Aussie Kids Foil Finger Scanner With Gummi Bears 303
mask.of.sanity writes "An Australian high school has installed 'secure' fingerprint scanners for roll call for senior students, which savvy kids may be able to circumvent with sweets from their lunch box. The system replaces the school's traditional sign-in system with biometric readers that require senior students to have their fingerprints read to verify attendance.
The school principal says the system is better than swipe cards because it stops truant kids getting their mates to sign-in for them. But using the Gummi Bear attack, students can make replicas of their own fingerprints from gelatin, the ingredient in Gummi Bears, to forge a replica finger. The attack worked against a bunch of scanners that detect electrical charges within the human body, since gelatin has virtually the same capacitance as a finger's skin."
Misleading Title (Score:5, Informative)
How it's done (gelatin, not Gummi Bears) (Score:5, Informative)
Quoting from the end of the fine article (emphasis added by me).
Tsutomu Matsumoto, a Japanese cryptographer, uses gelatin, the stuff that Gummi Bears are made out of. First he takes a live finger and makes a plastic mold. (He uses a free-molding plastic used to make plastic molds, and is sold at hobby shops.) Then he pours liquid gelatin into the mold and lets it harden. (The gelatin comes in solid sheets, and is used to make jellied meats, soups, and candies, and is sold in grocery stores.) This gelatin fake finger fools fingerprint detectors about 80% of the time.
His more interesting experiment involves latent fingerprints. He takes a fingerprint left on a piece of glass, enhances it with a cyanoacrylate adhesive, and then photographs it with a digital camera. Using PhotoShop, he improves the contrast and prints the fingerprint onto a transparency sheet. Then, he takes a photo-sensitive printed-circuit board (PCB) and uses the fingerprint transparency to etch the fingerprint into the copper, making it three-dimensional. (You can find photo-sensitive PCBs, along with instructions for use, in most electronics hobby shops.) Finally, he makes a gelatin finger using the print on the PCB. This also fools fingerprint detectors about 80% of the time.
Gummy fingers can even fool sensors being watched by guards. Simply form the clear gelatin finger over your own. This lets you hide it as you press your own finger onto the sensor. After it lets you in, eat the evidence.
Mythbusters did something similar (Score:4, Informative)
Until Discovery Communications has it taken down--
http://www.youtube.com/watch?v=LA4Xx5Noxyo
Re:Next up... (Score:5, Informative)
Easy, just scan people as they walk by, record their numbers and get yourself an adjustable implant. You could change identities whenever you please. That is probably the easiest to spoof of all.
Zero-knowledge password proof [wikipedia.org]. We've had the technology for several decades to implement systems where mutual authentication can take place without exposing private keys or passwords.
Re:Next up... (Score:4, Informative)
So... you do what Mythbusters did and make a thin gel fingerprint and stick it to your real finger. You'll have temperature, heartbeat, everything.
It's an unsupervised machine and input sensors can *always* be fooled. Period.
Re:Next up... (Score:3, Informative)
Actually, the "drag over" sensor on your laptop is susceptible to gel fakes. The did this on Mythbusters. The scanner was even susceptible to the impressively sophisticated "paper photocopy" method....
Re:Next up... (Score:3, Informative)
1) That's the least-useful Wikipedia page I've ever seen. It doesn't even discuss proposed methodologies for implementing its subject - it just has an extremely short definition.
3) ... I'm curious to see how you're going to get the RFID chip to cough up enough information to verify that it knows the private key, without giving away enough information to allow key determination through heuristic analysis anyway. ..
Yes the Wikipedia article is a bit short, hopefully someone will fix it. I highly recommend Applied Cryptography [schneier.com] as a good starter that will cover the information you're looking for.