
Jelly babies dupe fingerprint security

Rupert Goodwins GameSpot Europe

Published: 16 May 2002 16:03 BST


A Japanese researcher claims to have found a way to fool fingerprint scanners up to 80 percent of the time, using household materials and a little lateral thinking.

According to the security newsletter Crypto-Gram, Tsutomu Matsumoto from Yokohama National University has evolved a technique that takes casts from fingers and builds fake digits from gelatin -- the stuff of jelly babies. With care, he says, all 11 of the current fingerprint scanning technologies he tested give a false positive 80 percent of the time using the fraudulent jelly extremity.

Anyone can do this, says the researcher. First, take some free-molding plastic, obtainable from hobby stores. Take a cast of your finger. Once the plastic has hardened, pour in gelatin, available in sheets from grocery stores, and let it set. Optionally, you can then hollow out the fake finger and slip it over your own, bringing it up to body temperature for sensors that check that; you can also moisten it slightly to give it the same conductivity and capacitance as real flesh. Matsumoto also points out that if challenged by a security guard, you can eat the evidence.

In a more practical vein, Matsumoto has demonstrated a variation that works from fingerprints left on glass or other surfaces. First, he enhances the print with cyanoacrylate adhesive -- superglue -- which is a standard technique used by forensic specialists to make prints visible. Then he takes a picture with a digital camera, enhances the contrast in Photoshop and prints it on a transparency. He then uses this to etch a photosensitive copper-plated printed circuit board -- widely used by electronic engineers and hobbyists. This produces a 3D relief map of the original fingerprint, which can then be used to create a cast. The rest is as before.

Bruce Schneier, editor of Crypto-Gram, points out that Matsumoto is not a professional faker but a mathematician, and that he conducted his experiments in what was in effect a kitchen environment. If he can achieve a reliable 80 percent hit rate, Schneier says, even semi-professionals can do much, much more, and the results are enough to scrap all fingerprint recognition systems immediately.

