This hacker's got the gummy touch
Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: This hacker's got the gummy touch

  1. #1
    System_Overload
    Guest

    Post This hacker's got the gummy touch

    Companies using fingerprint readers to increase security now have to worry about a new threat: the gummy finger.
    A Japanese researcher presented a study on Tuesday at the International Telecommunications Union's Workshop on Security in Seoul, Korea, showing that fingerprint readers can be fooled 80 percent of the time by a fake finger created with gelatin sporting prints lifted from a glass, for example.

    The results should be enough to send fingerprint sensor makers back to the drawing board, said Bruce Schneier, chief technology officer with Counterpane Internet Security.



    "He didn't use expensive equipment or a specialized laboratory," he wrote in his monthly newsletter Cryptogram, which first reported the study. "He used $10 of ingredients you could buy and whipped up his gummy fingers in the equivalent of a home kitchen."

    Despite its rudimentary nature, the technique defeated 11 different commercial fingerprint readers. Biometric security makers, though, are not quite ready to eat their technology.

    "None of this came as a great surprise, except of his positioning about how easy this is," said Vance Bjorn, chief technology officer for fingerprint-security product maker Digital Persona. "He has put together and documented a fairly elaborate process which worked in a lab environment."

    Bjorn stressed that there are a lot of countermeasures that biometrics makers can take to defeat any threat of "gummy fingers."

    In his presentation posted online, Tsutomu Matsumoto, a graduate student of environment and information science at Yokohama National University, showed two methods of creating a fake finger using gelatin.

    First, he used molding plastic and gelatin to create a fake fingerprint from an authorized user's finger in less than an hour. Matsumoto calls the result, a flat lozenge of gelatin, a "gummy finger," and it can fool 11 different fingerprint detectors with success varying between 70 percent and 95 percent.

    Such a technique requires access to someone's finger to make the gummy model, and thus, is not a large security threat.

    A second technique outlined by Matsumoto is far more threatening, because it uses latent fingerprints left by a person on various surfaces.

    Matsumoto outlined a method to lift fingerprints with a microscope, clean up the image with digital photography tools, and then print out the image onto a transparent sheet. The sheet is used to expose a photosensitive printed circuit board (found in hobby shops), which is then etched to create fingerprint impressions in the board. Finally, the gelatin is poured over the etched print and allowed to cool, creating the gummy finger.

    This method had even more success in fooling the 11 different sensors, gaining authorization anywhere from 80 percent to 100 percent of the time.

    Aside from using easily obtained materials, Cryptogram's Schneier jokes that a culprit can easily hide the evidence of his crime.

    "After it lets you in, eat the evidence," he wrote.

    Yet Digital Persona's Bjorn stressed that while the study was interesting, several factors limit its importance. The technique can only be used to steal a single person's fingerprint and does not allow broad access, as do some security flaws. Also, most fingerprint sensor hardware allows several other parameters, such as body heat, to be measured, which adds up to higher security.

    "You (can) start coupling different factors: temperature, resistance, color change, and maybe you lock onto a pulse," he said. "If you have all four of those measures, that would be a very complicated fake finger to make."

    The trade-off, however, is the more variables are included in an identification equation, the more frequent even a legitimate user could be denied access.

    "Companies just want to have a very quick tap to access," Bjorn stressed. "There are a lot of ways that we have researched to raise the bar of security in this matter; it's just the matter of having our customers drive the need for this."

    Perhaps the gummy finger will do just that.


    System_0verload

  2. #2
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    Quoting a source is always a nice thing to do

  3. #3
    System_Overload
    Guest

    Thumbs up

    Source was an email from a buddie....
    I get web news in my emails.....


    System_0verload

  4. #4
    Senior Member Info_Au's Avatar
    Join Date
    Jul 2001
    Location
    Melbourne
    Posts
    273
    "Hot melt glue" will give you the same imprint!!

    Then again your victim will certainly know you stole his print?

  5. #5
    Banned
    Join Date
    Sep 2001
    Posts
    522
    if im not mistaken sparky posted the same thing http://www.antionline.com/showthread...hreadid=228033

    just wanted to share

  6. #6
    System_Overload
    Guest

    Thumbs up

    *lol* sorry I guess your right.... I did not read his thread..... *Mybad*


    System_0verload

  7. #7
    Banned
    Join Date
    Sep 2001
    Posts
    522
    lol its ok, just thought id bring it up to your attention happens every so often, no biggie hehe

  8. #8
    Senior Member
    Join Date
    Aug 2001
    Posts
    149
    damn, you can't make something secure
    hip hop rules

  9. #9
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,050
    here is a link 2 the same kinda thing http://www.totse.com/en/bad_ideas/lo...ty/164704.html if any one wants further reading
    By the sacred **** of the sacred psychedelic tibetan yeti ....We\'ll smoke the chinese out
    The 20th century pharoes have the slaves demanding work
    http://muaythaiscotland.com/

  10. #10
    AO Curmudgeon rcgreen's Avatar
    Join Date
    Nov 2001
    Posts
    2,716

    Thumbs up

    There is no technological answer to the
    problems of security.
    Just as someone could create a fake finger,
    you could counterfeit the data sent to verify
    the fingerprint.

    Instead of putting a finger on the scanner,
    you upload a file that emulates the data
    that the scanner would otherwise send to
    the remote host. There's no way it could
    distinguish the difference.

    Also, in order to implement a widespresd
    use of fingerprint scanning, someone would
    have to maintain a database of authorized
    fingerprint data. Steal this database and
    the game is over.

    Security is a moral and human problem,
    not a technical one. There is no digital
    Maginot Line.
    I came in to the world with nothing. I still have most of it.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •