15 Oct
2004
15 Oct
'04
2:09 a.m.
Alan Barrett <apb@cequrux.com> writes:
On Tue, 12 Oct 2004, John Kelsey wrote:
but there doesn't seem to be a clean process for determining how skilled an attacker needs to be to, say, scan my finger once, and produce either a fake finger or a machine for projecting a fake fingerprint into the reader.
... or a replacement reader that fakes the signals to the rest of the security system.
I've seen a number of smart card/PCMCIA combo devices that to this, they have a discrete fingerprint sensor device connected to a discrete crypto device. You can fake out the fingerprint check portion by tying one of the connecting lines to Vcc or GND. Peter.