May 17, 2002, 10:37 AM — A Japanese researcher has demonstrated that some biometric fingerprint readers can often be fooled into granting access to unauthorized users with a few dollars of household supplies and a little ingenuity.
The discovery was disclosed on May 14 in a presentation given by Tsutomu Matsumoto -- who is affiliated with the Graduate School on Environment and Information Sciences at Yokohama National University in Japan -- at the ITU-T Workshop on Security being held in Seoul, South Korea. Matsumoto posted his presentation online but news of the discovery was spread most widely through the new issue of security guru Bruce Schneier's Crypto-Gram e-mail newsletter, which was released Wednesday.
"The results are enough to scrap the systems completely, and to send the various fingerprint biometric companies packing. Impressive is an understatement," Schneier wrote.
The data seems to contradict the claims of companies that sell biometric authentication systems. They have said biometrics are among the hardest-to-crack security methods since they rely on the unique physical characteristics of their users. Matsumoto, however, was able to gain unauthorized access with two relatively simple techniques, according to Schneier's report on the tests.
Matsumoto performed his experiments on 11 different biometric fingerprint scanners using a fake finger molded out of gelatin. Matsumoto made a plastic mold of a real finger, and then created the false finger by injecting gelatin into the mold. The gelatin finger was able to gain unauthorized access through the 11 fingerprint scanners about 80 percent of the time, according to Schneier.
Matsumoto then attempted a more complicated experiment in which he drew latent fingerprints from a piece of glass and attempted to add those prints to the gelatin finger, Schneier wrote. After lifting the fingerprint from the glass, he enhanced it, photographed it and tweaked it in Adobe Systems Inc.'s Photoshop, he said. Matsumoto then printed the fingerprint onto a transparency sheet and had it etched into a photosensitive circuit board. The print on the circuit board was then applied to the gelatin finger. This technique also allowed access about 80 percent of the time, Schneier wrote.
"If he could do this, then any semi-professional can almost certainly do much, much more," Schneier wrote.
"All the fingerprint companies have claimed for years that this kind of thing is impossible. When they read Matsumoto's results, they're going to claim that they don't really work, or that they don't apply to them, or that they've fixed the problem," Schneier wrote. "Think twice before believing them."
Matsumoto's presentation is available online at http://www.itu.int/itudoc/itu-t/workshop/security/present/s5p4.pdf.