Penetration Testing mailing list archives

Re: Hacking USB Thumbdrives, Thumprint authentication
From: "Volker Tanger" <volker.tanger () discon de>
Date: Tue, 27 Jan 2004 09:31:34 +0100


On Mon, 26 Jan 2004 14:43:12 -0500 "Deras, Angel R./Information Systems"
<derasa () MSKCC ORG> wrote:
> When we investigated fingerprinting products, two colleagues cracked
> the system by using a paper photocopy of a finger.

There's an even less technical approach presented ~ a year ago by the
German c't magazine (http://www.heise.de/ct/02/11/114/default.shtml),
that worked with a surprising number of the fingerprint readers: first
you clean the reader (with a bit of wet/soapy cloth) and wait for a user
to authenticate. After he left, you simply log in by aspirating against
the reader...

Probable explanation: each finger pressed against the reader leaves some
greasy residue behind - in the form of a fingerprint. By aspirating,
water vapor condenses (preferably) at the non-greasy parts (fat and
water don't mix) - in the form of a valid fingerprint. Warm breath seems
to confirm the life detection - et voilà!

Scary - but seemed to be sufficient for a number of devices...

Volker Tanger

