Sweet bypass for student finger scanner (Kids use Gummi Bears to beat security)
Posted on 10/27/2010 11:47:11 PM PDT by prisoner6
The system replaces the school's traditional sign-in system with biometric readers that require senior students to have their fingerprints read to verify attendance.
Henry Kendall High School, on the NSW Central Coast, has pitched the system to parents as a convenient way for students to clock in and out of school during their irregular hours.
Principal Bob Cox told the ABC that the system was preferred over swipe cards, which students can abuse by signing in for each other.
But a litany of fingerprint scanners have fallen victim to bypass methods, many of which are explained publicly in detail on the internet. The hacks could potentially be used by students to make replicas of their own fingerprints, or lift those of others from imprints left on the reader.
Japanese cryptographer Tsutomu Matsumoto used gelatin, the ingredient in Gummi Bears, to forge a replica finger that fooled 11 fingerprint scanners during tests in 2002. Gelatine has virtually the same capacitance as a finger's skin, meaning it can fool scanners designed to detect electrical charges within the human body.
"Simply form the clear gelatine finger over your own [which] lets you hide it as you press your own finger onto the sensor. After [the reader] lets you in, eat the evidence," BT chief technology officer Bruce Schneier said of the so-called Gummi Bear attack.
Chris Gatford, director of penetration testing firm HackLabs, has foiled biometric fingerprint scanners before.
"Whether it can be hacked depends on how clever the device is. If it is a reasonable quality, it will look for blood flow and heat, but entry-level models do not."
The NSW Department of Education said in a statement that the software does not store digital copies of fingerprints, but creates templates of unique characteristics.
This should prevent stored fingerprint images from being stolen, but would not prevent students bypassing machines.
The department said the decision to adopt the technology is up to the school, and participation in the scheme is optional.
Fingerprints can be lifted from a variety of surfaces, and then scanned, printed and applied to receptacle mediums which are used to trick scanners.
Finnish researcher Ton van der Putte hacked a scanner used for checkout payments in a chain of stores based in the Netherlands in 2008, while another Finnish researcher, Mikko Kiviharju, lifted prints from Microsoft's now-defunct Fingerprint Reader.
What I don't get is if you use the gummi bear to copy your print wouldn't it be a reverse image and shouldn't the scanner realize that?
You might take the print negative on one gummi bear (or more plausibly a headlong slice of a gummi bear), freeze it hard in the freezer, and then use that to imprint a positive copy on a room temperature slice of gummi bear. Just surmising. I never was comfortable with the “pay by finger touch” systems. That would provide a new incentive for a thief to steal your finger.
Ahh...that makes sense!
Future freedom fighters - well, maybe. But I love a good rebel against big brother.
I’m surprised the system isn’t programmed to raise a hullabaloo upon getting a “finger” that it does not recognize. That would discourage amateur system hackers in a hurry, because it’s either perfection the first time or be outed as a hacker.
The very idea that they are using fingerprint scanners is an outrage. This kind of heavy handed fascist sh!t has got to stop!!! They are wasting taxpayers’ money in tough times to verify school attendance, meanwhile they are brainwashing children into thinking that being tracked by biometrics is okay and acceptable. Here’s an idea... A teacher takes a roll call at class... if a child is not there, they are marked as being absent. But it’s not really about attendance, is it? It is about brainwashing!!!
Another easy way is to take an imprint using clear scotch tape and a dirty finger. If heart rate or blood flow are an issue just wrap it around your finger and poke some holes in it so it can read your pulse ox.
People find a way.
I recently had a part time job that used a finger scanner to punch the time clock. Darn thing worked about 20% of the time.
You have to love adults trying to wrangle kids with technology only to find that the kids defeat their technology with. . . GUMMI BEARS!!! LOLOLOL
The first problem is that the scanners used, en-masse, are not high quality, so false reads are common.
The second problem is that a dirty finger will surely result in a false read.
The third problem is this is a big waste of time and money when we are already over-paying teachers to perform this function!
“Chris Gatford, director of penetration testing firm HackLabs”
JOB TITLE OF THE YEAR
I've dealt with supporting that technology. I hate it, and so, usually, do the users that have to use it. It'd be going off on legitimate users right and left. Oftentimes it doesn't recognize fingers that it *does* have on file.
Soon, to attend public schools, the government will want kids' fingerprints, DNA samples, and will use 3D full body scanners on them daily. Once someone's fingerprints and DNA security credentials are stolen, they can't order new ones from the factory.
If you've got a digital image of the fingerprint, you can make a mold pretty easily. I've got some special paper for laser printers that's used for making pc boards that would work. It's like the T-shirt iron-on paper. Print it off with a laser printer, then iron it onto a piece of copper sheet. The iron re-melts the toner and it sticks to the copper, acting as an acid resist. Mask the rest of the copper with some paint and then etch. Clean off the paint and toner, and you have a fingerprint mold.
“I’m surprised the system isn’t programmed to raise a hullabaloo”
Have a built in Taser. When the kid is flopping on the floor like a fish, everyone knows WHO the hacker is. LOL
Uh, if I read this correctly, they used gelatin, not gummi bears. They just call it that because gummi bears happen to contain gelatin. What a bunch of hyperbole.
ha ha ha haha ha ha ha ah aha hah ah ha
oh my dog I LOVE kids
That is AWESOME!!!!!!!!!!!!!!
Not exactly Fair Dinkum. More like fairy dust.