Never mind worrying about hackers stealing your password. A security researcher with the Finnish military has shown how they could steal your fingerprint, by taking advantage of an omission in Microsoft Corp.’s Fingerprint Reader, a PC authentication device that Microsoft has been shipping since September 2004.
Although the Fingerprint Reader can prevent unauthorized people from logging on to your PC, Microsoft has not promoted it as a security device, but rather as convenient tool for home users who want a fast way to log on to Web sites without having to remember user names and passwords. In fact, the Microsoft.com Web site warns that the Fingerprint Reader should not be used to protect sensitive data.
Hoping to understand why Microsoft had included the caveat about sensitive data, a researcher with the Finnish military, Mikko Kiviharju, took a close look at the product.
In a paper presented at the Black Hat Europe conference last week, he reported that because the fingerprint image taken by the scanner is not encrypted, it could be stolen by hackers and used to inappropriately log in to a computer. Kiviharju’s report can be found at this Web site.
Because the fingerprint image is transferred unencrypted from the Fingerprint Reader to the PC, it could be stolen using a variety of hardware and software technologies, called “sniffers,” that monitor such traffic, said Kiviharju, a researcher with the Finnish Defense Forces. “The fingerprint that can be sniffed is pretty good quality,” he said.
The fingerprint image could either be used to break into a PC or simply be stolen by attackers, a violation of the user’s privacy.
Once the fingerprint image had been sniffed, it could be used by attackers to make it appear as if the victim were authenticating onto a PC or a Web site using the Fingerprint Reader, Kiviharju said. But this type of attack, which is called a “replay attack” because the fingerprint scan is simply replayed back to the computer, is complex. It also requires that the attacker physically connect a second PC to the computer that is being attacked.
Although neither of these attacks is easy to pull off, they are both greatly simplified by the fact that Microsoft has chosen not to encrypt the fingerprint image, Kiviharju said.
In fact, this is probably the most interesting question raised by the research, because it appears that Microsoft could enable encryption by making some minor changes to the product’s firmware, Kiviharju said. “That has baffled some of the experts that have contacted me as well, ” he said “It’s quite a decent product, but somehow Microsoft has managed to botch it.”
Microsoft licenses the technology behind its Fingerprint Reader from a Redwood City, California, company called Digital Persona Inc. Digital Persona manufactures a similar device, called the U.are.U 4000, which does encrypt the fingerprint images.
Microsoft executives were not available for comment on this story, and a spokeswoman for the company’s public relations agency could not say why encryption was not enabled on the Fingerprint Reader.
Although Digital Persona would not comment on why Microsoft may have turned off the product’s encryption capabilities, one company official said that this decision is not likely to affect the security of its users.
“The fact that they turned the encryption off, I would argue, does not in a practical sense open up any security holes,” said Chief Technology Officer Vance Bjorn. “Even with the encryption off, you’re going to have to basically have physical access to the person’s machine to crack into it.”
One security analyst speculated that the encryption settings may have simply been part of Microsoft’s licensing agreement with Digital Persona.
By creating a version of the product that is not focused on security, Microsoft and Digital Persona may be ensuring that the two companies’ products don’t compete with each other, said Russ Cooper, senior information security analyst at Cybertrust Inc.
No matter what Microsoft’s reasoning may be, fingerprint theft is not a major privacy concern, Cooper said. “I’m more concerned with cameras in change rooms than I am with losing my fingerprint,” he said. “People have already given up tons and tons of privacy… read your credit card agreement. Look what you agreed to.”