Security analysis of a fingerprint-protected USB drive

  • Authors: Benjamin Rodes; Xunhua Wang
  • Affiliations: James Madison University, Harrisonburg, VA; James Madison University, Harrisonburg, VA
  • Venue: Proceedings of the 26th Annual Computer Security Applications Conference
  • Year: 2010

Abstract

Fingerprint-protected Universal Serial Bus (USB) drives have seen increasing deployment recently to protect mobile data. Compared to regular USB drives, a fingerprint-protected USB drive has an integrated optical scanner and a private partition/drive (for example, drive G: on MS Windows), which is not accessible before a successful fingerprint authentication. This paper studies the security of a representative fingerprint-protected USB drive called AliceFDrive. Our results are twofold. First, through black-box reverse engineering and manipulation of binary code in a DLL, we bypassed AliceFDrive's fingerprint authentication and accessed the private drive without actually presenting a valid fingerprint. This authentication bypass is a class attack in that the modified DLL can be distributed to any naive users to bypass AliceFDrive's fingerprint authentication. Second, in our security analysis of AliceFDrive, we developed a program to automatically recover fingerprint reference templates from AliceFDrive, which may make AliceFDrive worse than a regular USB drive: when Alice loses her fingerprint-protected USB drive, she does not only lose her data, she also loses her good-quality fingerprints, which are hard to recover as Alice's fingerprints do not change much over a long period of time.