RE: Hacking USB Thumbdrives, Thumprint authentication

From: John Deatherage (john@dtiserv2.com)
Date: Mon Jan 26 2004 - 16:39:45 EST

• Next message: Thompson, Jimi: "RE: Pen Test vs. Health Check"
• Previous message: Rob Shein: "RE: Pen Test vs. Health Check"
• In reply to: m e: "Hacking USB Thumbdrives, Thumprint authentication"
• Next in thread: Walter Williams: "Re: Hacking USB Thumbdrives, Thumprint authentication"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Trek doesn't have a product manual up yet for the ThumbDrive touch, but it
does at least support two-factor authentication. For basic three factor
authentication (we're making a best effort here), the "something you have"
would have to be the drive itself. If people leave these stuck in their
laptops, they have to understand that it's like leaving your ATM card
sticking out of the slot. Anyone that knows the setup is looking for your
bio and password can initiate a targeted attack.

After looking at their webpage, I was reminded that these things are
bootable devices. Just a reminder to turn off all but local HD in boot
order in BIOS and implement a BIOS password. Before deploying these at a
client, I would make sure that something like this in place... unless you
want another pen tester to use the drives against them ;)

-----Original Message-----
From: m e [mailto:mje@list.intersec.com]
Sent: Saturday, January 24, 2004 9:31 PM
To: pen-test@securityfocus.com
Subject: Hacking USB Thumbdrives, Thumprint authentication

I'm interested in research regarding hacking USB drives
unlocked with a thumbprint

http://www.thumbdrive.com/prd_info.htm

Or any thumbprint biometric hacking.

Client is considering USB drives to offload laptop data
and at first glance seems like a better solution
than keeping sensitive data on laptops. Encryption software
on laptops requires more password management and software
hassles. The above device has no software drivers to install
so deployment headaches are minimized with (what seems) like
better security (obviously not maximum security) at low
deployment cost.

I'm guessing one can take the flash chip off the device
and plug into regular USB drive. Or rewrite the thumbprint hash.
Or hacks to fool the drivers. Or reverse engineer the
login program to always return "Yes".

Thanks,
dreez
mje@secev.com

---------------------------------------------------------------------------
----------------------------------------------------------------------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------

• Next message: Thompson, Jimi: "RE: Pen Test vs. Health Check"
• Previous message: Rob Shein: "RE: Pen Test vs. Health Check"
• In reply to: m e: "Hacking USB Thumbdrives, Thumprint authentication"
• Next in thread: Walter Williams: "Re: Hacking USB Thumbdrives, Thumprint authentication"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:46 EDT