In association with heise online

DIY test

You can find out whether your USB stick can also be "opened" without authentication by using the open source tool PLscsi. A precompiled command line version for Windows is available; Linux users will have to compile the tool themselves. The command plscsi -w lets you specify the USB drive as a variable. Keep in mind that the fingerprint sticks register two drives on the system when connected to the PC: a virtual CD-ROM and the normal drive. Select the latter and send the command for access (see image below).

The procedure is similar for Linux, but before the command is sent you need to unmount both drives, in case the automounter connected them automatically when the stick was plugged in. You can identify the right drive with the dmesg command and then set it as the variable, e.g. export PLSCSI=/dev/sdb. You will need administrator rights to perform all of these actions, both on Windows and on Linux.
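The Linux preparation described above (find the two devices the stick registers, unmount them, point PLSCSI at the normal drive) as an added shell example; this is not code from the c't article or from the PLscsi project. The dmesg lines are constructed sample input, the device names sr0 and sdb are assumptions taken from that sample, and the access command itself is not part of this example.

```sh
#!/bin/sh
# Added example (not from the article): locate the virtual CD-ROM and the normal
# drive that a fingerprint stick registers under Linux, unmount both, and export
# PLSCSI so that PLscsi talks to the whole disk device.

# Constructed dmesg excerpt for a stick that exposes two LUNs; real output differs.
SAMPLE_DMESG='usb 1-2: new high-speed USB device number 4 using ehci_hcd
usb-storage 1-2:1.0: USB Mass Storage device detected
scsi6 : usb-storage 1-2:1.0
scsi 6:0:0:0: CD-ROM            SAMPLE   FP STICK         1.00 PQ: 0 ANSI: 0
scsi 6:0:0:1: Direct-Access     SAMPLE   FP STICK         1.00 PQ: 0 ANSI: 0
sr0: scsi3-mmc drive: 0x/0x caddy
sr 6:0:0:0: Attached scsi CD-ROM sr0
sd 6:0:0:1: [sdb] 2015232 512-byte logical blocks: (1.03 GB/984 MiB)
sd 6:0:0:1: [sdb] Attached SCSI removable disk'

# Name of the most recently attached CD-ROM device (sr*) in the given dmesg text.
stick_cdrom() {
    printf '%s\n' "$1" | sed -n 's/.*Attached scsi CD-ROM \(sr[0-9]*\).*/\1/p' | tail -n 1
}

# Name of the most recently attached removable disk (sd*) in the given dmesg text.
stick_disk() {
    printf '%s\n' "$1" | sed -n 's/.*\[\(sd[a-z]*\)] Attached SCSI removable disk.*/\1/p' | tail -n 1
}

# Unmount the CD-ROM, the disk and any of its partitions (errors for devices that
# are not mounted are ignored), then export PLSCSI for the whole disk.
# Needs root, exactly as the article says.
prepare_stick() {
    disk=$1
    cdrom=$2
    for dev in /dev/"$cdrom" /dev/"$disk" /dev/"$disk"[0-9]*; do
        [ -e "$dev" ] && umount "$dev" 2>/dev/null
    done
    PLSCSI=/dev/$disk
    export PLSCSI
    printf 'PLSCSI=%s\n' "$PLSCSI"
}

# Usage on a real system: replace SAMPLE_DMESG with "$(dmesg)".
# prepare_stick "$(stick_disk "$SAMPLE_DMESG")" "$(stick_cdrom "$SAMPLE_DMESG")"
```

The parsing functions only read text, so you can check them against your own dmesg output before running prepare_stick as root; the latter unmounts everything under the stick's disk node, so double-check that the name it found is the stick and not your system drive.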

Image: PLscsi command prompt. Caption: The protected partition can be connected under Windows in three steps.

In addition to the protected partition, there is another small hidden partition where private PGP keys, passwords and, apparently, fingerprint data are stored. We did not manage to get access to it, and in our analysis of USB traffic we could not establish whether the fingerprint stored on the hidden partition ever leaves the stick or the card. It would seem that the stored fingerprint is compared within the stick to the fingerprint read from the sensor. It's all the more unfortunate, then, that the access command comes from outside.

Conclusion

The fingerprint sensors in the products mentioned above apparently only serve one purpose: they mislead interested buyers. They do not provide any significant level of protection. We can only recommend that these products not be purchased. If you want to protect your data effectively on a USB stick with a fingerprint, you would be better off with products such as MXI Security's Stealth MXP, which has integrated hardware encryption. The 1GB version also costs twice as much as 9pay's solution and more than 10 times as much as the A-Data stick. A quite affordable solution that is nonetheless secure is also available: a normal stick, the free TrueCrypt encryption software, and a good password. (dab)

This article was originally published in German in c't magazine 05/08, page 70

Permalink: http://h-online.com/-746205