Vulnerability Development mailing list archives

Re: Hacking USB Thumbdrives, Thumprint authentication


From: Philip Stortz <security.madscientist () earthlink net>
Date: Thu, 29 Jan 2004 02:52:23 -0600

It's easier than that. A researcher has shown that it's trivial to make a "fake" fingerprint work; he
did the work several years ago and has since commented that with current technology it could be done
in as little as a few hours.  The really, really sad thing: in most cases you can lift the
"authorized" fingerprint right off the fingerprint checker!  If not, it will still be on the device
or a nearby keyboard.  Check the Crypto-Gram reprints; it's also an excellent list to subscribe to!
 
The researcher had no problem even fooling readers that claim to be able to detect a "live"
fingerprint, and he explains how to fool other types of scanners that people may come up with.
Fingerprints are worthless for authentication, possibly worse than voice, as the fingerprints that
need to be faked are persistent on surfaces, so that even the cleaning people could do it, not just
someone who works in the same office during normal hours, and a private office offers no protection
in this case.

Basically you lift the fingerprint, scan it, and reproduce it in the type of gelatin used to make
gummy bears (it could easily be done with gummy bears, and you could eat the evidence!).  This worked
for optical and conductive sensors, and would likely also work for capacitive sensors, though you
might have to dope it or adjust the moisture content.  To make the gummy-bear-type gelatin finger,
you make a reverse image with photolithography on a circuit board, which is the way hobbyists make
them, and the supplies are widely available, and use that to form the fake "fingertip" with
fingerprint.  It's a scam, like many, many security technologies.

You're probably better off just putting them in a locking desk drawer, and I'm sure a lot of
tech-savvy people and students are smart enough to figure it out even if they haven't read the paper,
and obviously there are many possible variations, hell, wax or any number of other things, and if
they aren't conductive, making them so isn't a problem with conductive paint, which again would
probably make them fool capacitive or conductive sensors!

Note that in the original Japanese researchers' paper he was easily able to get nearly 100%
recognition of his fake fingers.  The methods in the previously mentioned Australian paper were
primitive by comparison.  Normally, you'd just add your contrast (toner is actually excellent for
this!), gently brush off the extra (it's easy; as a kid I had a toy fingerprint kit), and then apply
a piece of Scotch tape.  This tape can then be put directly on the surface of a scanner (clean the
glass afterwards) and scanned at the correct scale and a very high resolution.  Typically touch-up
isn't even necessary, though it might help on the tricky ones.  Also, some of the countermeasures
they suggest would not be workable: a pressed finger has little pulse (particularly in some people),
and I don't think you can measure blood sugar or pulse except by transmission of a beam through it,
which would make things more bulky, and putting a thin fake fingerprint over your finger would
still work.  Testing for sugar could certainly be fooled just by adding a trace of sugar to the fake
finger, and pulse by gently and rhythmically pressing on it.  I'd really recommend the original
paper; sorry, I don't have the link handy.

Also, the originally used gelatin, which is more like that used in "gummy bears", is far thicker and
more tolerant of room temperature and handling (apparently common in Japan, and likely in Japanese
food stores, or from gummy bears in a pinch); you could make a thin one and glue it to your finger
and most wouldn't notice it without taking a close look.  In fact, since the circuit board is made by
photolithography you could use the tape directly on the sensitized PC board, but sticking it to a
transparency and scanning it gives you more than one chance, and it's a lot easier to carry the
print on tape if it's stuck to something, something clear in this case.

Note also that in this case, unlike cracking the case on the thumb drive, the culprit can not only
read the data but is also free to modify it!  This could be even more serious than a third party
having the data if it were done in a subtle way that would cause later embarrassment, or if it's a
design for something it could completely derail a project and make it very hard to recover the
original correct data, etc.  If there's any code on it they could even conceivably introduce a virus
that gave them access over the web or internal network to everything on the machine and thumb drive.
 

The military decided long, long ago that the only "secure" biometric system is retina prints,
because no one can see or photograph those other than your ophthalmologist or someone else who has
your consent or can look INTO your eyes and photograph the blood vessels in the retina, which of
course are normally not visible to the outside world.

Have you seen "Gattaca"?  Fingerprints are a lot easier, and retina scans are simply impractical for
most applications until the equipment becomes a lot cheaper (though I doubt you could fake those
with a real eye; with a glass eye you could, but not cheaply).

Finally, it's silly to use fingerprints in addition to other measures; they just don't add that much
for the cost involved.

m e wrote:

I'm interested in research regarding hacking USB drives
unlocked with a thumbprint
