This hacker's got the gummy touch

A Japanese researcher finds that fingerprint detectors can be fooled 80 percent of the time by a fake finger made of gelatin. Will "Jell-O" be the new hacking tool?

Robert Lemos Staff Writer, CNET News.com

Companies using fingerprint readers to increase security now have to worry about a new threat: the gummy finger.

A Japanese researcher presented a study on Tuesday at the International Telecommunications Union's Workshop on Security in Seoul, Korea, showing that fingerprint readers can be fooled 80 percent of the time by a fake finger created with gelatin sporting prints lifted from a glass, for example.

The results should be enough to send fingerprint sensor makers back to the drawing board, said Bruce Schneier, chief technology officer with Counterpane Internet Security.

"He didn't use expensive equipment or a specialized laboratory," he wrote in his monthly newsletter Cryptogram, which first reported the study. "He used $10 of ingredients you could buy and whipped up his gummy fingers in the equivalent of a home kitchen."

Despite its rudimentary nature, the technique defeated 11 different commercial fingerprint readers. Biometric security makers, though, are not quite ready to eat their technology.

"None of this came as a great surprise, except of his positioning about how easy this is," said Vance Bjorn, chief technology officer for fingerprint-security product maker Digital Persona. "He has put together and documented a fairly elaborate process which worked in a lab environment."

Bjorn stressed that there are a lot of countermeasures that biometrics makers can take to defeat any threat of "gummy fingers."

In his presentation posted online, Tsutomu Matsumoto, a graduate student of environment and information science at Yokohama National University, showed two methods of creating a fake finger using gelatin.

First, he used molding plastic and gelatin to create a fake fingerprint from an authorized user's finger in less than an hour. Matsumoto calls the result, a flat lozenge of gelatin, a "gummy finger," and it can fool 11 different fingerprint detectors with success varying between 70 percent and 95 percent.

Such a technique requires access to someone's finger to make the gummy model and thus is not a large security threat.

A second technique outlined by Matsumoto is far more threatening, because it uses latent fingerprints left by a person on various surfaces.

Matsumoto outlined a method to lift fingerprints with a microscope, clean up the image with digital photography tools, and then print out the image onto a transparent sheet. The sheet is used to expose a photosensitive printed circuit board (found in hobby shops), which is then etched to create fingerprint impressions in the board. Finally, the gelatin is poured over the etched print and allowed to cool, creating the gummy finger.

This method had even more success in fooling the 11 different sensors, gaining authorization anywhere from 80 percent to 100 percent of the time.

Aside from using easily obtained materials, Cryptogram's Schneier jokes that a culprit can easily hide the evidence of his crime.

"After it lets you in, eat the evidence," he wrote.

Yet Digital Persona's Bjorn stressed that while the study was interesting, several factors limit its importance. The technique can only be used to steal a single person's fingerprint and does not allow broad access, as do some security flaws. Also, most fingerprint sensor hardware allows several other parameters, such as body heat, to be measured, which adds up to higher security.

"You (can) start coupling different factors: temperature, resistance, color change, and maybe you lock onto a pulse," he said. "If you have all four of those measures, that would be a very complicated fake finger to make."

The trade-off, however, is that the more variables are included in an identification equation, the more frequently even a legitimate user could be denied access.

"Companies just want to have a very quick tap to access," Bjorn stressed. "There are a lot of ways that we have researched to raise the bar of security in this matter; it's just the matter of having our customers drive the need for this."

Perhaps the gummy finger will do just that.