SecureIDE with Fingerprint Reader: Email from company..

Discussion in 'Computer Security' started by ChaosBlizzard, Nov 11, 2004.

  1. I received this email from the company:

    "Thanks for the link. If USB2.0 isn't sufficient, then a firewire a, b
    maybe of interest. A SecureIDE with fingerprint implementation is a
    tough one as extra circuit and firmware will be involved. End user might
    have difficulty in installing the product correctly thus completely wipe
    out the entire margin we will be commending. More, a $250-300 is a tough
    buy decision and isn't a volume based pricing policy. Beside, we are not
    so sure about the corporate acceptance of the fingerprint technology
    especially with its major weakness of the two output states
    (True/False). One can easily fake the output states thus completely
    bypass the fingerprint authentication process. I'd like to share your
    thoughts on this."


    Is he right about fingerprint's being so easy to bypass?
    He obviously wants a response.. So I will see what anyone here would like to
    say.

    Thanks!
     
    ChaosBlizzard, Nov 11, 2004
    #1
    1. Advertising

  2. If the fingerprint reader doesn't actually read the depth and reads only the
    ridge pattern then it is incredibly easy to fake. The newer systems often do
    read depth, but be careful what you buy.

    Here's a procedure that I read for fooling the reader:

    Materials:
    Digital Camera
    OHT Sheet (book shop)
    UV-sensitive printed circuit board (electronics store)

    1. Get your victim's fingerprint on something. This could be done as easily
    as inviting him to dinner and not washing his glass afterwards. Curved
    surfaces will create dstortion though, so you're better off with a flat one
    if possible.

    2. Put the object in a partially sealed box and burn superglue below it. The
    fumes will bind to the grease of the fingerprint and create a clear image.

    3. Take a digital photo of the image, turn it into an image with a white
    fingerprint and black background with clear contrast using image editing
    software.

    4. Print in varying sizes on an overhead transparency sheet. Compare to the
    original and pick the closest size.

    5. Place the OHT sheet over the UV sensitive printed circuit board so that
    the size you picked is completely on it.

    6. Expose to UV light for a suitable period.

    7. Remove the OHT sheet. The ridges of the fingerprint should be etched into
    the board (negative to the ridges of the actual finger)

    8. Pour gel or rubber on the PCB and you should get an accurate copy of
    their fingerprint that you can keep indefinitely.

    I've never tried it so I don't know for sure how well it works.

    "ChaosBlizzard" <ChaosBlizzard@no_spam_*hotmail*.com> wrote in message
    news:2ECkd.3310$...
    > I received this email from the company:
    >
    > "Thanks for the link. If USB2.0 isn't sufficient, then a firewire a, b
    > maybe of interest. A SecureIDE with fingerprint implementation is a
    > tough one as extra circuit and firmware will be involved. End user might
    > have difficulty in installing the product correctly thus completely wipe
    > out the entire margin we will be commending. More, a $250-300 is a tough
    > buy decision and isn't a volume based pricing policy. Beside, we are not
    > so sure about the corporate acceptance of the fingerprint technology
    > especially with its major weakness of the two output states
    > (True/False). One can easily fake the output states thus completely
    > bypass the fingerprint authentication process. I'd like to share your
    > thoughts on this."
    >
    >
    > Is he right about fingerprint's being so easy to bypass?
    > He obviously wants a response.. So I will see what anyone here would like

    to
    > say.
    >
    > Thanks!
    >
    >
     
    Timothy Goddard, Nov 11, 2004
    #2
    1. Advertising

  3. ChaosBlizzard

    nemo outis Guest

    In article <2ECkd.3310$>, "ChaosBlizzard" <ChaosBlizzard@no_spam_*hotmail*.com> wrote:
    ...snip...
    >Is he right about fingerprint's being so easy to bypass?
    >He obviously wants a response.. So I will see what anyone here would like to
    >say.
    >
    >Thanks!


    Yes, fingerprint IDing is (often) easy to bypass.

    Aside from the brute force (but still very effective)
    method of faking the fingerprint itself there is another
    alternative.

    Most fingerprint readers use astoundingly primitive technology.
    For instance, many are USB but there is NO authentication of the
    fingerprint reader to the computer or vice versa. Moreover, the
    communication channel is usually not encrypted - you need only
    learn the transmission format.

    This leads to all the standard exploits, such as MITM, replay,
    etc., etc.

    Regards,
     
    nemo outis, Nov 12, 2004
    #3
  4. Yeah, I did tell them they need to use encryption for the device itself.
    The fingerprint need's to be sent from the reader to the system encrypted.
    I already discussed that problem with them. I also told them if they used a
    reader that read depth as well it would enhance it's accuracy. People
    wouldn't be able to use tape/powder to fake it.

    <nemo (nemo outis)> wrote in message
    news:XjTkd.192137$Pl.33269@pd7tw1no...
    > In article <2ECkd.3310$>, "ChaosBlizzard"

    <ChaosBlizzard@no_spam_*hotmail*.com> wrote:
    > ..snip...
    > >Is he right about fingerprint's being so easy to bypass?
    > >He obviously wants a response.. So I will see what anyone here would like

    to
    > >say.
    > >
    > >Thanks!

    >
    > Yes, fingerprint IDing is (often) easy to bypass.
    >
    > Aside from the brute force (but still very effective)
    > method of faking the fingerprint itself there is another
    > alternative.
    >
    > Most fingerprint readers use astoundingly primitive technology.
    > For instance, many are USB but there is NO authentication of the
    > fingerprint reader to the computer or vice versa. Moreover, the
    > communication channel is usually not encrypted - you need only
    > learn the transmission format.
    >
    > This leads to all the standard exploits, such as MITM, replay,
    > etc., etc.
    >
    > Regards,
    >
    >
    >
    >
     
    ChaosBlizzard, Nov 14, 2004
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Carlosss

    IBM usb fingerprint reader

    Carlosss, Aug 25, 2005, in forum: Computer Security
    Replies:
    3
    Views:
    680
    Winged
    Aug 25, 2005
  2. =?Utf-8?B?Q2hyaXMgTHV0aGVy?=

    Fingerprint reader

    =?Utf-8?B?Q2hyaXMgTHV0aGVy?=, May 13, 2005, in forum: Windows 64bit
    Replies:
    7
    Views:
    886
  3. =?Utf-8?B?UGljaGNv?=

    Fingerprint reader in Win XP64 works?

    =?Utf-8?B?UGljaGNv?=, Jul 26, 2005, in forum: Windows 64bit
    Replies:
    3
    Views:
    459
  4. =?Utf-8?B?TWljaGVsbGUgQWxsZW4=?=

    Fingerprint Reader Drivers

    =?Utf-8?B?TWljaGVsbGUgQWxsZW4=?=, Nov 27, 2005, in forum: Windows 64bit
    Replies:
    3
    Views:
    341
    Andre Da Costa [Extended64]
    Nov 27, 2005
  5. =?Utf-8?B?T3Jpb25zVG95?=

    Fingerprint Reader

    =?Utf-8?B?T3Jpb25zVG95?=, Jan 8, 2006, in forum: Windows 64bit
    Replies:
    6
    Views:
    354
    Randy
    Jan 9, 2006
Loading...

Share This Page