Information Security News mailing list archives

This hacker's got the gummy touch


From: InfoSec News <isn () c4i org>
Date: Fri, 17 May 2002 04:49:19 -0500 (CDT)

http://news.com.com/2100-1001-915580.html?tag=fd_top

By Robert Lemos 
Staff Writer, CNET News.com
May 16, 2002, 12:10 PM PT

Companies using fingerprint readers to increase security now have to
worry about a new threat: the gummy finger.

A Japanese researcher presented a study on Tuesday at the
International Telecommunications Union's Workshop on Security in
Seoul, Korea, showing that fingerprint readers can be fooled 80
percent of the time by a fake finger created with gelatin sporting
prints lifted from a glass, for example.

The results should be enough to send fingerprint sensor makers back to
the drawing board, said Bruce Schneier, chief technology officer with
Counterpane Internet Security.

"He didn't use expensive equipment or a specialized laboratory," he
wrote in his monthly newsletter Cryptogram, which first reported the
study. "He used $10 of ingredients you could buy and whipped up his
gummy fingers in the equivalent of a home kitchen."

Despite its rudimentary nature, the technique defeated 11 different
commercial fingerprint readers. Biometric security makers, though, are
not quite ready to eat their technology.

"None of this came as a great surprise, except of his positioning
about how easy this is," said Vance Bjorn, chief technology officer
for fingerprint-security product maker Digital Persona. "He has put
together and documented a fairly elaborate process which worked in a
lab environment."

Bjorn stressed that there are a lot of countermeasures that biometrics
makers can take to defeat any threat of "gummy fingers."

In his presentation posted online, Tsutomu Matsumoto, a graduate
student of environment and information science at Yokohama National
University, showed two methods of creating a fake finger using
gelatin.

First, he used molding plastic and gelatin to create a fake
fingerprint from an authorized user's finger in less than an hour.  
Matsumoto calls the result, a flat lozenge of gelatin, a "gummy
finger," and it can fool 11 different fingerprint detectors with
success varying between 70 percent and 95 percent.

Such a technique requires access to someone's finger to make the gummy
model, and thus is not a large security threat.

A second technique outlined by Matsumoto is far more threatening,
because it uses latent fingerprints left by a person on various
surfaces.

Matsumoto outlined a method to lift fingerprints with a microscope,
clean up the image with digital photography tools, and then print out
the image onto a transparent sheet. The sheet is used to expose a
photosensitive printed circuit board (found in hobby shops), which is
then etched to create fingerprint impressions in the board. Finally,
the gelatin is poured over the etched print and allowed to cool,
creating the gummy finger.

This method had even more success in fooling the 11 different sensors,
gaining authorization anywhere from 80 percent to 100 percent of the
time.

Aside from using easily obtained materials, Cryptogram's Schneier
jokes that a culprit can easily hide the evidence of his crime.

"After it lets you in, eat the evidence," he wrote.

Yet Digital Persona's Bjorn stressed that while the study was
interesting, several factors limit its importance. The technique can
only be used to steal a single person's fingerprint and does not allow
broad access, as do some security flaws. Also, most fingerprint sensor
hardware allows several other parameters, such as body heat, to be
measured, which adds up to higher security.

"You (can) start coupling different factors: temperature, resistance,
color change, and maybe you lock onto a pulse," he said. "If you have
all four of those measures, that would be a very complicated fake
finger to make."

The trade-off, however, is that the more variables are included in the
identification decision, the more often even a legitimate user could be
denied access.
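The trade-off Bjorn describes can be put in numbers. The following is an added example, not code from the article or from any sensor maker: a small Python model that assumes the checks are statistically independent and uses constructed per-check error rates, borrowing only the article's roughly 80 percent gummy-finger success rate for the print match itself. It also goes one step beyond the text by evaluating a "print plus k of n liveness checks" policy between the two extremes.

```python
# Decision-level fusion model for the liveness trade-off discussed above.
# Added example, not from the article or any vendor's product. All error rates
# are constructed for illustration; only the ~80% gummy-finger match rate is
# taken from the article, and checks are assumed independent (optimistic).
PRINT_MATCH = (0.80, 0.02)  # (spoof_pass_rate, legitimate_reject_rate)
LIVENESS = {                # the four factors Bjorn names, hypothetical rates
    "temperature": (0.50, 0.03),
    "resistance": (0.40, 0.03),
    "color_change": (0.30, 0.05),
    "pulse": (0.10, 0.08),
}

def prob_at_least_k(pass_probs, k):
    """Probability that at least k of the independent checks pass."""
    dist = [1.0]  # dist[j] = P(exactly j of the checks seen so far pass)
    for p in pass_probs:
        nxt = [0.0] * (len(dist) + 1)
        for j, q in enumerate(dist):
            nxt[j] += q * (1 - p)   # this check fails
            nxt[j + 1] += q * p     # this check passes
        dist = nxt
    return sum(dist[k:])

def combined_rates(print_match, liveness, k=None):
    """Rates for the policy 'print matches AND at least k liveness checks pass'.
    k=None means every liveness check must pass (Bjorn's 'all four' case).
    Returns (spoof_accept_rate, legit_reject_rate)."""
    checks = list(liveness.values())
    if k is None:
        k = len(checks)
    spoof_accept = print_match[0] * prob_at_least_k([s for s, _ in checks], k)
    legit_accept = (1 - print_match[1]) * prob_at_least_k([1 - r for _, r in checks], k)
    return spoof_accept, 1 - legit_accept

if __name__ == "__main__":
    for label, k in (("print only", 0), ("print + 2 of 4", 2), ("print + all 4", None)):
        spoof, reject = combined_rates(PRINT_MATCH, LIVENESS, k)
        print(f"{label:15s} spoof accepted {spoof:6.1%}  legit user rejected {reject:6.1%}")
```

With these constructed rates, requiring all four liveness checks cuts gummy-finger acceptance from 80 percent to under 1 percent but rejects roughly one legitimate attempt in five, which is the "very quick tap" problem the next paragraph raises.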

"Companies just want to have a very quick tap to access," Bjorn
stressed. "There are a lot of ways that we have researched to raise
the bar of security in this matter; it's just the matter of having our
customers drive the need for this."

Perhaps the gummy finger will do just that.
