Researcher hacks Microsoft fingerprint reader

Apparently the connection between the fingerprint reader and the computer isn’t properly encrypted, so it’s possible to connect to it and read the fingerprint data. Or to send fingerprint data that was recorded earlier.

It’s not really much of a news item, though, because the device isn’t intended for security purposes, and Microsoft doesn’t sell it for security uses. The research was to find why they don’t, because fingerprint readers are pretty much smack down in the category of security and authentication gear. That’s their classic, and most obvious, use (Despite the many problems with biometric, which now is not the time to go into). So the fact that the research found a problem shouldn’t surprise anyone too much.

Even if some customers assumed that it can be used for security despite the manufacturer’s recommendations.

The point I found interesting is this response by the CTO of Digital Persona, the company from which Microsoft licensed the technology for the device:

Digital Persona would not comment on why Microsoft may have turned off the product’s encryption capabilities, but one company official said that this decision is unlikely to affect the security of its users.

“The fact that they turned the encryption off, I would argue, does not in a practical sense open up any security holes,” says Chief Technology Officer Vance Bjorn. “Even with the encryption off, you’re going to have to basically have physical access to the person’s machine to crack into it.”

He claim that it’s not a problem, because it would require physical access to the computer. This is, while accurate, totally silly and besides the point.

Fingerprint readers are intended to be used against people with physical access to the computer the scanner is attached to. That’s the only case in which they work. A legitimate user with no physical access will not be able to have their fingerprint scanned. Physical access is required by design.

So saying security holes are not opened just because it would require physical access, is actually saying that the device is meaningless from a security standpoint. You need physical access to hack into the machine around the fingerprint scanner. But you also need physical access to use the machine by using the fingerprint scanner. Ergo the fingerprint scanner is meaningless.

Which is basically what Microsoft implied to begin with, but entirely not the point the CTO was trying to make here.

Leave a Reply

You must be logged in to post a comment.