Biometric security vs. $10 and a kitchen: guess who wins?

From Cryptogram, an encouraging note for the DIY crowd:

Tsutomu Matsumoto, a Japanese cryptographer, recently decided to look at biometric fingerprint devices. These are security systems that attempt to identify people based on their fingerprint. For years the companies selling these devices have claimed that they are very secure, and that it is almost impossible to fool them into accepting a fake finger as genuine. Matsumoto, along with his students at the Yokohama National University, showed that they can be reliably fooled with a little ingenuity and $10 worth of household supplies.

Matsumoto uses gelatin, the stuff that Gummi Bears are made out of. First he takes a live finger and makes a plastic mold. (He uses a free-molding plastic used to make plastic molds, and is sold at hobby shops.) Then he pours liquid gelatin into the mold and lets it harden. (The gelatin comes in solid sheets, and is used to make jellied meats, soups, and candies, and is sold in grocery stores.) This gelatin fake finger fools fingerprint detectors about 80% of the time.

His more interesting experiment involves latent fingerprints. He takes a fingerprint left on a piece of glass, enhances it with a cyanoacrylate adhesive, and then photographs it with a digital camera. Using PhotoShop, he improves the contrast and prints the fingerprint onto a transparency sheet. Then, he takes a photo-sensitive printed-circuit board (PCB) and uses the fingerprint transparency to etch the fingerprint into the copper, making it three-dimensional. (You can find photo-sensitive PCBs, along with instructions for use, in most electronics hobby shops.) Finally, he makes a gelatin finger using the print on the PCB. This also fools fingerprint detectors about 80% of the time.

I’ll safely assume that the “photo-sensitive printed-circuit board (PCB)” step could be circumvented, substituting the toner transfer method. From the specifications I’ve seen (on at least some capacitive sensors), their limited resolution wouldn’t ever catch the <10mil reproduction errors that might occur.

When life (or security) becomes a bit stream, the granularity of the bit stream becomes the “event horizon”, beyond which there’s no line between that which is ‘real’ and that which is ‘simulated’.
Simulated fingerprints rawk.

ANOTHER THOUGHT (19 April): Speaking of kitchens… I wonder if instead of the gelatin I could get something like egg whites to work just as well? If I can come across an available finger-scan system I’m going to have to give that a try, to see just how low-tech I can go.

