Topic: un with fingerprints...actually
started by: fatalbert
Posted by fatalbert on May 16 2002,21:11
Fun with Fingerprint ReadersTsutomu Matsumoto, a Japanese cryptographer, recently decided to look at
biometric fingerprint devices. These are security systems that attempt to
identify people based on their fingerprint. For years the companies
selling these devices have claimed that they are very secure, and that it
is almost impossible to fool them into accepting a fake finger as
genuine. Matsumoto, along with his students at the Yokohama National
University, showed that they can be reliably fooled with a little ingenuity
and $10 worth of household supplies.
Matsumoto uses gelatin, the stuff that Gummi Bears are made out of. First
he takes a live finger and makes a plastic mold. (He uses a free-molding
plastic used to make plastic molds, and is sold at hobby shops.) Then he
pours liquid gelatin into the mold and lets it harden. (The gelatin comes
in solid sheets, and is used to make jellied meats, soups, and candies, and
is sold in grocery stores.) This gelatin fake finger fools fingerprint
detectors about 80% of the time.
His more interesting experiment involves latent fingerprints. He takes a
fingerprint left on a piece of glass, enhances it with a cyanoacrylate
adhesive, and then photographs it with a digital camera. Using PhotoShop,
he improves the contrast and prints the fingerprint onto a transparency
sheet. Then, he takes a photo-sensitive printed-circuit board (PCB) and
uses the fingerprint transparency to etch the fingerprint into the copper,
making it three-dimensional. (You can find photo-sensitive PCBs, along
with instructions for use, in most electronics hobby shops.) Finally, he
makes a gelatin finger using the print on the PCB. This also fools
fingerprint detectors about 80% of the time.
Gummy fingers can even fool sensors being watched by guards. Simply form
the clear gelatin finger over your own. This lets you hide it as you press
your own finger onto the sensor. After it lets you in, eat the evidence.
Matsumoto tried these attacks against eleven commercially available
fingerprint biometric systems, and was able to reliably fool all of
them. The results are enough to scrap the systems completely, and to send
the various fingerprint biometric companies packing. Impressive is an
understatement.
There's both a specific and a general moral to take away from this
result. Matsumoto is not a professional fake-finger scientist; he's a
mathematician. He didn't use expensive equipment or a specialized
laboratory. He used $10 of ingredients you could buy, and whipped up his
gummy fingers in the equivalent of a home kitchen. And he defeated eleven
different commercial fingerprint readers, with both optical and capacitive
sensors, and some with "live finger detection" features. (Moistening the
gummy finger helps defeat sensors that measure moisture or electrical
resistance; it takes some practice to get it right.) If he could do this,
then any semi-professional can almost certainly do much much more.
More generally, be very careful before believing claims from security
companies. All the fingerprint companies have claimed for years that this
kind of thing is impossible. When they read Matsumoto's results, they're
going to claim that they don't really work, or that they don't apply to
them, or that they've fixed the problem. Think twice before believing them.
Matsumoto's paper is not on the Web. You can get a copy by asking:
tsutomu@mlab.jks.ynu.ac.jp Tsutomu Matsumoto
Here's the reference:
T. Matsumoto, H. Matsumoto, K. Yamada, S. Hoshino, "Impact of Artificial
Gummy Fingers on Fingerprint Systems," Proceedings of SPIE Vol. #4677,
Optical Security and Counterfeit Deterrence Techniques IV, 2002.
Some slides from the presentation are here:
< slides >
Some guy's essay on the uses and abuses of biometrics:
< essay >
Biometrics at the shopping center: pay for your groceries with your
thumbprint.
< free groceries! >
Posted by editor on May 17 2002,00:35
Presto!Instant content for Detnet's site!
FB, would you mind bookmarking this for a couple weeks and then you can upload it when the site is up?
It's perfect!
Posted by Necromancer on May 17 2002,00:50
james bond and mission impossible fans have known this for years!surely you've seen a spy film at some point. they do it all the time in them.
Posted by editor on May 17 2002,03:55
And they can drive tanks, swim underwater for 3 minutes with no air...This is real!