Vulnerability Development mailing list archives
RE: Hacking USB Thumbdrives, Thumprint authentication
From: <David.Cross () ngc com>
Date: Tue, 3 Feb 2004 13:22:15 -0700
I've been working with fingerprint authentication devices for over 9 years now. The basis for the research quoted on cracking these devices is weak. Is it possible to devise a way to fool fingerprint readers?... given enough time, gummy bears and glue? It may be possible but having tested the devices over a number of years I can say that it is very difficult. By the time a person was able to do lithography and form a "gummy finger" of some type their password could have been stolen hundreds of times over by a hardware key-logger or socially engineered. Also it would be fair to note that some newer thumb print devices read ridges under the surface of the skin. Other devices read temperature as well as the print itself. Silicon sensors register wetness as a factor as well by returning a bad result if the print is not moist or is too moist. (not the $65 readers) Also those serious about finger print biometric systems will use a combination of pin and print or smart card and print like the Precise Biometrics (TM) device. Other models of print reading devices go further with an on-card certificate on smart media combined with a finger print. Beyond pin's and prints other systems register 10 prints and pick one randomly or select two randomly and the user must supply prints from the requested fingers. All of these have/know systems are more secure than the "have" systems where you only present what you have physically. Any secure system will combine "have" and "know" methods for truer authentication. Also worthy of note is that the easiest way to authenticate to some user's account is to find a user with a true whorl print where there are no distinguishing starts and stops in the lines of the print or where the print is pure loop with no minutia. This allows someone with a similar print to log in nearly every time. Most print scanners use end-point comparison and where there are no end points many of the algorithms break down. They will either not let the initial user enroll because the algorithm returns bad results if their print doesn't have enough distinguishing points or they will enroll the user and allow any person with a similar print to log in. Also interesting is a programmatic or API based selection of the algorithm strictness. All devices will have a selectable strictness or tolerance with will allow more false positives or restrict it to the point (1/10,000,000) where even the original user has a difficult time logging in. To be useable most algorithms are turned down to 1/10,000 based on the application developers desire for the user not to be frustrated by false rejections. Having tried the glue method and print-dust and other methods to fool the devices I've not seen a successful login even on the less sophisticated devices. But the important make or break from the computer security perspective is the level of effort needed to fool the device. Compared to passwords biometric devices take more effort to fool. As noted in the previous post retina scanners provide much stronger authentication but are only moderately practical. Most computer users have an aversion to biometrics as a means of authentication making widespread use unlikely for at least a few more years. I have yet to see someone fake their way through a print reader but I have to say I'd pay money to see someone make a rubber or gummy bear finger and take it to work. David Cross, CISSP -----Original Message----- From: Philip Stortz [mailto:security.madscientist () earthlink net] Sent: Thursday, January 29, 2004 1:52 AM To: vuln-dev () securityfocus com Subject: Re: Hacking USB Thumbdrives, Thumprint authentication it's easier than that, a researcher has show that it's trivial to make a "fake" fingerprint work, he did the work several years ago and has since commented that with current technology it could be done in as little as a few hours. the really, really sad thing, in most cases you can lift the "authorized" fingerprint right off the finger print checker! if not it will still be on the device or nearby keyboard. check the cryptogram reprints, it's also an excellent list to subscribe to! the researcher had no problem even fooling readers that claim to be able to detect a "live" fingerprint, and explains how to fool other types of scanners that people may come up with. fingerprints are worthless for authentication, possibly worse than voice as the fingerprints that need to be faked are persistent on surfaces so that even the cleaning people could do it, not just someone who works in the same office during normal hours, and a private office offers no protection in this case. basically you lift the fingerprint, scan it, and reproduce it in the type of gelatin used to make gummy bears (could easily be done with gummy bears, and you could eat the evidence!). this worked for optical and conductive sensors, and would likely also work for capacitive sensors though you might have to dope it or adjust the moisture content. to make the gummy bear type gelatin finger, you make a reverse image with photolithography on a circuit board, which is the way hobbyist make them, and the supplies are widely available, and use that to form the fake "finger tip" with finger print. it's a scam, like many, many security technologies. you're probably better off just putting them in a locking desk draw, and i'm sure a lot of tech savvy people and students are smart enough to figure it out even if they haven't read the paper, and obviously there are many possible variations, hell, wax or any number of other things, and if they aren't conductive, making them so isn't a problem with conductive paint which again would probably make them fool capacitive or conductive sensor! note that in the original japanese researchers' paper he was easily able to get nearly 100% recognition of his fake fingers. the methods in the previously mention australian paper were primitive by comparison. normally, you'd just add your contrast (toner is actually excellent for this!), gently brush off the extra (it's easy, as a kid i had a toy fingerprint kit), and then apply a piece of scotch tape. this tape can then be put directly on the surface of a scanner (clean the glass afterwards) and scan at the correct scale and a very high resolution. typically touch up isn't even necessary though it might help on the tricky ones. also some of the counter measures they suggest would not be workable, a pressed finger has little pulse (particularly in some people) and i don't think you can measure blood sugar or pulse except by transmission of a beam through it which would make things more bulky, and putting a thin fake fingerprint over your' finger would still work. testing for sugar could certainly be fooled just by adding a trace of sugar to the fake finger, and pulse by gently and rhythmically pressing on it. i'd really recommend the original paper, sorry i don't have the link handy. also the originally used gelatin which is more like that used in "gummy bears" is far thicker and more tolerant to room temperature and handling (apparently common in japan, and likely Japanese food stores, or from gummy bears in a pinch), you could make a thin one and glue it to your finger and most wouldn't notice it without taking a close look. in fact, since the circuit board is made by photolithography you could use the tape directly on the sensitized pc board, but sticking it to a transparency and scanning it gives you more than one chance and it's a lot easier to carry the print on tape if it's stuck to something, something clear in this case. note also that in this case, unlike cracking the case on the thumb drive, the culprit can not only read the data but is also free to modify it! this could be even more serious than a third party having the data if it were done in a subtle way that would cause later embarrassment or if it's a design for something it could completely derail a project and make it very hard to recover the original correct data, etc. if there's any code on it they could even conceivably introduce a virus that gave them access over the web or internal network to everything on the machine and thumb drive. the military has decided long, long ago that the only "secure" biometric system is retina prints, because no one can see or photograph those other than your' optomologist or someone else who has your consent or can look INTO your eyes and photograph the blood vessels in the retina which of course is normally not visible to the outside world. have you seen "gataca"? finger prints are a lot easier, and retina scans are simply impractical for most applications until the equipment becomes a lot cheaper (though i doubt you could fake those with a real eye, with a glass eye you could, but not cheaply. finally, it's silly to use fingerprints in addition to other measures, they just don't add that much for the cost involved. m e wrote:
I'm interested in research regarding hacking USB drives unlocked with a thumbprint
m e wrote:
I'm interested in research regarding hacking USB drives unlocked with a thumbprinti
Current thread:
- RE: Hacking USB Thumbdrives, Thumprint authentication David.Cross (Feb 03)
- Re: Hacking USB Thumbdrives, Thumprint authentication Kurt Seifried (Feb 05)
- <Possible follow-ups>
- RE: Hacking USB Thumbdrives, Thumprint authentication David.Cross (Feb 06)
- Re: Hacking USB Thumbdrives, Thumprint authentication Adeel Hussain (Feb 09)