Re: Hacking USB Thumbdrives, Thumprint authentication

[Harlan Carvey <keydet89 () yahoo com>]

There were some articles on SF a bit ago, referring to
the use of household kitchen items (gummy bears) to
"fool" the thumbprint biometric devices.  

My own research about 2 yrs ago showed that while the
thumbprint scanners worked well for local
authentication, they did nothing to protect a system
from being contacted remotely.  If a weak admin (or
any user, for that matter) password is in place, then
the biometric does no good whatsoever. 

Also, there are ways to cause the biometric device to
"malfunction", to the point that the user is
frustrated.  For instance, unseat the connection to
the back of the machine, or break off a pin, or put a
smug on the reader...these will cause enough problems
with the device that the user will grow tired of
dealing with it.

Remember, the thumbprint biometric scanners are not so
much for security, but more for convenience...users
don't often forget their thumbs, whereas they may
forget a password.

> I'm interested in research regarding hacking USB
> drives
> unlocked with a thumbprint
>
> http://www.thumbdrive.com/prd_info.htm
>
> Or any thumbprint biometric hacking.
>
> Client is considering USB drives to offload laptop
> data 
> and at first glance seems like a better solution
> than keeping sensitive data on laptops. Encryption
> software
> on laptops requires more password management and
> software
> hassles. The above device has no software drivers to
> install
> so deployment headaches are minimized with (what
> seems) like
> better security (obviously not maximum security) at
> low
> deployment cost.
>
> I'm guessing one can take the flash chip off the
> device
> and plug into regular USB drive. Or rewrite the
> thumbprint hash.
> Or hacks to fool the drivers. Or reverse engineer
> the
> login program to always return "Yes".
>
> Thanks,
> dreez
> mje () secev com