Re: Hacking USB Thumbdrives, Thumprint authentication

From: Volker Tanger (volker.tanger@discon.de)
Date: Tue Jan 27 2004 - 03:31:34 EST


Greetings!

On Mon, 26 Jan 2004 14:43:12 -0500 "Deras, Angel R./Information Systems"
<derasa@MSKCC.ORG> wrote:
> When we investigated fingerprinting products, two colleagues cracked
> the system by using a paper photocopy of a finger.

There's an even less technical approach presented ~ a year ago by the
German c't magazine (http://www.heise.de/ct/02/11/114/default.shtml),
that worked with a surprising number of the fingerprint readers: first
you clean the reader (with a bit of wet/soapy cloth) and wait for a user
to authenticate. After he left, you simply login by aspirating against
the reader...

Probable explanation: each finger pressed against the reader lets some
greasy residue left behind - in the form of a fingerprint. By aspirating
water vapor condenses (preferrably) at the non-greasy parts (fat and
water don't mix) - in the form of a valid fingerprint. Warm breath seems
to confirm the life detection - et volia!

Scary - but seemed to be sufficient for a number of devices...
:-(

Volker Tanger
ITK-Security

---------------------------------------------------------------------------
----------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:46 EDT