Bugtraq mailing list archives

RE: Hacking USB Thumbdrives, Thumbprint authentication


From: markus-1977 () gmx net
Date: Wed, 4 Feb 2004 19:37:50 +0100 (MET)

Hey,

I've been working with fingerprint authentication devices for over 9 years
now. The basis for the research quoted on cracking these devices is weak.
Is it possible to devise a way to fool fingerprint readers, given enough
time, gummy bears and glue? It may be possible, but having tested the
devices over a number of years I can say that it is very difficult. By the
time a person was able to do lithography and form a "gummy finger" of some
type, their password could have been stolen hundreds of times over by a
hardware key-logger or socially engineered.

There are a few things that are very disturbing about Biometrics (even with
a better reader), though:

a) Biometrics are not secrets (I leave my fingerprint everywhere); retinas
are readable from some distance... Where do you get a new thumbprint when it
gets compromised? Yes, for good security it should be "know" and "have", but
look at what's going on in practice: they want to introduce fingerprints in
passports - why not have a PIN as well?

b) Security depends a lot on the reader, i.e. the "life-detection". Just
what will happen when all the countries agree on having fingerprints in the
passports? Will the readers in some third-world countries be as secure as in the
US/EU? What will happen when somebody can fake my entry into some country? Or
assume it will be used for payment or something like that... Will all the
readers be secure enough to detect gummy fingers? A PIN pad, on the other hand,
is relatively simple...

c) Biometrics are always a "fuzzy comparison". If I have a PIN, it's either
correct or not. If the PIN/password is difficult enough, I can encrypt stuff
with it. If only a hash is stored, then the device will not "know" the correct
password to decrypt my secrets but can verify that the user knows it.
Biometrics, on the other hand, always compare to a reference stored somewhere. The
reference is in the clear, because (to the best of my knowledge) there is no
hash function out there that will hash your fuzzy fingerprint to a constant
value if it accepts and to something random if it rejects. That means that data
on the thumbdrives is most likely not "encrypted" with your fingerprint. Most
likely it will make some comparison and then allow or deny access. There is
some work in progress to extract keys from fingerprints, though. However,
it'll take some time until we find this in products...

Markus

-- 
The early bird gets the worm. If you want
something else for breakfast, get up later.
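The three storage models that point (c) above contrasts, as an added illustration that is not part of Markus's post: a PIN verified against a salted hash (and usable as key material), a biometric matched against a cleartext reference by distance threshold, and the kind of "key extracted from a fingerprint" construction the post says was still work in progress, here the fuzzy commitment scheme of Juels and Wattenberg (1999). Templates are constructed toy bit vectors, not a real minutiae format; the repetition code, block size and sample data are assumptions chosen for readability, not anything from the post or from any product.

```python
import hashlib
import os
import secrets

ITERATIONS = 100_000

# ---------- 1. PIN/password: exact match, only a hash is stored ----------
def enroll_pin(pin: str) -> dict:
    """Store a salted PBKDF2 digest; the device cannot recover the PIN from it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}

def verify_pin(record: dict, pin: str) -> bool:
    """Accept only the exact PIN (constant-time comparison of the digests)."""
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), record["salt"], ITERATIONS)
    return secrets.compare_digest(digest, record["digest"])

def pin_to_key(pin: str, salt: bytes) -> bytes:
    """Key derived from the PIN itself: the exact PIN is needed to decrypt."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS, dklen=32)

# ---------- 2. Biometric: fuzzy comparison against a stored reference ----------
def hamming(a: list, b: list) -> int:
    """Number of differing bit positions between two equal-length bit vectors."""
    return sum(x != y for x, y in zip(a, b))

def biometric_match(reference: list, sample: list, max_errors: int) -> bool:
    """The comparable reference must be kept; acceptance is a distance threshold."""
    return hamming(reference, sample) <= max_errors

# ---------- 3. Fuzzy commitment: a random key locked under a noisy template ----------
REP = 5  # assumed repetition code: each key bit is written REP times

def encode(key_bits: list) -> list:
    return [b for b in key_bits for _ in range(REP)]

def decode(codeword_bits: list) -> list:
    """Majority vote per block corrects up to (REP-1)//2 errors in that block."""
    out = []
    for i in range(0, len(codeword_bits), REP):
        block = codeword_bits[i:i + REP]
        out.append(1 if 2 * sum(block) > REP else 0)
    return out

def bits_to_bytes(bits: list) -> bytes:
    return int("".join(map(str, bits)), 2).to_bytes((len(bits) + 7) // 8, "big")

def lock(template: list, key_bits: list) -> tuple:
    """Return (helper data, hash of key). Only these two values are stored;
    the raw template is not. Secrecy relies on a high-entropy template."""
    codeword = encode(key_bits)
    if len(codeword) != len(template):
        raise ValueError("template length must equal len(key_bits) * REP")
    helper = [c ^ t for c, t in zip(codeword, template)]
    return helper, hashlib.sha256(bits_to_bytes(key_bits)).digest()

def unlock(helper: list, key_hash: bytes, sample: list):
    """Return the key bytes if the sample is close enough to the enrolled
    template, else None: a constant value on accept, nothing on reject."""
    noisy_codeword = [h ^ s for h, s in zip(helper, sample)]
    key_bits = decode(noisy_codeword)
    if not secrets.compare_digest(
            hashlib.sha256(bits_to_bytes(key_bits)).digest(), key_hash):
        return None
    return bits_to_bytes(key_bits)

def flip(bits: list, positions: list) -> list:
    """Constructed 'noisy reading': flip the given bit positions."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out

if __name__ == "__main__":
    rec = enroll_pin("4711")
    print("PIN ok:", verify_pin(rec, "4711"), "wrong:", verify_pin(rec, "4712"))
    template = [(i * 7) % 3 % 2 for i in range(80)]          # constructed toy template
    key_bits = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]
    helper, khash = lock(template, key_bits)
    print("unlock, small noise:", unlock(helper, khash, flip(template, [0, 7, 13, 22])))
    print("unlock, too much noise:", unlock(helper, khash, flip(template, [0, 1, 2])))
```

The point of part 3 is the contrast with part 2: with fuzzy commitment the device stores helper data and a key hash rather than a comparable reference, and a reading within the code's error tolerance yields the same key every time, so the drive's contents could genuinely be encrypted under it. The repetition code here is deliberately the simplest possible; a real scheme would use a stronger error-correcting code and would have to account for the entropy the helper data leaks about the template.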

