Do you like my hacking? If so, please consider leaving something in the
Fediverse (Mastodon etc): @Sprite_tm@social.spritesmods.com
The last few paragraphs may have left you with the impression that, while I couldn't crack the final version of the stick, I still think it's a pile of insecure rubbish. It may then come as a surprise that I actually think this stick is quite usable for storing secret or private documents. Security isn't a black-and-white matter: everything that's protected can be cracked one way or another. The idea of security is to make it more expensive to crack the protection than it is to obtain the secured data some other way. Looked at this way, it becomes apparent that some quite big secrets can be stored inside the BioSlimDisk before cracking it becomes worthwhile.
Another good thing is that when I informed Ritech about the loophole that allowed a single latent fingerprint to unlock the complete stick, they mailed me back that they had modified their firmware to use multiple strings of private data, one for each enrolled fingerprint. The new firmware should be available at the end of October 2007. I have to say that this is the quickest response to a vulnerability I've seen since I began cracking USB sticks.
All in all, I think the BioSlimDisk Signature is a good way to store your private or secret data. Just make sure to swipe your finger over the sensor after use, as indicated in the manual, and don't use it to store any nuclear secrets.
14 comments
Nice reading. Could you please provide some more info about the NAND reader hardware and software?
Hi! I was wondering whether you could provide any information on your 'NAND Reader' ? Thanks!
What's the unit cost?
Well, after reading tweakers.net and over here at the beginning of this year, I decided to get one myself. My comments are: 1) user friendliness (way so easy to use) 2) biometrics (modern technology, I'm happy to have my own keys naturally) 3) dual authentication (I couldn't find others... "none") 4) quality (nice special coating, you know what I mean when you have one, and lightweight too) 5) hardware encryption (though it's AES 128-bit, it's good enough with its additional amazing features) cheers
Rumpt: I just re-read my docs and I call bullshit. The UPEK-sensor has two ways of storing data alongside the fingerprint: the public data (which is readable at all times) and the payload (which is only revealed when the sensor detects the correct fingerprint). With PTListAllFingers, you can get only the public data, which is worthless if your goal is to unlock the data on the NAND: you'll need the payload for that.
Rumpt/BioFan: Are you absolutely sure that PTListAllFingers works on the BioSlimDisk's UPEK sensor too? IIRC, the docs I found for that device had no way to get to the application data aside from first entering the right fingerprint.
The author stops short of telling the whole story. All he needs is a small step forward, with which he can create a general Signature hacking tool that uses only an 8-bit processor with 2 UARTs. In the Signature, the PIC is connected to the UPEK processor by UART. First you need to monitor the signals by oscilloscope on the exposed pins. Next you choose a processor (A) with 2 UARTs. Cut the PIC connection to the UPEK processor, which can be done without any effort. Next connect UART1 of processor A to the PIC and UART2 of processor A to the UPEK processor through the exposed pins that were cut earlier. Send the PTListAllFingers command to the UPEK processor via UART2 to retrieve the private data. Then do a replay attack via UART1 to the PIC processor. You will get all the data in the NAND flash intact. The C code that we had written for processor A is less than 100 lines. It took us less than 5 hours for the first effort. You can use this generic code to crack the remaining Signatures. Time including opening up the casing and hacking is about 15 minutes. Therefore there is no security in this device. In addition, there are 2 easier ways to hack this device too.
You can retrieve the UPEK chipset's 'private data storage' by PTListAllFingers. So it's still a piece of cake to hack. You can come out with a generic hacking tool which allows you to hack automatically.
Good job! Some interesting techniques to crack PICs (and other "secure" uCs) have been used by Ross Anderson. You can find 'em at: http://www.cl.cam.ac.uk/~rja14/ (search for "microcontroller" or "low cost attacks on tamper-resistant devices", about half a page down). If the opponent is really determined, a PIC will reveal its EEPROM contents in 10 min to 10 hr. So better not trust that device for secrets that have to "live" more than a day or two... if enough money is involved.
Wonderful job. Anymore coming up??
Good job finding such a portable USB fingerprint stick. With multiple fingerprint entry it's way cool! Wonderful stick is my comment. :)
Very very nice article! Finally, you found a secure stick out there! Good work!
Hooray! You've returned with a nicely written article :) Well done! (The captchas are rather difficult; could you perhaps make an audible alternative?)
Interesting, you say you were able to read (and presumably write) the desoldered NAND, and the firmware was stored on it in plain text? That sounds like a fairly large hole... otherwise, it's nice to hear the vendor takes security seriously, but sounds like they need to up the physical security, so it's not so easy to break open the stick without ruining it, and just connect the reader to a PC and extract the secret strings (even if you need fingers to do that).