Easy to crack
Access to protected data areas without the right fingerprint
Manufacturers of USB sticks and cards with fingerprint readers promise us that their data safes can only be opened with the right fingerprint. It turns out that an easy-to-find tool allows nosy parties to get around the protection in some products.
Many secure USB sticks consist of three components: flash memory for data, a fingerprint sensor and a microcontroller that processes USB traffic, communicates with the flash memory, and controls the sensor. The flash memory itself is divided up into several logical partitions. The controller provides access to a public partition when connected to a PC. The pre-installed software on this partition then runs to perform fingerprint detection and authentication. If the fingerprint is valid, the microcontroller then provides access to the protected partition as a mapped drive on the PC.
That's the theory. In practice, USB sticks with the USBest UT176 and UT169 controllers from Taiwan's Afa Technology provide access to the protected partition without any authentication. All you need to do is use the PLscsi tool to send a single USB command – a Command Descriptor Block – to the stick for access to the public partition to be replaced by access to the protected one. At first, this flaw seemed to be an undocumented back door, but some sniffing with a USB monitor tool revealed it to be a major design flaw: the controller on the stick does not decide whether to provide access to the partition; the software running on Windows does. The software on the PC uses another command to decide whether read-only or write access is granted. Based on the manufacturer's descriptions, you'd expect the biometrics and access control to take place entirely within the stick's microcontroller, an 8032 derivative.
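To make the design flaw concrete, here is an added model of the controller's command handler in both forms: the host-decides design the article describes, and a device-decides design in which the switch command is only honoured while the chip itself holds an authenticated session. This is constructed illustration code, not the UT176/UT169 firmware; the opcodes, the fixed-length template and the byte-wise matcher are placeholders standing in for the real command set and fingerprint matching.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed model; opcodes and template format are hypothetical. */
enum { PART_PUBLIC = 0, PART_PROTECTED = 1 };
#define OP_VERIFY    0xC1  /* hypothetical: carries a fingerprint template */
#define OP_SWITCH    0xC2  /* hypothetical: "map the protected partition" */
#define TEMPLATE_LEN 8

typedef struct {
    uint8_t enrolled[TEMPLATE_LEN]; /* stored at enrolment, never leaves the chip */
    bool    authenticated;          /* set only by on-chip verification */
    int     mapped;                 /* partition the host currently sees */
} device_t;

/* Flawed design from the article: the controller trusts the host. Any
 * OP_SWITCH maps the protected partition; whether a fingerprint was ever
 * checked is known only to the application running on the PC. */
int handle_cdb_host_decides(device_t *d, const uint8_t *cdb, size_t len) {
    if (len < 1) return -1;
    if (cdb[0] == OP_SWITCH) d->mapped = PART_PROTECTED;
    return d->mapped;
}

/* Constant-time compare so a mismatch does not leak which byte differed.
 * Stands in for the real (fuzzy) fingerprint matcher. */
static bool template_match(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Hardened design: the switch is honoured only while the chip holds an
 * authenticated session, established by OP_VERIFY against the on-chip
 * template and cleared by device_reset() (i.e. on unplug or power loss). */
int handle_cdb_device_decides(device_t *d, const uint8_t *cdb, size_t len) {
    if (len < 1) return -1;
    switch (cdb[0]) {
    case OP_VERIFY:
        if (len < 1 + TEMPLATE_LEN) return -1;
        d->authenticated = template_match(cdb + 1, d->enrolled, TEMPLATE_LEN);
        break;
    case OP_SWITCH:
        if (d->authenticated) d->mapped = PART_PROTECTED;
        break;
    }
    return d->mapped;
}

void device_reset(device_t *d) { d->authenticated = false; d->mapped = PART_PUBLIC; }
```

The point is where the decision lives: in the second handler no host-side software can reach the protected partition without the chip having verified a template first, and the session does not survive a reset.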
Various sticks affected
In our tests, we found the vulnerability in the MyFlash FP1 from A-Data (USB-ID 1307:1169) and the 1GB Secure Card (USB-ID 7009:1765) sold by 9pay. The JetFlash 210 and 220 fingerprint sticks from Transcend use the chips in question and also provide access to the protected partition after transmission of a single USB command. The UT176 made by CySecure could also suffer from the same flaw, though we have not tested it yet. 9pay confirmed that it was aware of the problem, but said that only "very professional users" would be able to access the protected partition without authentication. The manufacturer says that it will be pointing out this vulnerability in the manual to prevent people from thinking that the fingerprint sensor provides a greater level of security. As a workaround, the firm recommends that users encrypt sensitive data before they save it on the card, which costs around €90. The manufacturer is also thinking about switching to a different chip that would be safer.
We also asked Transcend and Afa, the manufacturer of the chip, to comment. Transcend said it would not be able to respond in detail because of the Chinese New Year festival, but did say that if the manufacturer of the controller confirms the bug, Transcend plans to provide a patch for partition security as a firmware update. Afa Technologies did not wish to comment at all, saying instead that we should contact the manufacturer of the sensor chip, LighTuning, which is allegedly responsible for the controller's communication with application programs. We have yet to receive a response.