
If you've got a Microsoft Fingerprint Reader hooked up to your PC and thought you had the latest and greatest in biometric security, you're out of luck. A Finnish researcher has discovered that the reader -- which Microsoft has said shouldn't be used to protect sensitive data (meaning, we assume, you should just use it to check out those wild whorls) -- sends fingerprint info to the PC unencrypted, which could enable anyone with the right tools to snag your fingerprint image, and use it to log into your PC. Strangely, Microsoft licenses the technology from another company, Digital Persona, which does encrypt fingerprint data. For some reason, however, Microsoft chose to disable encryption in its product, making it less secure than the passwords it purports to replace.
Reader Comments (Page 1 of 1)
Ken @ Mar 7th 2006 11:02AM
I'd love to hear the follow-up on their reasoning for this. Maybe Microsoft doesn't want to get sued if someone gets their fingers chopped off for authentication. They can always claim, "We left a back door open so this didn't have to happen."
gnome @ Mar 7th 2006 11:03AM
"making it less secure than the passwords it purports to replace."
Last time I checked, my keyboard sends my password in plain text as well, and it's probably easier to install a keylogger than something to capture and replay my fingerprint.
aeo @ Mar 7th 2006 11:09AM
This could possibly be cool to install in a car or house for keyless entry.
Josh Barrett @ Mar 7th 2006 11:17AM
Sounds like a pretty low risk issue. Anti-Microsoft bias maybe?
portorikan @ Mar 7th 2006 11:20AM
For some reason, this lack of security doesn't surprise me. :)
Per-Erik @ Mar 7th 2006 11:24AM
I read the PDF earlier this week. Seems that by changing only ONE bit in the firmware, you get encryption. But, M$ drivers don't support this. Only Linux drivers.
Alex @ Mar 7th 2006 11:26AM
Hmm, me and my colleagues were trying to contact Microsoft in order to get an SDK that will allow us to use this reader with our software, they refused to cooperate...
Well, I'm glad they did :-)
OxyMormoN @ Mar 7th 2006 11:36AM
Someone with the right tools eh...
Microsoft has the right tools
They pretty much went out of their way to unsecure this device - they turned off the encryption that comes with the device...
Remember, it's not paranoia if they ARE out to get you
Patrick @ Mar 7th 2006 11:57AM
When you install the reader, Microsoft makes you agree to two separate EULAs that this is a toy and not a real security device. No news here. This is for regular people that don't want to remember passwords.
James Rice @ Mar 7th 2006 11:58AM
I've almost bought this thing a couple times, but have resisted every time. :)
WhyNotV2 @ Mar 7th 2006 11:58AM
I bought one of these and returned it the next day after finding it only works with IE/webpages. Other programs with passwords and logins aren't compatible which kind of sucks especially given the price for the reader. Setup to use it was pretty easy and it had a really nice tutorial/walk-through, but again, limited use so definitely not for everyone.
David Tai @ Mar 7th 2006 12:00PM
gnome has it absolutely right: the keyboard sends unencrypted text as well. Perhaps it costs more and doesn't make commercial sense (i.e. costs more :p) to encrypt - who knows? Unless someone can get the proper software, deliver it to your computer, then get the data out again, it's really a non-issue.
No more than we should not use keyboards to type passwords....
Julian @ Mar 7th 2006 12:13PM
David Tai is right. Why don't people actually read the full article, and find out what's involved in getting the fingerprints. You need physical access to the machine to install a USB logger. But if you have that, you can just grab whatever data is there on the computer; the machine is compromised already, nothing will change it; whether they used the scanner, or some other tool short of a full hard-disk encryption, everything is accessible.
Julian @ Mar 7th 2006 12:14PM
David Tai is right. Why don't people actually read the full article, and find out what's involved in getting the fingerprints. You need physical access to the machine to install a USB logger. But if you have that, you can just grab whatever data is there on the computer; the machine is compromised already, nothing will change it; whether they used the scanner, or some other tool short of a full hard-disk encryption, everything is accessible. All this anti-microsoft BS is pointless, as it shows your ignorance of the facts.
Dylan Greene @ Mar 7th 2006 12:21PM
This is FUD.
"anyone with the right tools" still needs physical access to the machine, in which case it's much easier to snag passwords by using the "right tools" to record every keystroke from the keyboard.
Nath5000 @ Mar 7th 2006 12:23PM
I guess it seems more scary knowing that someone out there can "steal" my fingerprint and presumably go all James Bond and in the future unlock anything that I use fingerprint protection for whether it be my computer, or a lock to a door.
In all reality, even if that was possible, someone could easily get your fingerprint the old-fashioned way that police and detectives have been using forever right? I guess the big thing is whether fingerprint encryption is even that secure in the first place if someone can get your print just from something you've touched. I really know nothing, this is just speculation. It makes sense that this isn't for super security and is just for people who don't want to enter passwords but in all reality, if Microsoft doesn't encrypt someone's fingerprint and other companies do, why do the companies who encrypt it even bother? If I worked at a bank and used encrypted fingerprint stuff for something and I used unencrypted Microsoft readers to log in at home couldn't someone steal my print at home and use it wherever they wanted assuming that what happens with fingerprints in James Bond movies is actually possible?
mikestew @ Mar 7th 2006 12:36PM
The fact that the GINA won't install on a machine which is a member of a domain ought to put aside any thoughts about this thing being the latest in security. As others have pointed out, this is a non-issue for a variety of issues, foremost being that even Microsoft doesn't advertise this as a security tool.
Dylan Greene @ Mar 7th 2006 12:47PM
This requires PHYSICAL ACCESS to the machine - which means the perpetrator could just take a fingerprint from anything the user has touched. Why bother with the computer?
I guess Finland doesn't get CSI.
Ipod movies @ Mar 7th 2006 1:02PM
This is just typical of Microsoft.
mykie @ Mar 7th 2006 1:25PM
Okay, someone steals your passwords, that's all fine and dandy, because you can just change your password to something else.
Someone steals your fingerprint, well...you've only got 9 more chances FOR THE REST OF YOUR LIFE to remedy that situation...
Vit Ali Raja @ Mar 7th 2006 1:30PM
Somebody with the right TOOLS can chop off your finger and use it to login to the computer :)
glacia00 @ Mar 7th 2006 1:31PM
Actually there are very few non-integrated biometric solutions that are any more secure than this. By non-integrated I mean 'not built directly into a system where the computer interface is inaccessible.'
And while I say this in every biometric discussion I'll say it again. Once your biometric signature is compromised, what do you do? You can change a password but you can't change a fingerprint. Biometrics is not the security grail.
vidGuy @ Mar 7th 2006 1:32PM
Meh. Anyone that thinks this is secure shouldn't be trusted with anything that needs protection. It's cool for home use, and the ones on the laptops are handy, but corporations should know that to be really secure, you need a good combination of the three methods for authentication: something you know, something you have, something you are. Now, if you needed a key to get to the room the computer was in, you scanned your finger/thumb, AND entered a PIN, it may be somewhat secure ;)
And for the real conspiracy theorists: think how many people have Windows Update set up to automatically download AND INSTALL updates. Talk about a backdoor!
Willdo @ Mar 7th 2006 2:04PM
I think people are whipping a dead horse here. This device is designed for the same people that do their banking on wireless networks at hotels and coffee shops. Let them bathe at the banks of denial. It's what they do.
Aj @ Mar 7th 2006 2:09PM
#22 :Somebody with the right TOOLS can chop off your finger and use it to login to the computer :)
The best comment in the line. To get physical access to the computer is quite tough and secondly to get it for long times I would presume to hack the fingerprint harder. So I would still think it is pretty secure. I mean as vidGuy says with a PIN and a scanner it would be quite safe
markm @ Mar 7th 2006 2:11PM
Look at the device itself. The biggest problem with the reader is that you can simply lift fingerprints off of the device's surface.
Any fingerprint reader where you place your finger on the device is notorious for this. To get any sort of real security you need to use a system like Lenovo/IBM uses in their ThinkPads where you slide your finger over the device - smudging any prints you might leave in the action of scanning your print.
Dan @ Mar 7th 2006 2:11PM
I have one of these at work, and they still don't work with a lot of apps and Firefox. Screw em.
C @ Mar 7th 2006 2:47PM
In Microsoft's defense - they clearly state that this is NOT a substitute for security, but just a convenience.
But the research is hysterical really!
So the person trying to steal my fingerprint would need to already get into my machine to be able to log it. Hmm SECURITY IS PRIOR - I wouldn't want them to get into it in the 1st place right? LOL It all comes down to network security - Every time. Just try and get past my DMZ! Once you're there, I guess you can have anything you want. LOL
I think I saw comments from others mentioning this...
WOW GROUND BREAKING!
asd @ Mar 7th 2006 3:22PM
How many keyboards send encrypted characters to the PC?
_TAD_ @ Mar 7th 2006 4:13PM
Let's be realistic for just a moment. As an IT guy in the real world I *KNOW* if I walk around my company long enough I can find dozens of passwords. The average user can't keep all of their passwords straight so they write them down and hide them under their mouse pad or keyboard. An unsecured fingerprint device like this is a lot like locks on a car door. It keeps the honest people honest. If someone really wants in, they'll find a way.
ashram @ Mar 7th 2006 5:53PM
I thought this was common knowledge.... as Digital Persona told me this directly a year and a half ago....
It's a combo of the firmware and software Microsoft uses, as the reader itself is almost identical (different color)
Deluxe @ Mar 7th 2006 7:04PM
You loser nerds watch too many movies. Get out and see the real world.
glacia00 @ Mar 8th 2006 10:48AM
BTW, just to correct something mentioned earlier, you actually don't need access to the OS to install a keystroke logger. There are various very small hardware loggers out there that simply plug into the back of the computer and the keyboard plugs into it. Takes 10 seconds to install. Unless you looked for it you probably wouldn't notice one. Come back later unplug it, another 10 seconds, and you have someone's password. Usually the first thing someone types in.
Court @ Mar 10th 2006 5:32PM
Wasn't there an article about using a gummi bear to bypass fingerprint readers?
DeadCow @ Mar 11th 2006 4:07PM
http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/
Gummi Bears Defeat Fingerprint Sensors
"Noted cryptographer Bruce Schneier, the founder and CTO of Counterpane Internet Security, described Matsumoto's work as more than impressive.
"The results are enough to scrap the systems completely, and to send the various fingerprint biometric companies packing," said Schneier in yesterday's edition of his Crypto-Gram newsletter, which first publicised the issue."
JJWigg @ Mar 20th 2006 6:28PM
When I set up the fingerprint reader won't all my passwords reside in a file in my computer. What's the risk of someone getting access to this file?
JACK @ Apr 15th 2006 2:50PM
THE MICROSOFT FINGERPRINT READER IS NEXT TO USELESS. IT WILL ONLY ALLOW USE OF "INTERNET EXPLORER" TO SET A SITE LOG IN. "FIREFOX" WHICH IS MY BROWSER IS NOT ACCEPTABLE TO THE SOFTWARE.
LINN @ Aug 13th 2006 11:10AM
Hi everyone! I'd really appreciate if Per-Erik tells me what PDF is the one that says about changing the bit in the firmware in order to get encryption of the images. Thanks.
Ata @ Feb 5th 2007 4:24PM
Well this can be said as introduction to a new technology, when the time passes it would be refined and made more secure. We should not lose our hopes and should see the glass half full.
John @ Jun 19th 2007 6:14PM
Jack, MS fingerprint can be used with Firefox, check FingerAuth at http://www.fingerauth.com