Security companies and government agencies have
been championing the new technology of biometrics as a sure-fire, secure way of
identifying people for background checks and other purposes.
The readers are playing a major role in the federal
government’s effort to fingerprint every hazmat driver in the United States.
But a Japanese
cryptographer has discovered that the process is far from foolproof. In fact,
he says you can easily fool a biometric fingerprint reader with little more
than some super glue, a commonly available electronics doohickey and Gummi Bears.
You read that right – Gummi Bears.
The cute little chewy candies they sell near the checkout stand. You can also
use a clear, readily
available form of gelatin made from the same substance.
Cryptographer Tsutomu Matsumoto,
whose technique has been described in several technical journals, lifted a fingerprint
from a common object – such as a drinking glass – for his demonstration. Using
a computer, a digital camera and a circuit board, he transferred the print to the gelatin, and then molded it onto a
to Matsumoto’s study, the method was tested
against 11 commercially available fingerprint readers. The gelatin print worked
80 percent of the time, fooling the high-tech equipment.
Bruce Schneier, the founder and
CTO of Counterpane Internet Security – described by The Register as a “noted cryptographer” himself – pointed out that
what Matsumoto did could be accomplished by virtually anyone.
“Matsumoto is not a professional fake-finger scientist; he’s a
mathematician,” Schneier wrote in the Crypto-Gram newsletter. “He didn’t use expensive
equipment or a specialized laboratory. He used $10 of ingredients you could
buy, and whipped up his gummy fingers in the equivalent of a home kitchen. And
he defeated 11 different commercial fingerprint readers.
“If he could do this, then any semi-professional can almost
certainly do much, much more.”