Mar 14 2008

The need for independent verification: Biometric USB sticks

Published by at 1:39 pm under Encryption

Heise Security has revealed that the chipset for a series of biometric USB sticks is basically useless and can be circumscribed in just a few keystrokes in either Windows or Linux. In Windows, you just need to send the stick a single command to bypass the sticks. The process is slightly more difficult in Linux because you have to compile the tool, PLScsi, yourself. This is obviously something only a “very professional user” could do; either that or any IT professional who’s been on the job for more than a couple of years.

First of all, we know ‘security through obscurity’ doesn’t work. The compiled version of PLScsi is already available for Windows, which means I could go to the local grade school and find any number of kids who could run the program. If you take the compiled version of this program out of the picture, I might have to go to the local high school to find someone capable of it. In either case a few quick Google searches would turn up the tools in short order.

Second of all, this is a bad implementation of technology. There is a chance that this was a purposeful back door, but ‘never attribute to malice what can be more adequately explained by stupidity” (Thanks Shane for reminding me of this quote). Someone was either lazy or stupid when they built this chipset, which I find to be much more likely explanations of the problem than any potential backdoor. I’m not going to entirely rule it out though.

If I’m buying a product that is advertised as adequate protection for my files, I want it to do that. I don’t want the manufacturer to tell me to encrypt my files before I place them on the USB stick, since that’s what I purchased the stick for in the first place. Companies can’t be tested to do this for themselves, which is why we need folks lie Heise security, like David Maynor and Robert Graham to test them out. Even companies with the best intentions make mistakes, and there’s more than enough companies that are just snake oils salesman trying to make a quick buck. Testing their products keeps the manufacturer honest and protects us from trusting a product that’s just not going to protect us as promised.

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

One response so far

One Response to “The need for independent verification: Biometric USB sticks”

  1. Vic Fichmanon 17 Mar 2008 at 11:19 am

    Well even when the best intentioned companies do the right thing and present us with a valid and usable solution there’s another danger lurking in the background… the manufacturing process and where the products are assembled.

    Anyone paying attention this last week to CNN couldn’t help but see a front page story about electronic picture frames sold by a Taiwanese manufacturering company to American distributors like Best Buy and other leading retailers. It turns out the Taiwanese company assembly plant was actually in MAINLAND CHINA and an unknown party or parties was adding malicious software that was either crashing computers here or recording keystrokes and sending them on to the would be evil-doers!

    I’ve already warned the Pentagon about the fact all their uniforms are all made in China now… what’s to keep the Chinese from spraying half a binary agent on them… then releasing the other half in the unlikely event of some hostilities between us. Why couldn’t they do the same with electronic components?

    Of course it could just be that I’m a evil minded bastard myself and just naturally think bad things about my potential competitors/enemies. After all they’ve shown on an almost daily basis a willingness to play by no ones rules, not even their own!

    Caveat emptor.

Trackback URI | Comments RSS

Leave a Reply

%d bloggers like this: