You can change your password, but not your finger

By on May 1, 2005

We didn’t post anything about the fingerprint deal? Seriously? We’re getting slow.

Japanese cryptographer Tsutomu Matsumoto has figured out a way to defeat a fingerprint reader about 80% of the time. “Using his crazy super-cryptographer skills!”, you say. No, not really. It’s all about the Gummi Bears:

First Tsutomu Matsumoto used gelatine (as found in Gummi Bears and other sweets) and a plastic mould to create a fake finger, which he found fooled fingerprint detectors four times out of five.

Flushed with his success, he took latent fingerprints from a glass, which he enhanced with a cyanoacrylate adhesive (super-glue fumes) and photographed with a digital camera. Using PhotoShop, he improved the contrast of the image and printed the fingerprint onto a transparency sheet.

Here comes the clever bit.

Matsumoto took a photo-sensitive printed-circuit board (which can be found in many electronic hobby shops) and used the fingerprint transparency to etch the fingerprint into the copper.

The PCB kit is used to turn a latent print into a 3D image to be used as a mold for your Gummi fingerprint. You could even put it over your own finger to conceal it with a guard watching, then eat the delicious evidence once you’re past the scanner. Not even James Bond got a break-in tool that doubled as a snack.

“Crazy Aaron” makes a pretty good point on why biometrics are not the end-all of security tools:

If someone rips off a password of yours, you can change it. If someone steals your credit card, you can cancel it. Lost a key? Change your locks.

But if someone figures out a way to duplicate your fingerprint or voiceprint or retinal or iris ID, there’s nothing you can do. Well, OK, you can switch to a different finger or a different eye, but nature puts certain hard limits on how many times you can do that. Once you’re out of organs, you’re out of luck.

The limited number of biometrics each person carries around with them also makes it impossible to have a large number of different biometric keys.

So here’s a twist: IBM has recently used the advertising equivalent of the Nuclear Option, $6M Lee Majors, to tout their new notebook with integrated fingerprint scanner. The fingerprint scanner ties into a password keyring that lets you log into your machine, websites, you name it. So suppose I steal your laptop. With an ordinary laptop, I would have a hard time getting into your stuff because I don’t have the passwords. If I steal your Thinkpad, though, I do have your password in the form of the latent prints you left on the lid, the CD drive, and every key on the keyboard. D’oh!

  1. Did you notice how IBM’s fingerprint scanner worked? It wasn’t a flat surface onto which you pressed your finger. It’s a narrow reader over which you swipe your finger.

    Wouldn’t this defeat the Gummi Bears hack?

  2. Almost all fingerprint readers are narrow readers like that. They work in much the same way that a satellite takes pictures of the earth through a thin slit, and the results are pieced together to make an image. The motion of your finger across the slit gives the computer an image of the whole fingerprint.

    Supposedly, most scanners work by either measuring the resistance variations on the finger, or by the distances in the grooves of the finger with a sort of mini-radar. The ‘radar’ ones would quite likely be fooled. I don’t know about the resistive ones. If gummis don’t work for those, then perhaps ballistics gel (of MythBusters fame) would, since it supposedly has similar resistance values as people parts.

  3. Sorry folks, but I gotta pipe in here. Having several years experience with biometric identification devices – yes, some of the low-end devices can probably be “gummied” just as illegals coming across the US/Mex border run an ink pen across their finger to beat the fingerprint device — that is until DOJ/INS got smart and got devices that either use sonographic technologies, low-level electrical resistance and/or vascular activity.

    Moreover, we’re talking “good guy” systems here. You walk up to a device and identify yourself with a smart card, voice, keypad, what-not. You then put your finger on the reader, which confirms that you are who you say you are. Considering the type of systems guarded with “good guy” systems like this, the gummie bear approach is going to fail more often than not because of the degree of social engineering required to defeat it.

    This is nothing more than press people gone wild on some guy getting some press for … candy.

Comments are closed. If you have something you really want to say, email and we’ll get it added for you.