Defeating Fingerprint Readers
[Computer][Weapons][Gadgets]

Let's say you've just purchased (or are considering purchasing) a new biometric finger print reader to secure something. You want to make sure that they're actually half decent and won't generate lots of false positives, right? Here's a quick test that you can perform using ordinary equipment you probably already have at home or can easily buy for cheap. You'll be surprised at how many readers this trick can fool!

First of all, you need to get a sample of a authorized finger print. A good bet is glass surfaces, and if the thing that is being secured is access to a building, there's a good chance that the building has glass doors at the entrance. Bring some cyanoacrylate adhesive and a digital camera with you, and apply it to a fingerprint you can see on the door. This adhesive will enhance the visibility of print. This is the type of glue that model airplanes are built with, so you can find it in hobby stores for one or two dollars. Take a picture of the enhanced print and, if you want don't want to leave any trace of what you did, wash off the adhesive with some remover, and then wash off the remover with water. This will, of course, also wash away the finger print, but hopefully no one will notice a missing print on the door.

Go back home and load up your picture of the finger print into your favorite image editor (e.g. Photoshop or Paint Shop Pro) and increase the contrast until you've clearly got the lines of the print against a blank background. This image will serve as the blueprint for your fake fingerprint.

You need to transform this image into a 3D surface. There are two ways of going about this. The easier way is to find a PCB etching service. They're like those services where you bring in a document on diskette and make colour, binded prints of them, except instead of printing on paper, they print on the boards used to design electronic equipment. Just bring in your image and ask them to print it out (you can also find online services and send the image in and they'll mail you the board); expect to pay between $10 and $30 for this.

The harder way is to buy a photosensitive PCB from an electronics shop and do the printing yourself. The process involves working with toxic chemicals, and a kit will probably cost you around $50, but the advantage is that there's no evidence of you ever sending out an image of a fingerprint. The kit will come with instructions on how to use them. Since they work by having light shone onto the PCB, you may need a darkroom environment as if you were developing photos. You'll also have to print out your image on a transparency-sheet, and put that on top of the PCB, to stop lights from hiting certain regions, and thus having the PCB form the shape of the print.

Once you have a PCB etched with the finger print, go to the grocery store and buy some gummy bears (probably around $2 to $5 for a bag full, and you only need like 1 or 2 bears per finger you want to fake), then melt them, and pour the geletin onto the PCB. Let it cool and it should harden to form a "fake finger" with the appropriate finger print.

Return to the finger print reader, and hide the gummy bear under your index finger. Press your finger onto the reader with the gummy bear underneath it (so that a guard watching you will not see you using a fake finger). This will easily fool 80% of the readers. Of the remaing 20%, the failure may be due to the fact that the reader measures not only the print, but also the electrical conductance of the finger. In that case, lick the gummy finger first, to give it the correct conductive properties, and you should be able to get in. Once inside, eat the gummy finger to destroy the evidence.

Why is this test important? Because just about anybody can do it. If defeating 80% of readers is this easy, just imagine what a professional could accomplish.

This technique was discovered by Tsutomu Matsumoto, a Japanese mathematician (note that he is NOT a security expert), but unfortunately the paper he published describing this attack is not available online (which is why I had to paraphrase the whole thing here). Acknowledgement goes to Bruce Schneider for finding this gem.

 
E-mail this story to a friend.

You must be logged in to post comments.

Sites linking to this post: