Cryptographer: Biometric readers far from foolproof

| 3/15/2005

Security companies and government agencies have been championing the new technology of biometrics as a sure-fire, secure way of identifying people for background checks and other purposes.

The readers are playing a major role in the federal government’s effort to fingerprint every hazmat driver in the United States.

But a Japanese cryptographer has discovered that the process is far from foolproof. In fact, he says you can easily fool a biometric fingerprint reader with little more than some super glue, a commonly available electronics doohickey and Gummi Bears.

You read that right – Gummi Bears. The cute little chewy candies they sell near the checkout stand. You can also use a clear, readily available form of gelatin made from the same substance.

Cryptographer Tsutomu Matsumoto, whose technique has been described in several technical journals, lifted a fingerprint from a common object – such as a drinking glass – for his demonstration. Using a computer, a digital camera and a circuit board, he transferred the print to the gelatin, and then molded it onto a fingertip.

According to Matsumoto’s study, the method was tested against 11 commercially available fingerprint readers. The gelatin print worked 80 percent of the time, fooling the high-tech equipment.

Bruce Schneier, the founder and CTO of Counterpane Internet Security – described by The Register as a “noted cryptographer” himself – pointed out that what Matsumoto did could be accomplished by virtually anyone.

“Matsumoto is not a professional fake-finger scientist; he’s a mathematician,” Schneier wrote in the Crypto-Gram newsletter. “He didn’t use expensive equipment or a specialized laboratory. He used $10 of ingredients you could buy, and whipped up his gummy fingers in the equivalent of a home kitchen. And he defeated 11 different commercial fingerprint readers.

“If he could do this, then any semi-professional can almost certainly do much, much more.”