Stacking Fault

USB + Fingerprints = FUN

A couple years ago I had the pleasure of talking with some of the Sony researchers working on the Puppy Fingerprint Identity Token. The idea behind this product is simple: you add a fingerprint scanner to a USB flash drive and viola! secure storage!

I tend to believe that there's a lot of hype surrounding Biometrics these days, but I have no problem with their use as long as users are familiar with the risks that come with modern Biometric technologies. I don't think there's anything wrong with biometric identification as long as it's not the sole authentication mechanism in a secure protocol. Aside from privacy issues of having your fingerprints on file (or trusting that your reader can securely store your fingerprint) you also have relatively high error rates, biometric readers getting faked out by silly-putty fingers and the difficulty of revoking your finger.

But hey... they sure do look cool, don't they? Nothing makes you feel like a character from an Ian Fleming novel like your computer telling you, "Authentication Required : Place Your Finger on the Reader Please."

All kidding aside... Biometric based identity systems have their place in the security ecosystem and hey, if putting your grandma's cookie recipe on a Sony Puppy makes you sleep easier at night, then it's probably worth the extra cash you plunked down for it. But please take a few moments to consider some of the risks (listed below.)

Over the last couple years we've seen a bit of growth in the Biometric-enabled flash drive market. Lexar, one of the more recognizable brands in the space has their TouchGuard (tm) line of JumpDrives with capacities of up to 256Mb (though a recent press release indicates they'll be shipping a 1Gb TouchGuard (tm) JumpDrive soon. Pretec recently announced in a press release on their site they'll be marketing a 4Gb fingerprint-protected USB flash drive.

authentication tokens

But there's also the market for plain 'ol fingerprint scanners. From humble beginnings, there are now more of these things than one can shake a stick at. One of the ones I keep coming back to is the Priva-Tech "cleared" platform. It's more than just a fingerprint scanner, it's a whole infrastructure. If you're an enterprise customer looking for a bit of value-add in terms of manageability and the ability to authenticate against multiple versions of Wintel, this may be the product for you.

On the other hand, you might just be a hobbyist looking to play around with a fingerprint scanner. The Priva product mentioned above is definitely not for you. These devices have become commodity products these days, so maybe searching eBay will get you the best deal. You may want to also look at Atmel's FingerChip line of fingerprint readers.

cool devices

But by far the coolest thing I've seen for hackers and system prototypers to date is the BlackDog. This is a small PowerPC based linux system with an integrated flash drive and fingerprint scanner. When I saw it demonstrated, the system would quick-boot when plugged into a USB port and ask for a fingerprint. After successfully authenticating, it would auto-mount a read-only USB drive with a Wintel X11 server and pop up an X login screen.

Word on their site is you can reprogram the thing to do whatever you want. Though I don't really see Linux as being the solution to every problem out there, the tool-chain is well developed and there are plenty of competent Linux developers available, so this strikes me as one of the applications where Unix / Linux really shines. I can't really tell you what practical application will come of the BlackDog, but I do know that the cost of using a proprietary OS for this product might have proved excessive.

Someone out there is going to find something really cool to do with these things. So if you're a tinkerer... check this one out.

platform support

One of the problems I've seen throughout the biometric-enabled USB device market is the nearly exclusive focus on Wintel or WinCE. Most of the flash drives are configured to export a USB mass storage device after successful authentication, and thanks to that specification being platform independent, it's generall not a problem to use the device. So if you have a pre-configured Puppy or TouchGuard device, you should (in theory) be able to use it with a Mac or Linux system.

On the other hand, advanced features like acting as a secure password vault and training the device to recognize your fingerprint seems to use Wintel-only software.

Pity.

avoiding the risks

I'm not trying to tell you not to use these things... rather... remember that every product has risks, and the guy that's trying to sell you one of these things might be be downplaying them.

• Risk 1 : It Stops Working To be fair, this is a problem with all removable media. Sometimes they fail. One of the selling points of the TouchGuard for instance, is that it stores your passwords in one, fingerprint-protected place. This is great as long as you don't drop the device overboard on a fishing trip. Make sure there's some way to backup the contents of your device lest you risk losing your data.


• Risk 2 : Someone Fakes Your Finger This is more of a problem if you allow your fingerprint reader to be used unattended. Researchers have shown recently that fake fingerprints made of silly-putty are able to fake out many readers out there, so if you happen to see someone fumbling around in their pockets for something that looks positively bogus, maybe you should say something. But hey... we can't all be everywhere all the time. Your drive might get lifted out of your pocket for a few moments and used without your knowledge. If it's only protected by your fingerprint, it's conceivable that a bad guy could lift your fingerprint from that highball glass, craft a fake finger, lift your device and bingo! Granted... if bad guys have to go through this much work to get your grandma's cookie recipe, you've pretty much won. They had to go through a lot of hassle to get something that's not especially valuable (sorry grandma.) But if you're carrying your super-secret marketing plan around on one of these things and there's identifiable monetary loss that could occur if the info was leaked, there's probably a little wisdom in plugging this hole. Many devices come with software that encrypts the contents of drive partitions, directories or individual files. On Mac and Linux platforms, encrypted drive images are relatively easy to implement. Bottom line... multi-factor authentication is a good idea.


• Risk 3 : You Lose Your Finger Don't laugh, it could happen. And it will happen at the worst possible moment. Remember what I said about making backups? This might be another reason why it would be a good idea.

what i would put in the devices

On the off chance that a product manager from Pretec or Lexar are reading this, let me take a few moments to list a couple of features I would like to see in these flash drive products.

• multi-platform support Yes.. I know.. Wintel is the vast majority of the market. However... we have a bunch of Solaris and Linux servers at work that we're not migrating to Wintel anytime soon. We're also a bit suspicious of including Wintel boxes in "sensitive" processes. So if I one product supported enrollment on Solaris or SE/Linux, that would be a pretty strong differentiator.


• multi-user support What would be really, really cool is if the device would support multiple users. It would be great if I could assign access rights on a file or directory level.


• 1st or 3rd person key recovery We all know there are no locksmiths in the digital world. From a corporate perspective, I would love to use these types of products, but I've got to say I'm a bit freaked out by the fact that my CFO could put sensitive info on the thing, then get run over by a bus and I would have no ability to get the latest financial info off the thing. For personal use I'm a bit spooked by 3rd party key recovery, so having a 1st person key recovery mode would be a big win for me. I could enroll myself as the primary user, then enroll my wife, barber, friends in a M-of-N key splitting scheme so that if I ever did get smacked by a bus it's conceivable the info could be recovered.


• biometric api support This is a tough one... from a business perspective this can be bad; but it can be good. If you look at Cryptoki, Microsoft CAPI/CSP and PC/SC, cross-platform APIs can drive the commoditization of your product, but it's a necessary step before you get to mass adoption. At some point the benefits of mass adoption will exceed the drawbacks of commoditization. When this happens, it's time to take a serious look at platform-independent, open APIs.

Tags: usb, biometrics, blackdog

posted by Matthew S. Hamrick @ 2:15 PM