Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Hacking USB Thumbdrives, Thumprint authentication
From: "Craig Pringle" <craig () pringle net nz>
Date: Mon, 26 Jan 2004 16:45:37 +1300 (NZDT)

I suspect that this device would be vulnerable to Dr. Tsutomu Matsumoto's
"Gummy Finger" attack as described here (the article is talking about
defeating a different type of device, but the gummy finger bit probably
applies):
http://www.bromba.com/knowhow/idm4vul.htm

Dr. Matsumoto's full presentation is a good read on the subject and is
available here:http://www.itu.int/itudoc/itu-t/workshop/security/present/s5p4.pdf

(If you actually try this I would be interested to hear how you get on!)

HTH,

Craig


I'm interested in research regarding hacking USB drives
unlocked with a thumbprint

http://www.thumbdrive.com/prd_info.htm

Or any thumbprint biometric hacking.

Client is considering USB drives to offload laptop data
and at first glance seems like a better solution
than keeping sensitive data on laptops. Encryption software
on laptops requires more password management and software
hassles. The above device has no software drivers to install
so deployment headaches are minimized with (what seems) like
better security (obviously not maximum security) at low
deployment cost.

I'm guessing one can take the flash chip off the device
and plug into regular USB drive. Or rewrite the thumbprint hash.
Or hacks to fool the drivers. Or reverse engineer the
login program to always return "Yes".

Thanks,
dreez
mje () secev com





---------------------------------------------------------------------------
---------------------------------------------------------------------------->
+*




---------------------------------------------------------------------------
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]