
Aussie Kids Foil Finger Scanner With Gummi Bears

mask.of.sanity writes "An Australian high school has installed 'secure' fingerprint scanners for roll call for senior students, which savvy kids may be able to circumvent with sweets from their lunch box. The system replaces the school's traditional sign-in system with biometric readers that require senior students to have their fingerprints read to verify attendance. The school principal says the system is better than swipe cards because it stops truant kids getting their mates to sign in for them. But using the Gummi Bear attack, students can make replicas of their own fingerprints from gelatin, the ingredient in Gummi Bears, to forge a replica finger. The attack worked against a bunch of scanners that detect electrical charges within the human body, since gelatin has virtually the same capacitance as a finger's skin."

  • Misleading Title (Score:5, Informative)

    by scdeimos ( 632778 ) on Thursday October 28, 2010 @02:33AM (#34046582)
    Nobody has actually foiled the high school fingerprint scanners yet; it's still only in the realm of (likely) possibility - especially after the kids see this story on /.
  • by PatPending ( 953482 ) on Thursday October 28, 2010 @02:37AM (#34046598)

    Quoting from the end of the fine article (emphasis added by me).

    Tsutomu Matsumoto, a Japanese cryptographer, uses gelatin, the stuff that Gummi Bears are made out of. First he takes a live finger and makes a plastic mold. (He uses a free-molding plastic used to make plastic molds, and is sold at hobby shops.) Then he pours liquid gelatin into the mold and lets it harden. (The gelatin comes in solid sheets, and is used to make jellied meats, soups, and candies, and is sold in grocery stores.) This gelatin fake finger fools fingerprint detectors about 80% of the time.

    His more interesting experiment involves latent fingerprints. He takes a fingerprint left on a piece of glass, enhances it with a cyanoacrylate adhesive, and then photographs it with a digital camera. Using PhotoShop, he improves the contrast and prints the fingerprint onto a transparency sheet. Then, he takes a photo-sensitive printed-circuit board (PCB) and uses the fingerprint transparency to etch the fingerprint into the copper, making it three-dimensional. (You can find photo-sensitive PCBs, along with instructions for use, in most electronics hobby shops.) Finally, he makes a gelatin finger using the print on the PCB. This also fools fingerprint detectors about 80% of the time.

    Gummy fingers can even fool sensors being watched by guards. Simply form the clear gelatin finger over your own. This lets you hide it as you press your own finger onto the sensor. After it lets you in, eat the evidence.

  • by PatPending ( 953482 ) on Thursday October 28, 2010 @02:46AM (#34046636)

    Until Discovery Communications has it taken down--

    http://www.youtube.com/watch?v=LA4Xx5Noxyo

  • Re:Next up... (Score:5, Informative)

    by chrb ( 1083577 ) on Thursday October 28, 2010 @04:32AM (#34047016)

    Easy, just scan people as they walk by, record their numbers and get yourself an adjustable implant. You could change identities whenever you please. That is probably the easiest to spoof of all.

    Zero-knowledge password proof [wikipedia.org]. We've had the technology for several decades to implement systems where mutual authentication can take place without exposing private keys or passwords.

  • Re:Next up... (Score:4, Informative)

    by Joce640k ( 829181 ) on Thursday October 28, 2010 @04:46AM (#34047064) Homepage

    So... you do what Mythbusters did and make a thin gel fingerprint and stick it to your real finger. You'll have temperature, heartbeat, everything.

    It's an unsupervised machine and input sensors can *always* be fooled. Period.

  • Re:Next up... (Score:3, Informative)

    by Cytotoxic ( 245301 ) on Thursday October 28, 2010 @08:10AM (#34047834)

    Actually, the "drag over" sensor on your laptop is susceptible to gel fakes. They did this on Mythbusters. The scanner was even susceptible to the impressively sophisticated "paper photocopy" method....

  • Re:Next up... (Score:3, Informative)

    by chrb ( 1083577 ) on Thursday October 28, 2010 @11:19AM (#34050494)

    1) That's the least-useful Wikipedia page I've ever seen. It doesn't even discuss proposed methodologies for implementing its subject - it just has an extremely short definition.

    3) ... I'm curious to see how you're going to get the RFID chip to cough up enough information to verify that it knows the private key, without giving away enough information to allow key determination through heuristic analysis anyway. ..

    Yes the Wikipedia article is a bit short, hopefully someone will fix it. I highly recommend Applied Cryptography [schneier.com] as a good starter that will cover the information you're looking for.
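
The exchange above asks how a tag can prove it knows a private key without exposing it to someone who records the traffic. As an added example (not part of any comment in this thread), here is Schnorr identification, a standard zero-knowledge proof of knowledge of a private key rather than a password-based ZKPP; the toy group parameters and all function names are constructed for illustration.

```python
import secrets

# Constructed toy group (illustration only): P = 2*Q + 1, both prime, and
# G = 4 generates the subgroup of prime order Q. Real deployments use
# groups of 2048 bits or more, or elliptic curves.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1       # private key, never leaves the tag
    return x, pow(G, x, P)                 # public key y = G^x mod P

def commit():
    r = secrets.randbelow(Q - 1) + 1       # fresh secret nonce per session
    return r, pow(G, r, P)                 # commitment t = G^r mod P

def challenge():
    return secrets.randbelow(Q - 1) + 1    # reader's random nonzero challenge

def respond(x, r, c):
    return (r + c * x) % Q                 # x is masked by the secret nonce r

def verify(y, t, c, s):
    # Accept only if G^s == t * y^c (mod P), which holds when s = r + c*x.
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def run_sessions():
    x, y = keygen()
    r, t = commit()
    c = challenge()
    s = respond(x, r, c)
    honest = verify(y, t, c, s)
    # A recorded (t, s) pair is presented again, but the reader has
    # issued a different challenge, so the old response no longer fits.
    c2 = c % (Q - 1) + 1                   # some nonzero challenge != c
    replayed = verify(y, t, c2, s)
    return honest, replayed

def key_from_reused_nonce(c1, s1, c2, s2):
    # Failure mode to design against: answering two challenges with the
    # same nonce r gives s1 - s2 = (c1 - c2) * x, which reveals x.
    return (s1 - s2) * pow((c1 - c2) % Q, -1, Q) % Q

if __name__ == "__main__":
    print(run_sessions())
```

A static identifier that is simply read out can be recorded and reused, while each transcript here is bound to the reader's fresh challenge; the guarantee depends on the tag drawing a new nonce for every session.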
