Microsoft's Fingerprint Reader Hacked
March 07, 2006
Microsoft's Fingerprint Reader, a low-cost biometric device aimed at consumers, doesn't encrypt the fingerprint image, leaving it open to hacking, a security researcher claimed.
Finnish researcher Mikko Kiviharju, who presented his findings last week at Amsterdam's Black Hat Europe conference, laid out a scheme using "sniffers," hardware or software tools that intercept encrypted data, to fool the Fingerprint Reader.
Unlike more expensive biometric gear, Microsoft's reader is labeled only as a tool of "convenience." In fact, the Redmond, Wash.-based company spells it out in the opening of the product's Getting Started guide.
"The fingerprint reader is not a security feature and is intended to be used for convenience only. It should not be used to access corporate networks or to protect sensitive data, such as financial information," the guide reads.
Kiviharju, however, noted that the lack of encryption makes it possible to spoof a fingerprint, which would give an attacker access to a Windows account as well as password-protected Web sites. A phony fingertip isn't necessary, since the unencrypted data can be captured, then "replayed" to the computer, fooling it into thinking a real finger was pressed on the reader.