Japanese researcher gums up biometrics scanners
A Japanese researcher has demonstrated that some biometric fingerprint readers can often be fooled into granting access to unauthorized users with a few dollars of household supplies and a little ingenuity.
The discovery was disclosed on May 14 in a presentation given by Tsutomu Matsumoto -- who is affiliated with the Graduate School on Environment and Information Sciences at Yokohama National University in Japan -- at the ITU-T Workshop on Security being held in Seoul, South Korea. Matsumoto posted his presentation online but news of the discovery was spread most widely through the new issue of security guru Bruce Schneier's Crypto-Gram e-mail newsletter, which was released Wednesday.
"The results are enough to scrap the systems completely, and to send the various fingerprint biometric companies packing. Impressive is an understatement," Schneier wrote.
The data seems to contradict the claims of companies that sell biometric authentication systems. They have said biometrics are among the hardest-to-crack security methods since they rely on the unique physical characteristics of their users. Matsumoto, however, was able to gain unauthorized access with two relatively simple techniques, according to Schneier's report on the tests.
Matsumoto performed his experiments on 11 different biometric fingerprint scanners using a fake finger molded out of gelatin. Matsumoto made a plastic mold of a real finger, and then created the false finger by injecting gelatin into the mold. The gelatin finger was able to gain unauthorized access through the 11 fingerprint scanners about 80 percent of the time, according to Schneier.
Matsumoto then attempted a more complicated experiment in which he drew latent fingerprints from a piece of glass and attempted to add those prints to the gelatin finger, Schneier wrote. After lifting the fingerprint from the glass, he enhanced it, photographed it and tweaked it in Adobe Systems Inc.'s Photoshop, he said. Matsumoto then printed the fingerprint onto a transparency sheet and had it etched into a photosensitive circuit board. The print on the circuit board was then applied to the gelatin finger. This technique also allowed access about 80 percent of the time, Schneier wrote.
"If he could do this, then any semi-professional can almost certainly do much, much more," Schneier wrote.
"All the fingerprint companies have claimed for years that this kind of thing is impossible. When they read Matsumoto's results, they're going to claim that they don't really work, or that they don't apply to them, or that they've fixed the problem," Schneier wrote. "Think twice before believing them."
Matsumoto's presentation is available online at http://www.itu.int/itudoc/itu-t/workshop/security/present/s5p4.pdf.
» posted by abennett
IDG News Service
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
