SAN FRANCISCO -- Never mind worrying about hackers stealing your password. A security researcher with the Finnish military has shown how people could steal your fingerprint, by taking advantage of an omission in Microsoft's Fingerprint Reader, a PC authentication device that Microsoft has been shipping since September 2004.
Though the Fingerprint Reader can prevent unauthorized people from logging on to your PC, Microsoft has promoted it not as a security device, but rather as convenient tool for home users who want a fast way to log on to Web sites without having to remember user names and passwords. In fact, the Microsoft.com Web site warns that the Fingerprint Reader should not be used to protect sensitive data.
Hoping to understand why Microsoft had included the caveat about sensitive data, a researcher with the Finnish military, Mikko Kiviharju, took a close look at the product. In a paper presented at a recent Black Hat Europe conference, he reported that because the fingerprint image taken by the scanner is not encrypted, it could be stolen by hackers and used to inappropriately log in to a computer. Kiviharju's report can be found here.
Because the fingerprint image is transferred unencrypted from the Fingerprint Reader to the PC, it could be stolen using a variety of hardware and software technologies, called "sniffers," that monitor such traffic, said Kiviharju, a researcher with the Finnish Defense Forces. "The fingerprint that can be sniffed is pretty good quality," he said.
The fingerprint image could either be used to break into a PC or simply be stolen by attackers, a violation of the user's privacy.
Once the fingerprint image was sniffed, it could be used by attackers to make it appear as if the victim were authenticating onto a PC or a Web site using the Fingerprint Reader, Kiviharju said. But this type of attack, which is called a "replay attack" because the fingerprint scan is simply played back to the computer, is complex. In addition, it requires that the attacker physically connect a second PC to the computer that is being attacked.
Though neither of these attacks is easy to pull off, doing so is greatly simplified by the fact that Microsoft has chosen not to encrypt the fingerprint image, Kiviharju said.
Microsoft licenses the technology behind its Fingerprint Reader from a Redwood City, California, company called Digital Persona. Digital Persona manufactures a similar device, called the U.are.U 4000, which does encrypt the fingerprint images.
Microsoft executives were unavailable for comment on this story, and a spokesperson for the company's public relations agency could not say why encryption was not enabled on the Fingerprint Reader.
Digital Persona would not comment on why Microsoft may have turned off the product's encryption capabilities, but one company official said that this decision is unlikely to affect the security of its users.
"The fact that they turned the encryption off, I would argue, does not in a practical sense open up any security holes," says Chief Technology Officer Vance Bjorn. "Even with the encryption off, you're going to have to basically have physical access to the person's machine to crack into it."