Posted on 05/16/2002 10:36:19 PM PDT by general_re
Fun with Fingerprint Readers
Tsutomu Matsumoto, a Japanese cryptographer, recently decided to look at biometric fingerprint devices. These are security systems that attempt to identify people based on their fingerprint. For years the companies selling these devices have claimed that they are very secure, and that it is almost impossible to fool them into accepting a fake finger as genuine. Matsumoto, along with his students at the Yokohama National University, showed that they can be reliably fooled with a little ingenuity and $10 worth of household supplies.
Matsumoto uses gelatin, the stuff that Gummi Bears are made out of. First he takes a live finger and makes a plastic mold. (He uses a free-molding plastic used to make plastic molds, and is sold at hobby shops.) Then he pours liquid gelatin into the mold and lets it harden. (The gelatin comes in solid sheets, and is used to make jellied meats, soups, and candies, and is sold in grocery stores.) This gelatin fake finger fools fingerprint detectors about 80% of the time.
His more interesting experiment involves latent fingerprints. He takes a fingerprint left on a piece of glass, enhances it with a cyanoacrylate adhesive, and then photographs it with a digital camera. Using PhotoShop, he improves the contrast and prints the fingerprint onto a transparency sheet. Then, he takes a photo-sensitive printed-circuit board (PCB) and uses the fingerprint transparency to etch the fingerprint into the copper, making it three-dimensional. (You can find photo-sensitive PCBs, along with instructions for use, in most electronics hobby shops.) Finally, he makes a gelatin finger using the print on the PCB. This also fools fingerprint detectors about 80% of the time.
Gummy fingers can even fool sensors being watched by guards. Simply form the clear gelatin finger over your own. This lets you hide it as you press your own finger onto the sensor. After it lets you in, eat the evidence.
Matsumoto tried these attacks against eleven commercially available fingerprint biometric systems, and was able to reliably fool all of them. The results are enough to scrap the systems completely, and to send the various fingerprint biometric companies packing. Impressive is an understatement.
There's both a specific and a general moral to take away from this result. Matsumoto is not a professional fake-finger scientist; he's a mathematician. He didn't use expensive equipment or a specialized laboratory. He used $10 of ingredients you could buy, and whipped up his gummy fingers in the equivalent of a home kitchen. And he defeated eleven different commercial fingerprint readers, with both optical and capacitive sensors, and some with "live finger detection" features. (Moistening the gummy finger helps defeat sensors that measure moisture or electrical resistance; it takes some practice to get it right.) If he could do this, then any semi-professional can almost certainly do much much more.
More generally, be very careful before believing claims from security companies. All the fingerprint companies have claimed for years that this kind of thing is impossible. When they read Matsumoto's results, they're going to claim that they don't really work, or that they don't apply to them, or that they've fixed the problem. Think twice before believing them.
Matsumoto's paper is not on the Web. You can get a copy by asking: Tsutomu Matsumoto - tsutomu@mlab.jks.ynu.ac.jp
Here's the reference: T. Matsumoto, H. Matsumoto, K. Yamada, S. Hoshino, "Impact of Artificial Gummy Fingers on Fingerprint Systems," Proceedings of SPIE Vol. #4677, Optical Security and Counterfeit Deterrence Techniques IV, 2002.
Some slides from the presentation are here: http://www.itu.int/itudoc/itu-t/workshop/security/present/s5p4.pdf
My previous essay on the uses and abuses of biometrics: http://www.counterpane.com/crypto-gram-9808.html#biometrics
Biometrics at the shopping center: pay for your groceries with your thumbprint. http://seattlepi.nwsource.com/local/68217_thumb27.shtml
Subscribe to the (free) Crypto-Gram Newsletter here.
Four years ago the company I work for decided to put thumbprint readers at each computer workstation - that way we could "securely" log-in.
After three months of trying to log-in by thumbprint (and countless hours wasted by computer support people) the system was scrapped.
Failed over 90% of the time.
Democrat fundraiser + latent prints off a glass + "fake finger" = fun with Tommy Daschle.
Well, since you put it that way, I guess there is an upside after all ;)
Does it occur to anyone that this could be used to fool more than just a secuirty device? He's essentially devised a method by which a person's fingerprint (or fingerprint IMAGE) can be used to create a duplicate "finger" which can then be used to leave YOUR fingerprint wherever someone wants to.
The implications for the judicial system is astounding. Criminal lawyers will have a field day casting doubt about the defendant's fingerprints found at the scene of the crime. Every trial will be another OJ Simpson trial.
Lastly, do you suppose there are a few people at the CIA who are very unhappy that this info is now in the public domain?
The in the course of my work, I have visited various secure government facilities since the mid 80s. Over the years, I've noticed all sorts of biometrics devices installed at the entrances to these facilities - fingerprint/hand geometry readers, face recognition systems, even a "booth" that was supposed to combine all of these with a body weight measurement to boot. I have nver seen one in actual day-to-day operation; in fact, most of them were abandoned. I've often wondered how much taxpayer money has been wasted on these things.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.