May 24

Fake security – Laptop fingerprint scanner

Tag: Security | Michael Lind Mortensen @ 8:31 pm

I have a Lenovo Thinkpad T61 as my work laptop – you know, one of those laptops with the fancy fingerprint scanner in the bottom right corner. Now without getting into a big discussion about the dangers of biometric security systems, I’m going to tell you why I think this kind of device is completely ridiculous and provides absolutely no extra security whatsoever.

Let’s first consider the premise for using a biometric fingerprint scanner! The premise for using a fingerprint scanner instead of e.g. a password is that a password can be guessed, while a fingerprint is something unique to a user – something the user is the sole possessor of and always carries with him. So while that sounds more secure (since you don’t have to worry about e.g. password strength), in reality it really isn’t. Let’s say we have an attacker, Charlie, and Charlie wants to gain access to a building only Alice has access to – a building using biometric authentication in the form of a fingerprint scanner. How would Charlie accomplish this? Well, it actually turns out he has quite a few options:

  • He can force Alice to let him in (read “big fucking gun”)
  • He can jump Alice and chop off her finger (thereby giving him the “key” he needs)
  • He can break the fragile window next to the top-security, 20 inch steel door (as in: don’t make your damn security systems more solid than what surrounds them.. before long you’ll have burglars blowing up your walls to get in.)
  • He can break into the fingerprint scanner and steal the stored fingerprint (fingerprints aren’t stored as images, as some may believe.. A fingerprint is stored as a seemingly random sequence of characters uniquely identifying it. It’s much like the output of a hash function like md5() or sha())
  • He can lift Alice’s fingerprint off some glass or whatever he can find, and then use the same technique the Chaos Computer Club used when they stole a German official’s fingerprint, to reproduce the fingerprint and use it as if he were Alice.

All in all there are tons of ways to break a biometric system. However, one of the more disturbing issues isn’t that it’s easy to break. It’s the fact that once it has been broken, the users are screwed! If you get your fingerprint stolen, you can never use a fingerprint scanner securely again.. simply because the premise no longer holds – you are no longer the sole possessor of the fingerprint. So there are many very real concerns with the use of biometric systems, and I can tell you right now – I usually avoid all of these systems!

So back to the subject here: why the fingerprint scanners on laptops from IBM, Lenovo, HP etc. are completely useless when it comes to security! The issue is really quite simple. The premise for using biometrics is that the user is the sole possessor and therefore the only one who can log in. Now consider this scenario: you’re walking down the street, laptop in hand, when suddenly, out of the blue, a skinny guy runs past you, grabs your laptop and runs like the wind! You, exhausted by the burger you just ate, try to run after the perpetrator but fail when you start to lose your breath (after 10 meters).. but then – aahhh – a sigh of relief when you remember you had a 35 digit password, an encrypted hard drive and a biometric fingerprint scanner! No worries, right? … WRONG! The perpetrator gets home and takes a look at your laptop. He noticed your “Linux rocks – I secure my toilet brush” t-shirt while running past you and concludes your hard drive is probably encrypted and your password is probably psycho – but then.. aaahhhh – a sigh of relief when he notices you’ve activated your fingerprint scanner! He then takes a piece of tape, picks a random spot on your laptop, lifts your fingerprint right off, uses CCC’s method to copy your fingerprint and uses it to log in and steal all your data – despite all the encryption and psycho-password stuff.

It’s actually really simple: The fucking key is on the machine you’re trying to break into!!

Imagine an office building having break-in keys hanging from the fucking front door – just for burglar convenience!

All in all it comes down to this: the laptop fingerprint scanners are there because of hype! Like Apple, Facebook and a bunch of other stuff, fingerprint scanners for the common man are the hype of the moment – they sell! But while companies are telling people to use these devices, they’re actually misleading the public and giving them a false sense of security – thereby substantially weakening security.

So why am I writing this? Well pretty simple actually – Disable your fucking fingerprint scanner!



4 Responses to “Fake security – Laptop fingerprint scanner”

  1. Paul Walmsley says:

    Don’t you think you’ve allowed your imagination to run amok here? Admittedly, biometrics for a high security building wouldn’t be enough (on their own), and they’d need to use iris recognition etc. to make that more secure, but this is laptop security we’re talking about. If somebody wanted access to my laptop so badly that they were prepared to hold a gun to my head, kill me, and chop off my finger, then the last thing I’d care about is my online bank details. For me, as a consumer and a method of easily and quickly logging onto a computer, knowing that nobody else can access my profile without my fingerprint, it’s perfect. I don’t need to type a username, or have another password to remember, I can just swipe. For secretive data, then quite simply it shouldn’t be and isn’t usually stored on a laptop – it should be and usually is stored on desktop PCs in a secure building with 24 hour security if it’s so important that somebody would kill for it.

    I understand your point, but really…? Stop ranting for the sake of it.

  2. Ziv says:

    Well – you said it yourself: don’t build the security door stronger than its surroundings…
    It all depends on what you are protecting. If your laptop contains the launch codes of the US nuclear missiles, there would be someone who would go through the trouble of cloning your fingerprint or even chopping off your finger to gain access. But for normal users like myself, who would like to keep peeping toms out of their personal correspondence but do not wish to retype an 8-letter password every time the screen saver comes on – a fingerprint scanner is just a great way.

  3. Michael Lind Mortensen says:

    Well it’s not so much the whole “chopping” technique for gaining access I’m worried about :-) It’s more that whenever you use a laptop, you’re placing an abundance of prints all over the place. Since your fingerprint is essentially the equivalent of your password, we can compare it to this in regards to security. A fingerprint cannot be changed! At all! So if it’s stolen, you’re basically fucked! Passwords, on the other hand, can be changed if stolen. Also, a fingerprint can easily be lifted off of a laptop, so in regards to security, it’s essentially the same as placing a post-it with your password on the screen!
    Obviously I do see the benefits of being able to log in fast and being able to get rid of a screensaver fast – however there are much better solutions that provide this. One is radio-transmitter keys of varying sorts, so that you hold this small device as part of your normal everyday keychain. You can then lock your laptop and go to lunch. When you get back, you simply go over towards your laptop, and when you’re within a few feet of the laptop, it’ll simply unlock itself because it creates a connection to your key and uses it for authentication. This gives way better security than fingerprints. Especially because it’s possible to change the key if stolen! There’s a general rule of thumb in information security: “For each secret parameter in your system, the longer you hold it constant, the higher the likelihood your system will be compromised.” Biometrics in general break this rule of thumb, making them inherently flawed.

  4. Charles says:

    One issue with your claim is that not all readers use reflective images. Biometric readers also use ultrasonic transmissions and read them back based on the density of your skin. The frequency is actually designed for skin’s reception and transmission. This being said, simply creating a gelled fingerprint that you stick on your own finger and swipe would not work, because the ultrasound would read right through it and still read your own print.
