Secure thumb drives certainly have an important role to play in protecting data from thieves. However, despite the fact that there is a market for fingerprint USB drives, secure devices based on biometric technology are more vulnerable to security breaches than if they were protected by passwords. Without understanding the vulnerabilities, the arguments for biometrics are seductive:
- An attacker cannot access data without the owner’s finger.
- Keystroke-logging malware has no password to steal.
- It is more convenient to authenticate with a finger scan than to type in passwords.
Fingerprint USBs seem to be the ultimate in security, and they possess the aura of an idea that was once science fiction. But would-be buyers should be fully apprised of the limitations of the technology. Password-protected flash drives might be preferable to fingerprint USB products.
Biometric USB flash drives process scans with the central processing unit (CPU) contained in the drive itself, which means that the processing occurs without the benefit of the horsepower in the attached personal computer. With low-powered onboard CPUs and low-cost scanners, matching is not always reliable. A fingerprint USB flash drive might work for a long time and then fail so that the user is locked out of the data entrusted to the biometric USB flash drive. There is also increasing anecdotal evidence that some people’s fingers are resistant to biometric scanning.
Another challenging aspect of fingerprint USBs makes itself known in corporate settings after a user has resigned or been terminated. Unless the employee cooperates, administrators and officers of the law have no access to the data in a fingerprint USB flash drive. If the security had been based on passwords, the corporate issuer could have provided the drive to an employee with a backdoor password to ensure that the corporation can always access the drives issued to employees.
In addition to scanning challenges such as dry fingers, worn fingers, lotion-covered fingers and sweaty fingers, perhaps the most glaring vulnerability of fingerprint USB drives is that they are capable of being spoofed. Researchers at the Graduate School of Environmental and Information Sciences at Yokohama National University have proven that it is possible to process fingerprint images left on certain surfaces and to reverse engineer accurate artificial copies of the fingers that deposited the images. The researchers were able to construct gummy fingers out of gelatin and silicone that reliably spoof scanners.
The procedures that the researchers used to spoof the readers involved enhancing a fingerprint from a suitable surface with a cyanoacrylate adhesive and then photographing it with a digital camera. They then printed the image on a transparency sheet after boosting the contrast using Adobe Photoshop. The next step was to use the transparency to etch the fingerprint onto a photo-sensitive printed-circuit board in order to create a three-dimensional negative image of the print. The researchers poured gelatin into the resulting mold to create a gummy finger that accepted fingerprint details with sufficient fidelity to spoof scanners about 80 percent of the time.
The fingerprint USB industry is aware of these vulnerabilities, and researchers at Fujitsu and NEC are experimenting with systems that look beyond the arches, loops and whorls in fingerprints to read subcutaneous tissue and vein patterns. However, because we continue to have reservations about present-day scanner-based security, one of the reasons that our review of the Kanguru Bio AES names it best in the fingerprint USB thumb drive product category is that it supports password protection as well as biometric protection. Therefore we recommend the Kanguru Bio AES without any reservations. We also review the Transcend JetFlash 220 USB Flash Drive and the BUSlink Biometric Fingerprint USB Flash Drive, both of which are susceptible to the vulnerabilities inherent in products that rely solely on scanning technology for user authentication. We invite you to read more articles about fingerprint USB drives. And if, for some reason, you do not want the excellent Kanguru Bio AES or we have scared you away from fingerprint USB products altogether, then you might consider reading reviews of secure USB drives that employ password protection with no biometric option.