[33621] in bugtraq


Re: Hacking USB Thumbdrives, Thumprint authentication

daemon@ATHENA.MIT.EDU (Eric 'MightyE' Stevens)
Wed Feb 11 16:24:41 2004

Message-ID: <4028E17E.8040804@mightye.org>
Date: Tue, 10 Feb 2004 08:49:50 -0500
From: "Eric 'MightyE' Stevens" <mightye-removethis-@mightye.org>
MIME-Version: 1.0
To: Navaneetharangan <navaneeth@innsolutions.com>
Cc: markus-1977@gmx.net, bugtraq@securityfocus.com
In-Reply-To: <000801c3ec99$c6b073b0$0802a8c0@innsol4>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Navaneetharangan wrote:

>2) With the arrival of optic based fingerprint scanners, the probability
>of getting authenticated on latent fingerprints (or by using a lifted
>fingerprint) is very minimal.
>  
>
This is not true; there has been a fair amount of research done on
creating false fingerprint pads from latent fingerprints, which mostly
consists of defining the oils left behind with, e.g., black printer toner,
capturing a high resolution image of the fingerprint with a digital
camera or scanner, touching up the image as necessary in a photo editing
suite, printing a negative of the fingerprint onto transparency, and
burning a "circuit" with ultraviolet light (common in the home
electronics scene).  This makes a reusable mold into which gelatin can
be poured to make a false finger pad which regularly fools fingerprint
scanners since it is of similar consistency to human fingerprint pads.

The largest covert advantage of the gelatin approach is that the false
pads can be applied almost invisibly over a person's existing finger
pads, and in the event of a panic of the operative, destruction of the
evidence is easy: simply tear off the false pads with your teeth and
consume the gelatin; within seconds there is no more trace as the false
pads completely dissolve.

For more information on this, check out Google: 
http://www.google.com/search?q=defeat+fingerprint+scanner+gelatin

>3) And you can use all the ten fingers of yours for authentication; it
>need not always be your thumbprint alone.
>
>  
>
This is true, and this increases the effort required on the part of the
covert operative in order to capture a successful identification;
however, the underlying problem still exists: once a user's prints are
successfully compromised, they have no opportunity to alter their key
(fingerprints).  If my password is guessed, I can change it.  If my SSH
key is broken, I can change it.  If my fingerprints are captured, I have
no such opportunity.

-Eric "MightyE" Stevens
To reply to me, please remove "-removethis-" from my email address.
http://lotgd.net -- Slay a dragon... over lunch!

