funsec mailing list archives
Re: Mythbusters beat biometric finger print security
From: Dragos Ruiu <dr () kyx net>
Date: Mon, 9 Jul 2007 03:02:34 -0700
On Saturday 07 July 2007 03:12, Gadi Evron wrote:
Apparently link has been removed, but exists in 20 other uploads. Wierd: http://www.youtube.com/watch?v=xq_1-bJMw9Q On 2007-07-07 05:07-0500, Gadi Evron wrote:This time, it was about breaking biometric systems with Gummy bears! (see bottom of post for references) I really like this video, which you can watch on YouTube: http://www.youtube.com/watch?v=oXyFmieZjiE I have seen this over at Xavier Ashe's The Lazy Genius (http://blog.xavier.ashe.com/blog/_archives/2006/10/2/2381055.html) a longg time ago, but just made a search to find it again and post it here. In the past, I have studied biometrics extensively and how the systems can be beat. But there is nothing like a short video to make your point for you. Original link is from: http://blogs.technet.com/steriley/archive/2006/09/20/457845.aspx The original public paper discussing this particular technique of $10 worth materials for breaking these systems using Gummy bears is from Tsutomu Matsumoto, a Japanese cryptographer, from around 2002. I don't think his paper was ever online, but his slides were. They seem gone now at a casual search, but I found some other slides by him: http://web.mit.edu/6.857/OldStuff/Fall03/ref/gummy-slides.pdf Gadi.
Gummy fingers are the older method. Wood glue is a simpler solution for bypassing these. The generation of sensors that followed those needed tinfoil to beat the capacitance sensors... See starbug's 2006 PacSec presentation at: http://pacsec.jp/psj06/psj06krissler-e.pdf Fingerprints are an inherently flawed biometric system... a password you can't easily change that you leave behind on everything you touch so it's simple to aquire and defeat... imho using it for any security application is folly. Later this week I'm looking in Akihabara for the next generation of sensors from Fujitsu that look for veins and skin subsurface details so I can try to get them to starbug. I have full faith that he will find another simple method to defeat them like all the previous generations of such devices... cheers, --dr P.S. Speaking of fingerprints, it seems that the current terrorism media fear frenzy has allowed the Japanese policy makers to rationalize putting in a program similar to the American one which will mean that next year all foreigners visiting Japan will be fingerprinted too... There are now videos announcing and justifying this program by listing a chronology of recent international terrorist incidents which plays on screens while you wait in line at immigration in Japan - implying that fingerprinting will lead to somehow avoiding such incidents, so I assume they are getting ready for some negative pushback and PR over this. But this is something to consider for those contemplating using this form of biometrics - various countries' government databases will be yet another place to aquire the information needed to defeat these flawed forms of authentication. -- World Security Pros. Cutting Edge Training, Tools, and Techniques Tokyo, Japan November 29/30 - 2007 http://pacsec.jp pgpkey http://dragos.com/ kyxpgp _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- Mythbusters beat biometric finger print security Gadi Evron (Jul 07)
- Re: Mythbusters beat biometric finger print security Gadi Evron (Jul 07)
- Re: Mythbusters beat biometric finger print security Dragos Ruiu (Jul 09)
- Re: Mythbusters beat biometric finger print security der Mouse (Jul 09)
- Re: Mythbusters beat biometric finger print security Dragos Ruiu (Jul 09)
- Re: Mythbusters beat biometric finger print security C Q (Jul 07)
- RE: Mythbusters beat biometric finger print security Larry Seltzer (Jul 07)
- Re: Mythbusters beat biometric finger print security Kurt Grutzmacher (Jul 07)
- Re: Mythbusters beat biometric finger print security kitsune (Jul 07)
- Re: Mythbusters beat biometric finger print security C Q (Jul 07)
- Re: Mythbusters beat biometric finger print security Dr. Neal Krawetz (Jul 07)
- Re: Mythbusters beat biometric finger print security Andy Cunningham (Jul 07)
- R: Mythbusters beat biometric finger print security Cornali Remo (Jul 08)
- Re: Mythbusters beat biometric finger print security der Mouse (Jul 09)
- RE: Mythbusters beat biometric finger print security Larry Seltzer (Jul 07)
- Re: Mythbusters beat biometric finger print security Gadi Evron (Jul 07)