[ISN] This hacker's got the gummy touch

From: InfoSec News (isnat_private)
Date: Fri May 17 2002 - 02:49:19 PDT


    By Robert Lemos 
    Staff Writer, CNET News.com
    May 16, 2002, 12:10 PM PT
    Companies using fingerprint readers to increase security now have to
    worry about a new threat: the gummy finger.
    A Japanese researcher presented a study on Tuesday at the
    International Telecommunications Union's Workshop on Security in
    Seoul, Korea, showing that fingerprint readers can be fooled 80
    percent of the time by a fake finger created with gelatin sporting
    prints lifted from a glass, for example.
    The results should be enough to send fingerprint sensor makers back to
    the drawing board, said Bruce Schneier, chief technology officer with
    Counterpane Internet Security.
    "He didn't use expensive equipment or a specialized laboratory," he
    wrote in his monthly newsletter Cryptogram, which first reported the
    study. "He used $10 of ingredients you could buy and whipped up his
    gummy fingers in the equivalent of a home kitchen."
    Despite its rudimentary nature, the technique defeated 11 different
    commercial fingerprint readers. Biometric security makers, though, are
    not quite ready to eat their technology.
    "None of this came as a great surprise, except of his positioning
    about how easy this is," said Vance Bjorn, chief technology officer
    for fingerprint-security product maker Digital Persona. "He has put
    together and documented a fairly elaborate process which worked in a
    lab environment."
    Bjorn stressed that there are a lot of countermeasures that biometrics
    makers can take to defeat any threat of "gummy fingers."
    In his presentation posted online, Tsutomu Matsumoto, a graduate
    student of environment and information science at Yokohama National
    University, showed two methods of creating a fake finger using
    First, he used molding plastic and gelatin to cast a fake fingerprint
    directly from an authorized user's finger, a process that took less
    than an hour. Matsumoto calls the result, a flat lozenge of gelatin, a
    "gummy finger," and it fooled 11 different fingerprint detectors with
    success rates varying between 70 percent and 95 percent.
    Because this technique requires direct access to the victim's finger
    to make the mold, it is not by itself a large security threat.
    A second technique outlined by Matsumoto is far more threatening,
    because it uses latent fingerprints left by a person on various
    Matsumoto outlined a method to lift fingerprints with a microscope,
    clean up the image with digital photography tools, and then print out
    the image onto a transparent sheet. The sheet is used to expose a
    photosensitive printed circuit board (found in hobby shops), which is
    then etched to create fingerprint impressions in the board. Finally,
    the gelatin is poured over the etched print and allowed to cool,
    creating the gummy finger.
    This method had even more success in fooling the 11 different sensors,
    gaining authorization anywhere from 80 percent to 100 percent of the
    Beyond relying on easily obtained materials, the technique also lets a
    culprit dispose of the evidence without much effort, Cryptogram's
    Schneier jokes.
    "After it lets you in, eat the evidence," he wrote.
    Yet Digital Persona's Bjorn stressed that while the study was
    interesting, several factors limit its importance. The technique
    yields a copy of only a single person's fingerprint and does not grant
    broad access, as some software security flaws do. Also, most
    fingerprint sensor hardware can measure several other parameters, such
    as body heat, and combining them raises the bar for an attacker.
    "You (can) start coupling different factors: temperature, resistance,
    color change, and maybe you lock onto a pulse," he said. "If you have
    all four of those measures, that would be a very complicated fake
    finger to make."
    The trade-off, however, is that the more variables are folded into the
    identification decision, the more often even a legitimate user will be
    denied access, since each additional check adds its own chance of a
    false rejection.
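    The trade-off above can be made concrete with a small model. The
    example below is added here and is not code from the article, from
    Matsumoto's study, or from Digital Persona; the per-check error rates
    it uses are constructed assumptions chosen for illustration, not
    measured values (the only figure taken from the article is the roughly
    80 percent acceptance of a gummy finger by the ridge match alone). It
    computes, under an independence assumption, how the false-rejection
    rate (FRR, legitimate users turned away) and false-acceptance rate
    (FAR, gummy fingers admitted) change as liveness checks such as
    temperature, resistance, color change and pulse are stacked on top of
    the ridge match, and it contrasts a strict "all checks must pass"
    policy with a more forgiving "m of n" vote.

```python
from itertools import product
from math import prod

# Constructed per-check error rates (assumptions for illustration only):
#   fr = probability the check wrongly REJECTS a legitimate, live finger
#   fa = probability the check wrongly ACCEPTS a gelatin ("gummy") finger
# The 0.80 acceptance for the ridge match is the article's ballpark figure;
# every other number is invented to show the shape of the trade-off.
CHECKS = {
    "ridge_match":  {"fr": 0.02, "fa": 0.80},
    "temperature":  {"fr": 0.05, "fa": 0.30},
    "resistance":   {"fr": 0.05, "fa": 0.25},
    "color_change": {"fr": 0.08, "fa": 0.15},
    "pulse":        {"fr": 0.10, "fa": 0.05},
}

# Order in which a vendor might "couple" the factors, per the quote above.
ORDER = ["ridge_match", "temperature", "resistance", "color_change", "pulse"]


def rates_all_required(check_names):
    """Policy: admit only if EVERY listed check passes.

    Checks are treated as independent (a simplifying assumption).
    A legitimate user is rejected if any single check fails, so FRR grows
    with each added check; a gummy finger must fool all of them, so FAR
    shrinks. Returns (frr, far)."""
    frr = 1 - prod(1 - CHECKS[c]["fr"] for c in check_names)
    far = prod(CHECKS[c]["fa"] for c in check_names)
    return frr, far


def rates_m_of_n(check_names, m):
    """Policy: admit if at least m of the n listed checks pass.

    Enumerates every pass/fail outcome (2**n of them, fine for a handful
    of sensors) and sums the probability mass of the outcomes that admit.
    Returns (frr, far)."""
    p_legit_admitted = 0.0
    p_fake_admitted = 0.0
    for outcome in product((True, False), repeat=len(check_names)):
        if sum(outcome) < m:
            continue
        p_legit = prod((1 - CHECKS[c]["fr"]) if passed else CHECKS[c]["fr"]
                       for c, passed in zip(check_names, outcome))
        p_fake = prod(CHECKS[c]["fa"] if passed else (1 - CHECKS[c]["fa"])
                      for c, passed in zip(check_names, outcome))
        p_legit_admitted += p_legit
        p_fake_admitted += p_fake
    return 1 - p_legit_admitted, p_fake_admitted


def trade_off_table(order=ORDER):
    """Add the checks one at a time under the all-required policy and
    record (checks_used, frr, far) after each addition."""
    rows = []
    for i in range(1, len(order) + 1):
        used = order[:i]
        frr, far = rates_all_required(used)
        rows.append((tuple(used), frr, far))
    return rows


if __name__ == "__main__":
    print("all checks required (FRR = legit users rejected, FAR = gummies admitted)")
    for used, frr, far in trade_off_table():
        print(f"  {len(used)} check(s): FRR={frr:6.1%}  FAR={far:8.4%}   last added: {used[-1]}")
    print("same five checks, but admit on m-of-5 votes:")
    for m in (5, 4, 3):
        frr, far = rates_m_of_n(ORDER, m)
        print(f"  {m}-of-5:    FRR={frr:6.1%}  FAR={far:8.4%}")
```

    With these assumed numbers, requiring all five checks drives the gummy
    finger's acceptance down to a fraction of a percent but turns away
    roughly one legitimate user in four, which is exactly the "quick tap"
    usability cost Bjorn describes; relaxing to a 4-of-5 vote recovers
    most of the usability at the price of a higher FAR. The real design
    question for a vendor is where on that curve to sit, and the answer
    depends on per-sensor error rates that only measurement, not a model
    like this one, can supply.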
    "Companies just want to have a very quick tap to access," Bjorn
    stressed. "There are a lot of ways that we have researched to raise
    the bar of security in this matter; it's just the matter of having our
    customers drive the need for this."
    Perhaps the gummy finger will do just that.
