A Sceptical Mind

I have a Lenovo Thinkpad T61 as my work laptop – You know, one of those laptops with the fancy fingerprint scanner in the bottom right corner. Now without getting into a big discussion about the dangers of biometric security systems, I’m going to tell you why I think these kind of devices are completely ridiculous and benefit with absolutely no extra security what so ever.

Let’s first consider the premises for using a biometric fingerprint scanner! The premises for using a fingerprint scanner, instead of e.g. a password, is that a password can be guessed while a fingerprint is something unique to a user – something the user is the sole possessor of and always carries with him. So while that sounds more secure (since you don’t have to worry about e.g. password strength), in reality it really isn’t. Let’s say we had a hacker Charlie and Charlie here wanted to gain access to a building only Alice had access to – a building using biometric authentication in the form of a fingerprint scanner. How would Charlie accomplish this? Well, it actually turns out he has quite a few options:

• He can force Alice to let him in (read “big fucking gun”)
• He can jump Alice and chop off her finger (thereby giving him the “key” he needs)
• He can break the fragile window next to the top-security, 20 inch steel door (as in: don’t make your damn security systems more solid then what surrounds them.. before long you’ll have burglars blowing up your walls to get in.)
• He can break into the fingerprint scanner and steal the stored fingerprint (fingerprints aren’t stored as images, as some may believe.. Fingerprints are stored as a seemingly random sequences of characters uniquely identifying the fingerprint. It’s much like a hashing function like md5() og sha())
• He can swipe Alice’s fingerprint of some glass or whatever he can find, and then use the same technique as Chaos Computer Club did when they stole a German officials fingerprint, to then reproduce the fingerprint and use it as if he was Alice.

All in all there are tons of ways to break a biometric system. However one of the more disturbing issues isn’t that it’s easy to break. It’s the fact that when it’s been broken – the users are screwed! If you get your fingerprint stolen, you can never use a fingerprint scanner securely again.. simply because the premises isn’t there anymore – you are no longer the sole possessor of the fingerprint. So there are many very real concerns with the use of biometric systems and I can tell you right now – I usually avoid all of these systems!

So back to the subject here: Why the fingerprint scanners on laptops from IBM, Lenovo, HP etc. are completely useless when it comes to security! So really the issue is quite simple. The premises for using biometrics is that the user is the sole possessor and therefore the only one who can log in. Now consider this scenario: Your walking down the street, your laptop in hand, and then suddenly out of the blue a skinny guy runs past you, grabs your laptop and runs like the wind! You, exhausted by the last burger you just ate, try to run after the perpetrator but fail when you start to loose your breath (after 10 meters).. but then – aahhh – a sigh of relief when you remember you had a 35 digit password, encrypted harddrive and a biometric fingerprint scanner! No worries right? … — … — … — … — … — WRONG! The perpetrator gets home and takes a look at your laptop. He noticed your “Linux rocks – I secure my toilet brush” t-shirt while running past you and concludes your harddrive is probably encrypted and your password is probably psycho – but then.. aaahhhh – a sigh of relief when he notices you’ve activated your fingerprint scanner! He then takes a piece of tape, picks a random spot on your laptop, swaps your fingerprint right of, uses CCC’s method to copy your fingerprint and uses it to log in and steal all your data – despite the whole encryption, psycho password stuff.

It’s actually really simple: The fucking key is on the machine you’re trying to break into!!

Imagine an office building having break-in keys hanging from the fucking front door – just for burglar convenience!

All in all it comes down to this: The laptop fingerprint scanners are there because it’s hype! Like Apple, Facebook and a bunch of other stuff, fingerprint scanners for the common man is hype these years – it sells! But while companies are telling people to use these devices, they’re actually misleading the public and giving them a false sense of security – thereby actually weakening security very extensively.

So why am I writing this? Well pretty simple actually – Disable your fucking fingerprint scanner!