Tweakers.net recently sent me a BioSlimDisk Signature, a new product from Ritech. Ritech is a manufacturer of fingerprint-secured digital devices, and their BioSlimDisk line consists of USB sticks in various sizes, which all require the owner's fingerprint to get access to the data. In contrast with previous incarnations of the BioSlimDisk, the BioSlimDisk Signature encrypts its data with an industrial-strength AES-128 encryption scheme. That's a nice improvement: the previous incarnations were said to be only protected by a proprietary 'encryption' system, which didn't seem to do much more than swap the locations of the sectors around. With the AES encryption, this little USB stick has the potential to be the first truly secure USB disk I have reviewed. Will this stick live up to its specs? We'll see.
This is what I received: the disk itself plus the cap which protects the fingerprint sensor and the USB connector, a USB extension cord and a lanyard to hang the stick around your neck. No disk with software is needed: one of the nice things about the BioSlimDisk is that it requires no cooperation from the OS to do its job, making it completely OS-independent.
Inspecting the stick a bit closer, a security risk became obvious right away: when you pick up the stick, you'll leave your fingerprints all over it: on the casing as well as on the sensor itself. This would be a vulnerability because one could use that to lift a fingerprint and use that to unlock the stick. In practice, though, measures have been taken against that: while the rubberized exterior of the stick may look like it preserves fingerprints well, an experiment with a jar and some superglue actually proved the fingerprints on the casing much more difficult to lift than on an ordinary piece of plastic. The fingerprint sensor itself is still sensitive to lifting, however; while the user manual usually advises to wipe the sensor with your finger after using it, I can see a lot of users forgetting about that. Luckily you can, in the best case scenario, only lift one fingerprint off the sensor, while the stick needs two to
While I didn't receive a manual with the stick, its usage isn't too hard to figure out, especially if you're already familiar with previous BioSlimDisks: there are 3 LEDs and a sliding switch. In the normal position, the stick won't do much unless you show it the fingers it's familiar with. In contrast with earlier BioSlimDisks, you'll have to show this stick two of your fingerprints. This means an attacker has to lift two fingerprints off the stick if he wants to gain access by imitating the fingers of the user.
After that the stick will announce its presence to the computer it's connected to, and for all intents and purposes behaves itself like a standard USB-stick while it's plugged in. In the 'enroll'-mode, the user can enter up to two administrator-fingerprints and five user-fingerprints into the stick. The administrator-fingerprints will grant access to the enrollment of new fingerprints, while the user-fingerprints will just allow access to the on-disk data.