Friday, February 15, 2008

Microsoft Fingerprint Reader - The Fine Print

If you haven't noticed, somehow lately computer keyboards and laptops in the Windows PC world are sporting a little pad for reading fingerprints.

Notice the fine print at the bottom of this page, which I'll quote here in case it goes away:

Microsoft Fingerprint Reader
"The Fingerprint Reader should not be used for protecting sensitive data such as financial information, or for accessing corporate networks. We continue to recommend that you use a strong password for these types of activities."

Why do you suppose Microsoft and all those hardware makers would go to all the trouble to add a fingerprint reader to laptops and keyboards, and then advise you not to use it?

Probably because they know something that the average consumer probably doesn't: these devices can be spoofed.

It's only a matter of time before there are clear, step by step instructions available on the internet for lifting a fingerprint and applying it to a model finger for spoofing purposes. Heck, there might be some online now, and I just haven't seen it yet.

Biometric Devices and Fingerprint Spoofing

Faking fingerprint readers (or other biometric devices) - a collection of links and papers

Failure of fingerprint locking system in prison in 2005

If you think about these things for a minute, you would never touch one without wearing a glove. Where is the digital fingerprint stored? That's right, on the same rootkit infested Windows PC prone to worm and virus attack.

Will rootkits soon be intercepting the fingerprint data and adding that to your stolen profile information in that giant hacker database in the sky? You can bet they will, because you can be assured that not everybody read the fine print. These devices are so common on laptops now that there are undoubtedly some juicy bank accounts "protected" by the Microsoft Fingerprint Reader.

The bad guys will have your biometric data in a database long before the FBI gets it done, because the bad guys do all this stuff with the lowest possible overhead. They just add another routine to their worm / virus / trojan / rootkit package and it flows out to all the zombie pc systems on the net that day. Since their data flows are mostly encrypted now-a-days, it might already be happening and we just haven't proven it yet.

Friends don't let friends use fingerprint readers. At least not today, when they are so clearly pandering a false, and perhaps even criminally negligent, sense of security. The people selling these things ought to know better. Oh, that's right. They do know better. Hence the fine print.

NOTE:  Thanks to my good friend Joe S. in Tucson, Arizona for asking me, "would you touch one of these without a glove?"


Peter said...

The only people I've ever seen use these are tinkerers who are excited by the novelty. Usually they figure out how to get the PAM plugins in Linux to log them in. After a few short hours they get bored and turn it off.

Dan Kamionkowski said...

Wow, that is scary. It's pretty shady (and yet not surprising) that Microsoft would even be selling this product knowing as they do that it is not an effective security device.

Anonymous said...

the device is very good and makes PC use faster and easier, NOT safer...anyway, if you let me access you PC - with or without the fingerprint reader :)) - I ca n get the stored passwords in no more than 2 hours; so I'd rather use the device because is way easier than remembering/typing numerous passwords all day long (I work in IT and I am not scared about my friends hacking my yahoo mail :)) ).
Wherever you really need security is very simple: you DO not use this device, which however is great (for its purpose).