Mar 14 2008
Heise Security has revealed that the chipset for a series of biometric USB sticks is basically useless and can be circumvented in just a few keystrokes in either Windows or Linux. In Windows, you just need to send the stick a single command to bypass its protection. The process is slightly more difficult in Linux because you have to compile the tool, PLScsi, yourself. This is obviously something only a “very professional user” could do; either that or any IT professional who’s been on the job for more than a couple of years.
First of all, we know ‘security through obscurity’ doesn’t work. The compiled version of PLScsi is already available for Windows, which means I could go to the local grade school and find any number of kids who could run the program. If you take the compiled version of this program out of the picture, I might have to go to the local high school to find someone capable of it. In either case a few quick Google searches would turn up the tools in short order.
Second of all, this is a bad implementation of technology. There is a chance that this was a purposeful back door, but ‘never attribute to malice what can be more adequately explained by stupidity’ (Thanks Shane for reminding me of this quote). Someone was either lazy or stupid when they built this chipset, which I find to be much more likely explanations of the problem than any potential backdoor. I’m not going to entirely rule it out though.
If I’m buying a product that is advertised as adequate protection for my files, I want it to do that. I don’t want the manufacturer to tell me to encrypt my files before I place them on the USB stick, since that’s what I purchased the stick for in the first place. Companies can’t be trusted to do this for themselves, which is why we need folks like Heise Security, like David Maynor and Robert Graham to test them out. Even companies with the best intentions make mistakes, and there are more than enough companies that are just snake oil salesmen trying to make a quick buck. Testing their products keeps the manufacturer honest and protects us from trusting a product that’s just not going to protect us as promised.
One Response to “The need for independent verification: Biometric USB sticks”