adding a trace of sugar to the fake
finger, and pulse by gently and rhythmically pressing on it. I'd really recommend the original
paper; sorry I don't have the link handy.

Also, the originally used gelatin, which is more like that used in "gummy bears", is far thicker and
more tolerant to room temperature and handling (apparently common in Japan, and likely in Japanese
food stores, or from gummy bears in a pinch); you could make a thin one and glue it to your finger and
most wouldn't notice it without taking a close look. In fact, since the circuit board is made by
photolithography, you could use the tape directly on the sensitized PC board, but sticking it to a
transparency and scanning it gives you more than one chance, and it's a lot easier to carry the print
on tape if it's stuck to something, something clear in this case.

Note also that in this case, unlike cracking the case on the thumb drive, the culprit can not only
read the data but is also free to modify it! This could be even more serious than a third party
having the data if it were done in a subtle way that would cause later embarrassment, or, if it's a
design for something, it could completely derail a project and make it very hard to recover the
original correct data, etc. If there's any code on it they could even conceivably introduce a virus
that gave them access over the web or internal network to everything on the machine and thumb drive.
 

The military decided long, long ago that the only "secure" biometric system is retina prints,
because no one can see or photograph those other than your ophthalmologist or someone else who has
your consent or can look INTO your eyes and photograph the blood vessels in the retina, which of
course are normally not visible to the outside world.

Have you seen "Gattaca"? Fingerprints are a lot easier, and retina scans are simply impractical for
most applications until the equipment becomes a lot cheaper (though I doubt you could fake those
with a real eye; with a glass eye you could, but not cheaply).

Finally, it's silly to use fingerprints in addition to other measures; they just don't add that much
for the cost involved.

m e wrote:

I'm interested in research regarding hacking USB drives
unlocked with a thumbprint
