Secure USB sticks cracked
March 14, 2008 – 3:23 PM
Manufacturers of USB sticks and cards with fingerprint readers promise us that their data safes can only be opened with the right fingerprint. It turns out that an easy-to-find tool allows nosy parties to get around the protection in some products.
Many secure USB sticks consist of three components: flash memory for data, a fingerprint sensor and a microcontroller that processes USB traffic, communicates with the flash memory, and controls the sensor. The flash memory itself is divided up into several logical partitions. The controller provides access to a public partition when connected to a PC. The pre-installed software on this partition then runs to perform fingerprint detection and authentication. If the fingerprint is valid, the microcontroller then provides access to the protected partition as a mapped drive on the PC.
That’s the theory. In practice, USB sticks with the USBest UT176 and UT169 controllers from Taiwan’s Afa Technology provide access to the protected partition without any authentication. All you need to do is use the PLscsi tool to send a single USB command (a Command Descriptor Block, CDB) to the stick, and access to the public partition is replaced by access to the protected one. At first, this flaw looked like an undocumented back door, but some sniffing with a USB monitor tool revealed it to be a major design flaw: the controller on the stick does not decide whether to provide access to the partition; the software running on Windows does. The software on the PC uses another command to decide whether that access is read-only or read/write. Based on the manufacturer’s descriptions, you’d expect the biometrics and access control to take place entirely within the stick’s microcontroller, an 8032 derivative.
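The design flaw described above comes down to where the access decision lives: on the host, which an attacker controls, or inside the device, which holds the sensor and the enrolled template. The following model is an added illustration written for this article, not code from the manufacturer or from the PLscsi tool. It uses made-up opcode values, partition names and a simplified exact-match fingerprint comparison (real matching is fuzzy) purely to contrast the two placements of the check; none of these values correspond to the real UT176/UT169 command set.

```python
"""Host-side vs. device-side enforcement for a fingerprint-protected USB stick.

Constructed model: opcodes, partition names and the template comparison are
placeholders chosen for illustration, not the real controller's command set.
"""
import hmac

PUBLIC, PROTECTED = "public", "protected"

# Hypothetical vendor-specific CDB opcode (placeholder, not a real value).
OP_SELECT_PARTITION = 0xC0


class FlawedController:
    """Mirrors the design the article describes: the controller obeys a
    partition-switch command unconditionally. Fingerprint checking happens in
    the Windows software on the public partition, outside the trust boundary,
    so any host that can issue the command gets the protected partition."""

    def __init__(self):
        self.mapped = PUBLIC

    def handle_cdb(self, cdb: bytes) -> str:
        opcode, arg = cdb[0], cdb[1]
        if opcode == OP_SELECT_PARTITION:
            # No authentication state is consulted here at all.
            self.mapped = PROTECTED if arg == 1 else PUBLIC
            return "ok"
        return "unsupported"


class HardenedController:
    """The check moved inside the device: the controller only remaps the
    protected partition after its own sensor path has matched the enrolled
    template. The host has no command that can set the authenticated flag."""

    def __init__(self, enrolled_template: bytes):
        self._enrolled = enrolled_template
        self._authenticated = False
        self.mapped = PUBLIC

    def sensor_scan(self, live_template: bytes) -> None:
        # Reached only from the on-device sensor, never from a host CDB.
        # Constant-time exact comparison stands in for real fuzzy matching.
        self._authenticated = hmac.compare_digest(self._enrolled, live_template)

    def handle_cdb(self, cdb: bytes) -> str:
        opcode, arg = cdb[0], cdb[1]
        if opcode == OP_SELECT_PARTITION:
            if arg == 1 and not self._authenticated:
                # SCSI-style failure: the request is refused, mapping unchanged.
                return "check condition: not authenticated"
            self.mapped = PROTECTED if arg == 1 else PUBLIC
            return "ok"
        return "unsupported"


def switch_to_protected(controller) -> str:
    """Issue the (placeholder) partition-switch command and report the result."""
    return controller.handle_cdb(bytes([OP_SELECT_PARTITION, 1]))


if __name__ == "__main__":
    flawed = FlawedController()
    print("flawed  :", switch_to_protected(flawed), "->", flawed.mapped)

    hardened = HardenedController(b"enrolled-template")
    print("hardened:", switch_to_protected(hardened), "->", hardened.mapped)
    hardened.sensor_scan(b"enrolled-template")
    print("hardened:", switch_to_protected(hardened), "->", hardened.mapped)
```

The point of the contrast is that the hardened variant needs no secret command set: the same switch command exists, but the controller keys its answer to state only the device itself can change. Whether a given product is built that way can be checked without any special tooling by looking at where the authentication software runs; if it runs on the PC, the device is trusting the host.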