IDG News Service - Never mind worrying about hackers stealing your password. A security researcher with the Finnish military has shown how they could steal your fingerprint, by taking advantage of an omission in Microsoft Corp.'s Fingerprint Reader, a PC authentication device that Microsoft has been shipping since September 2004.
Although the Fingerprint Reader can prevent unauthorized people from logging onto your PC, Microsoft has not promoted it as a security device, but rather as convenient tool for home users who want a fast way to log onto Web sites without having to remember usernames and passwords. In fact, the Microsoft.com Web site warns that the Fingerprint Reader should not be used to protect sensitive data.
Hoping to understand why Microsoft had included that caveat, a researcher with the Finnish military, Mikko Kiviharju, took a close look at the product. In a paper presented at the Black Hat Europe conference last week, he reported that because the fingerprint image taken by the scanner is not encrypted, it could be stolen by hackers and used to inappropriately log into a computer. Kiviharju's report can be found online (download PDF).
Because the fingerprint image is transferred unencrypted from the Fingerprint Reader to the PC, it could be stolen using a variety of hardware and software technologies, called sniffers, that monitor such traffic, said Kiviharju, a researcher with the Finnish Defense Forces. "The fingerprint that can be sniffed is pretty good quality," he said.
The fingerprint image could either be used to break into a PC or simply be stolen by attackers.
Once the fingerprint image had been sniffed, it could be used by attackers to make it appear as if the victim were authenticating onto a PC or a Web site using the Fingerprint Reader, Kiviharju said. But this type of attack, which is called a replay attack because the fingerprint scan is simply replayed back to the computer, is complex. It also requires that the attacker physically connect a second PC to the computer that is being attacked.
Although neither of these attacks is easy to pull off, they are both greatly simplified by the fact that Microsoft has chosen not to encrypt the fingerprint image, Kiviharju said.
In fact, this is probably the most interesting question raised by the research, because it appears that Microsoft could enable encryption by making some minor changes to the product's firmware, Kiviharju said. "That has baffled some of the experts that have contacted me as well, " he said "It's quite a decent product, but somehow Microsoft has managed to botch it."
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
