May 18th, 2002, 08:03 AM
This hacker's got the gummy touch
Companies using fingerprint readers to increase security now have to worry about a new threat: the gummy finger.
A Japanese researcher presented a study on Tuesday at the International Telecommunications Union's Workshop on Security in Seoul, Korea, showing that fingerprint readers can be fooled 80 percent of the time by a fake finger created with gelatin sporting prints lifted from a glass, for example.
The results should be enough to send fingerprint sensor makers back to the drawing board, said Bruce Schneier, chief technology officer with Counterpane Internet Security.
"He didn't use expensive equipment or a specialized laboratory," he wrote in his monthly newsletter Cryptogram, which first reported the study. "He used $10 of ingredients you could buy and whipped up his gummy fingers in the equivalent of a home kitchen."
Despite its rudimentary nature, the technique defeated 11 different commercial fingerprint readers. Biometric security makers, though, are not quite ready to eat their technology.
"None of this came as a great surprise, except of his positioning about how easy this is," said Vance Bjorn, chief technology officer for fingerprint-security product maker Digital Persona. "He has put together and documented a fairly elaborate process which worked in a lab environment."
Bjorn stressed that there are a lot of countermeasures that biometrics makers can take to defeat any threat of "gummy fingers."
In his presentation posted online, Tsutomu Matsumoto, a graduate student of environment and information science at Yokohama National University, showed two methods of creating a fake finger using gelatin.
First, he used molding plastic and gelatin to create a fake fingerprint from an authorized user's finger in less than an hour. Matsumoto calls the result, a flat lozenge of gelatin, a "gummy finger," and it can fool 11 different fingerprint detectors with success varying between 70 percent and 95 percent.
Such a technique requires access to someone's finger to make the gummy model, and thus, is not a large security threat.
A second technique outlined by Matsumoto is far more threatening, because it uses latent fingerprints left by a person on various surfaces.
Matsumoto outlined a method to lift fingerprints with a microscope, clean up the image with digital photography tools, and then print out the image onto a transparent sheet. The sheet is used to expose a photosensitive printed circuit board (found in hobby shops), which is then etched to create fingerprint impressions in the board. Finally, the gelatin is poured over the etched print and allowed to cool, creating the gummy finger.
This method had even more success in fooling the 11 different sensors, gaining authorization anywhere from 80 percent to 100 percent of the time.
Aside from using easily obtained materials, Cryptogram's Schneier jokes that a culprit can easily hide the evidence of his crime.
"After it lets you in, eat the evidence," he wrote.
Yet Digital Persona's Bjorn stressed that while the study was interesting, several factors limit its importance. The technique can only be used to steal a single person's fingerprint and does not allow broad access, as do some security flaws. Also, most fingerprint sensor hardware allows several other parameters, such as body heat, to be measured, which adds up to higher security.
"You (can) start coupling different factors: temperature, resistance, color change, and maybe you lock onto a pulse," he said. "If you have all four of those measures, that would be a very complicated fake finger to make."
The trade-off, however, is that the more variables are included in an identification equation, the more frequently even a legitimate user could be denied access.
"Companies just want to have a very quick tap to access," Bjorn stressed. "There are a lot of ways that we have researched to raise the bar of security in this matter; it's just the matter of having our customers drive the need for this."
Perhaps the gummy finger will do just that.
May 18th, 2002, 08:09 AM
Quoting a source is always a nice thing to do
May 18th, 2002, 08:17 AM
Source was an email from a buddy....
I get web news in my emails.....
May 18th, 2002, 08:35 AM
"Hot melt glue" will give you the same imprint!!
Then again your victim will certainly know you stole his print?
May 18th, 2002, 08:38 AM
If I'm not mistaken, sparky posted the same thing: http://www.antionline.com/showthread...hreadid=228033
just wanted to share
May 18th, 2002, 08:53 AM
*lol* sorry I guess you're right.... I did not read his thread..... *Mybad*
May 18th, 2002, 08:54 AM
lol it's ok, just thought I'd bring it to your attention; happens every so often, no biggie hehe
May 18th, 2002, 11:41 AM
damn, you can't make something secure
hip hop rules
May 18th, 2002, 12:20 PM
Here is a link to the same kind of thing, http://www.totse.com/en/bad_ideas/lo...ty/164704.html, if anyone wants further reading
By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
The 20th century pharaohs have the slaves demanding work
May 18th, 2002, 06:05 PM
There is no technological answer to the problems of security.
Just as someone could create a fake finger, you could counterfeit the data sent to verify
Instead of putting a finger on the scanner, you upload a file that emulates the data that the scanner would otherwise send to the remote host. There's no way it could distinguish the difference.
Also, in order to implement a widespread use of fingerprint scanning, someone would have to maintain a database of authorized fingerprint data. Steal this database and the game is over.
Security is a moral and human problem, not a technical one. There is no digital
I came in to the world with nothing. I still have most of it.
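The uploaded-file scenario from the post above, seen from the remote host's side, as an added example that is not part of the original thread: a host that issues a fresh challenge per scan and checks a keyed tag over challenge plus scan data can tell a replayed or keyless upload from a reader response. `Host`, `reader_respond` and `DEVICE_KEY` are hypothetical names, and the sketch assumes the reader holds a per-device secret that the uploader does not.

```python
import hashlib
import hmac
import os

# Assumption: a per-device secret provisioned into the reader at enrollment.
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"

class Host:
    """Remote host: issues one-time challenges and verifies reader responses."""
    def __init__(self, key):
        self.key = key
        self.pending = set()

    def challenge(self):
        nonce = os.urandom(16)          # fixed length keeps nonce||data unambiguous
        self.pending.add(nonce)
        return nonce

    def verify(self, nonce, template, tag):
        if nonce not in self.pending:   # each challenge is accepted only once
            return "rejected: unknown or reused challenge"
        self.pending.discard(nonce)
        expected = hmac.new(self.key, nonce + template, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"
        return "accepted for matching"

def reader_respond(key, nonce, template):
    """Reader side: bind the scan data to the host's challenge."""
    return hmac.new(key, nonce + template, hashlib.sha256).digest()

def demo():
    host = Host(DEVICE_KEY)
    template = b"constructed-minutiae-bytes"   # constructed sample scan data
    n1 = host.challenge()
    tag1 = reader_respond(DEVICE_KEY, n1, template)
    live = host.verify(n1, template, tag1)
    replay_same = host.verify(n1, template, tag1)        # captured message resent
    replay_new = host.verify(host.challenge(), template, tag1)  # old tag, new nonce
    n3 = host.challenge()
    keyless = host.verify(n3, template, hashlib.sha256(n3 + template).digest())
    return live, replay_same, replay_new, keyless

if __name__ == "__main__":
    for result in demo():
        print(result)
```

This covers only data injected between reader and host; a fake finger presented to the sensor still produces a validly tagged response, which is where the liveness measures Bjorn describes apply.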