Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Hacking USB Thumbdrives, Thumprint authentication
From: Walter Williams <wbjw () mindspring com>
Date: Mon, 26 Jan 2004 21:42:04 -0500

You will want to verify that the thumbprint is not only hashed, but
morphed either before or after the hash.  This way there is the ability
to periodically change the recording of the thumbprint such as you would
change your password, and for many of the same reasons: if the morph
changes every 30 days, the person who has stollen the hash for cracking
has some random subset of that in which that hash is good.

Most comercial grade biometric devices can't do this, and hacking a
thumb print is rather easy, if you have physical access to the person
(and therefor the laptop).  Requires social engineering skills, that's all.


m e wrote:

I'm interested in research regarding hacking USB drives
unlocked with a thumbprint


Or any thumbprint biometric hacking.

Client is considering USB drives to offload laptop data and at first glance seems like a better solution
than keeping sensitive data on laptops. Encryption software
on laptops requires more password management and software
hassles. The above device has no software drivers to install
so deployment headaches are minimized with (what seems) like
better security (obviously not maximum security) at low
deployment cost.

I'm guessing one can take the flash chip off the device
and plug into regular USB drive. Or rewrite the thumbprint hash.
Or hacks to fool the drivers. Or reverse engineer the
login program to always return "Yes".

mje () secev com



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]