Welcome

Conclusion

The last few paragraphs may have left you with the impression that while I couldn't crack the final version of the stick, I still think it's a pile of insecure rubbish. It may then come to you as a surprise that I actually think this stick is quite usable to store secret or private documents on it. Security isn't a black-and-white matter: everything that's protected can be cracked one way or another. The idea of security is to make it more expensive to crack the protection than it is to obtain the secured data another way. When looked at it this way, it becomes apparent that some quite big secrets can be stored inside the BioSlimDisk before it gets interesting to crack it.

Another good thing is that when I informed Ritech about the loop-hole allowing just one latent fingerprint to unlock the complete stick, Ritech mailed me back that they modified their firmware to use multiple strings of private data, one for each enrolled fingerprint. The new firmware should be available at the end of October 2007. I have to say that has to be the quickest response to a vulnerability I've seen since I began cracking USB-sticks.

All in all: I think the BioSlimDisk Signature is a good way to store your private or secret data. Just make sure to swipe your finger over the sensor after use, as indicated in the manual, and don't use it to store any nuclear secrets.

« Prev 5 

14 comments

Rena wrote at 4 Aug 2013, 8.38:

Interesting, you say you were able to read (and presumably write) the desoldered NAND, and the firmware was stored on it in plain text? That sounds like a fairly large hole... otherwise, it's nice to hear the vendor takes security seriously, but sounds like they need to up the physical security, so it's not so easy to break open the stick without ruining it, and just connect the reader to a PC and extract the secret strings (even if you need fingers to do that).

Peter wrote at 10 Jan 2011, 19.00:

Nice reading. Could you please provide some more info about NAND reader hardware and software.

Simon wrote at 17 Apr 2009, 10.54:

Hi! I was wondering whether you could provide any information on your 'NAND Reader' ? Thanks!

joed wrote at 5 Oct 2008, 6.43:

whats the unit cost?

usb_adam wrote at 10 Sep 2008, 22.01:

Well, after reading tweakers.net and over here in the beginning of this year. I have then decided to get one myself. My comments are: 1) user friendliness (way so easy to use) 2) biometrics (modern technology, I'm happy to have my one keys naturally) 2) dual authentication (I couldn't find others... "none") 3) quality (nice special coating, you know what I mean when you have one and light weighted too) 4) hardware encryption (thought it's AES 128-bit, it's good enough with its additional amazing features) cheers

Sprite_tm wrote at 24 Aug 2008, 10.45:

Rumpt: I just re-read my docs and I call bullshit. The UPEK-sensor has two ways of storing data alongside the fingerprint: the public data (which is readable at all times) and the payload (which is only revealed when the sensor detects the correct fingerprint). With PTListAllFingers, you can get only the public data, which is worthless if your goal is to unlock the data on the NAND: you'll need the payload for that.

Sprite_tm wrote at 24 Aug 2008, 10.27:

Rumpt/BioFan: Are you absolutely sure that PTListAllFingers works on the BioSlimDisks UPEK-sensor too? Iirc, the docs I found for that device had no way to get to the application data aside from first entering the right fingerprint.

Rumpt wrote at 24 Aug 2008, 3.03:

The author stop short of telling the whole story. All he needs is small step forward which he can create a general Signature hacking too which uses only an 8-bit processor with 2 UARTs. In Signature, PIC is connected to UPEK processor by UART. First you need to monitor the signals by oscillocope on the exposed PINs. Next you choose a processor(A) with 2 UARTs. Cut the PIC connection to UPEK processor which can be done without any effort. Next connect UART1 of processor A to PIC and UART2 of processor A to UPEK processor through the exposed PINs that were cut earlier. Send PTListAllFingers command to UPEK processor via UART2 to retrive private data. Then do replay attack via UART1 to PIC processor. You will get all data in the NAND flash intact. The C code that we had written in Processor A is less than 100 lines. It took us less than 5 hours for the first effort. You can use this generic code to crack the remaining Signature. Time including open up the casing and hacking is about 15 minutes. Therefore there is no security in this device. In addition, there are 2 easier ways to hack this device too.

BioFan wrote at 18 Jul 2008, 7.36:

You can retrieve UPEK-chipset's 'private data storage' by PT ListAllFingers. So it's still a piece of cake to hack. You can come out with a generic hacking tool which allow you to hack automatically

NdK wrote at 11 Jun 2008, 8.54:

Good job! Some interesting techniques to crack PICs (and others "secure" uC) have been used by Ross Anderson. You can find'em at: http://www.cl.cam.ac.uk/~rja14/ (search for "microcontroller" or "low cost attacks on tamper-resistant devices", about half page down). If the opponent is really determined, a PIC will reveal its EEPROM contents in 10min to 10hr. So better not trust that device for secrets that have to "live" more than a day or two... if enough money is involved.

Good wrote at 13 Nov 2007, 9.36:

Wonderful job. Anymore coming up??

The_Incredible wrote at 1 Nov 2007, 16.06:

Good job finding such portable usb fingerprint stick. With multiple fingerprint entry its way cool! Wonderful stick is my comment. :)

nemesis wrote at 1 Nov 2007, 2.13:

Very very nice article! Finally, you found a secure stick out there! Good work!

JoeJoe wrote at 31 Oct 2007, 15.49:

Hooray! You've returned with a nicely written article :) Well done!.. (The captcha's are rather difficult, could you perhaps make an audible alternative?)

Leave a comment:

Your name:

What does this picture say?
Sorry, this is a captcha

Your comment:


© 2006-2022 Sprite_tm - Contact