Microsoft's Fingerprint Reader Hacked

Microsoft's low-cost biometric device doesn't encrypt fingerprint images, leaving it open to hacking, a security researcher claimed. MS responds however that the tool was never designed to provide massive

March 7, 2006


Microsoft's Fingerprint Reader, a low-cost biometric device aimed at consumers, doesn't encrypt the fingerprint image, leaving it open to hacking, a security researcher claimed.

Finnish researcher Mikko Kiviharju, who presented his findings last week at Amsterdam's Black Hat Europe conference, laid out a scheme using "sniffers," hardware or software tools that intercept encrypted data, to fool the Fingerprint Reader.

Unlike more expensive biometric gear, Microsoft's reader is labeled only as a tool of "convenience." In fact, the Redmond, Wash.-based company spells it out in the opening of the product's Getting Started guide.

"The fingerprint reader is not a security feature and is intended to be used for convenience only. It should not be used to access corporate networks or to protect sensitive data, such as financial information," the guide reads.

Kiviharju, however, noted that the lack of encryption makes it possible to spoof a fingerprint, which would give an attacker access to a Windows account as well as password-protected Web sites. A phony fingertip isn't necessary, since the unencrypted data can be captured, then "replayed" to the computer, fooling it into thinking a real finger was pressed on the reader. "With no crypto, one will not even need a gelatin finger," he said in his presentation notes.

Microsoft licenses the underlying technology for its reader from Redwood City, Calif.-based Digital Persona; that company's U.are.U 4000 reader does encrypt image data.

But sans encryption, Kiviharju said, Microsoft's implementation of Digital Persona's technology exposes some of the latter's security methods to hackers.

"MSFR unencryption reveals some anti-forgery strategies used by Digital Persona elsewhere," said Kiviharju in an accompanying white paper. Among them: Digital Persona's use of a checksum.

Vance Bjorn, Digital Persona's chief technology officer, denied that any sensitive information about the technology had been disclosed to potential attackers by Microsoft's lack of encryption. "What he's [Kiviharju] saying may or may not be correct," Bjorn said. "I won't confirm it."

Later in the conversation, however, Bjorn dismissed Kiviharju's tactics as "just probing" and said that the checksum Kiviharju mentioned is "more than just a handshake."

"What he's doing isn't going to change the fact that the reader isn't releasing any information," Bjorn said.
