Home page logo

pen-test logo Penetration Testing mailing list archives

RE: Hacking USB Thumbdrives, Thumprint authentication
From: "Rob Shein" <shoten () starpower net>
Date: Tue, 27 Jan 2004 09:57:02 -0500

Vulnerability #1 in this scenario?  The thumbprint is still on the drive
from when he last touched it.  Dust the print off, scan it, print it and
continue from there.  Some of the fingerprint readers can be triggered just
by cupping your hands around them and breathing on them, causing the print
to fog (and be read).

-----Original Message-----
From: m e [mailto:mje () list intersec com] 
Sent: Tuesday, January 27, 2004 8:58 AM
To: pen-test () securityfocus com
Subject: Re: Hacking USB Thumbdrives, Thumprint authentication

<AE503E4425AA90459FDD5066BCE87E9901DD8B84 () smskpexmbx1 mskcc ro

When we investigated fingerprinting products, two colleagues cracked 
the system by using a paper photocopy of a finger.  They 
placed it on 
the =66ingerprinting pad and pressed it with another finger 
to provide 
the heat that the pad needs to detect.  I was incredulous of their 
account, but after reading the Putte source below, this sounds 

very cool. this i'll try and let you know.

please devil's advocate the following argument.

We are not trying to build a cruise missle to kill a fly.
We want 50% security control that 100% of the people use, not 
100% security control that 50% of the people use.

I can't see a threat scenario where wife copies sales guys 
thumbprint on gummy bear while sales guy is sleeping to get 
a peek at his USB drive. Yes it may happen once a year, but 
chances are they will lose USB device first.

Real vulnerability is sales guy loses USB drive, and Joe 
Six-Pack picks it up and brings it home to his kid. Or leaves 
USB drive at customer site and customer gets curious and 
tries to look at it.

So what are the vulnerabilities in this scenario?



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]