* Posts by MrMan

1 publicly visible post • joined 3 Apr 2008

Coming up: the fingerprint-grabbing keylogger


@Anonymous Coward above

This is all well and good, but the fact of the matter is that the systems AREN'T implemented as you suggest: there is no encryption, and the "hardening" of the system essentially breaks down to making it "vandal resistant".

You are essentially using the same line as a couple of RFID manufacturers are using of late, "Yes it's there but it's not a problem there's better systems now" (ignoring the already wide deployment of these systems and the incredibly low likelihood that anybody is going to completely replace their existing system).

Hardening the hardware doesn't make a lot of difference when you have 500m or more of cable running from the access panel to the backend system, which runs through your building and no doubt provides, say, an electrical contractor ample opportunities to place a logger /somewhere/ along the line. One can fairly easily convert Wiegand to something else and send it over the air, so the actual logging system need not even be IN the building, not to mention that if you DO discover somebody's tapped your access control system you then need to FIND the device in question along the 500m cable run.

This is a real attack, it has real consequences, and being able to reconstruct images of fingerprints passing through the system is a good way along the path to creating an analogue of that fingerprint.

People need to realise that Biometrics are not suitable for AUTHENTICATION or AUTHORISATION; they are suitable to some point for IDENTIFICATION, but the access control should not be based solely on them.

The biggest issue with biometrics is that of revoking them if they get stolen...