Fingerprint-Protected USB Sticks Cracked Using Open-Source Software

If you are one of the users who rely on fingerprint security systems, you'd better keep an eye on your flash disk drive, because it can be easily cracked into. The fingerprint protection system can be circumvented using an extremely accessible piece of software, called PLscsi.

According to a report issued by security website Heise, the security of the USB sticks built with microcontroller chips from Taiwan's Afa Technology can be easily hijacked by an unauthorized person. The vast majority of the currently available USB drives with fingerprint biometric security are comprised of three parts: the storage memory based on NAND flash, the fingerprint sensor and a microcontroller that acts like a guardian, allowing or denying access to the logical partitions.

By default, the memory controller grants everybody access to the public partition, when the security software is located. The software is taking care of detecting the user's fingerprint then compare it with the results stored into its database. If the authentication is successful, the protected partitions are then mapped as storage drives.

However, the USB sticks that come with USBest UT176 and UT169 controllers designed by Afa Technology, can be tricked into giving access to the private partitions without performing the authentication. There is no need to use the old police-like tricks to collect the authorized print, then swipe it across the USB scanner. Access can be gained using the the PLscsi open-source application, then send the Command Descriptor Block command that replaces the public partition with the private one.

According to Heise, this is not an undocumented back door, but rather a major design flaw in the security software, that uses another command to grant read-only or write access to the partition.

At the moment, there are multiple USB sticks affected by the flaw, including the MyFlash FP1 from A-Data and the 9pay 1GB Secure Card. The latter manufacturer claims that it is aware of the vulnerability and will document the flaw in the user manual.

Until the issues are solved, the USB stick manufacturers that use the above-mentioned controllers advise their customers to use another layer of protection for their data, such as advanced encryption software.

MORE RELATED ARTICLES: CeBIT 2008: MSI Embeds Swarovski Crystals Into Notebook Sony Throws Two New Digital Photo Printers Out Into the Wild HP to Sell Penryn-Powered Pavilion Notebooks Toshiba G910 and G920 Are Different Devices After All Fujitsu's LifeBook P8010 Unveiled Its Secrets on the FCC Testbed Alereon, SunPlusIT to Show off Wireless USB Hard Drive Design CES 2008: Kingmax to Display 2000 MHz DDR3 Memory Modules Medion Rolls Out the “World's First” PND With a Built-In Fingerprint Reader