Do you like my hacking? If so, please consider leaving something in the
Fediverse (Mastodon etc): @Sprite_tm@social. spritesmods.com
Both sticks aren't that bad when looked at from an usability standpoint, but fail at the point of security. Is there still any use for them, then? Well, perhaps as a gimmick: having a fingerprint-scanning device on you at least gives you the opportunity to start a conversation about it: the 007-like topic of biometrics always is an interesting one. For real security, the only thing that can be done safely with the stick is lock your Windows-session: a hacker can't change the software to a hacked version as long as your computer is locked. Unfortunately, if you want any non-snake-oil type of security, that's about all these sticks are good for.
I would like to thank the people from usb-secured.com for their help. First of all, they provided the sticks to us in the knowledge that their security might be broken by me. As soon as I told them that had indeed happened, and confirmed it by sending them the 'secure' contents of a second pair of USB-sticks, they acted very sportsmanlike: 'The sticks were meant to be offered to businesses and resellers. Ofcourse, we won't offer them till everything is order... which unfortunately doesn't seem to be doable in the short term. Potential customers will be informed of the (im)possibilities of the product. We'll take the advice you've given us to heart to be able to create a better-secured stick in the future.' They also told us they would put up a summary of the findings in this article on their webpage shortly.
« Prev 8
10 commentsGreat great great article! Nice hacking job but even better way to explain why it was possible and how a system should be designed to stop such attacks... Congrats!
Have you looked at the U3 based sticks? They seem to be a tad more secure, although they don't offer finger-print security - Their USB chipset handles comparison of the hashed passwords as well as keeping track of number-of-attempts.
After reading your experiment for the 2nd device, it seems that the key is coupled with the fingerprint thus you are only able to retrieve garbage. Would this mean that even spoofing a valid fingerprint signal only can gain you access but data is still secured?
You mentioned something about using the key to encrypt the data, rather than storing the password on the system. Would it be more secure if it used the key to encrypt ALL the data - including program files, but in order to even use the key the biometrics would have to be accepted? Or vice versa - or even a triple-level process - you enter a key that decrypts the biometric process, which, in turn decrypts the next key. Granted, nothing is 100% secure, but I think that /should/ be a little more secure?
It's well possible to derive cryptographic key from fingerprint. But that will not help security much. Biometric security is based on knowledge that biometric data was indeed read from real person, not faked somewhere in transit. And when you derive cryptograpic keys from fingerprints, attacker can get the relevant fingerprint easily (e.g. from something he knows you touched) and derive the exact same key using his own software. Final outcome is that biometric scanners are useful, but only in some very limited scenarios, and encrypting USB sticks isn't one of them.
Great article, rely interesting and fun reading. Reminds me of an old teacher who said –the only way to keep your data safe is to turn it off and locking it into the safe. In my opinion he was wrong there are safecrackers everywhere ;) There is ways to generate a solid key from a fingerprint. That involves using an algorithm to get the positions of certain futures of the print. As I understand it, the problem is that swipe print readers have problem using these algorithms because they get a low quality copy of the print. By the way there were some Japanese scientists who successfully copied real fingerprints using a PCB and gelatin (is that the right word in English?) which would work on all fingerprint readers. The only problem is you need to get the real fingerprint, but that you can get from his beer bottle or where ever ;)
What's sad is the contents of your Tip Jar, These companies pay pathetic developers large sums to design these unsecure devices and you break them with a debugger. Everyone, Donate to this guy... lol
Jeroen, nice article. I read it on tweakers.net in dutch. I think you are an excellent hacker. Your foundings can be useful for many security companies. I find it important for every of those sticks that claime to be failure proof, that a hacker has verified it. Thank you for your time.
Excelent artical
I love your articles..... very usefull info... thanxx