A Japanese researcher has demonstrated that some biometric
fingerprint readers can often be fooled into granting access to
unauthorised users with a few pounds' worth of household supplies
and a little ingenuity.

Tsutomu Matsumoto - who is affiliated with the Graduate School on
Environment and Information Sciences at Yokohama National
University in Japan - gained unauthorised access with the aid of a
fake finger moulded out of gelatin.

Matsumoto used the finger on 11 different biometric scanners and
gained access 80% of the time, he claimed.

His next experiment involved drawing latent fingerprints from a
piece of glass and adding those prints to the gelatin finger. After
lifting the fingerprint from the glass, he enhanced it,
photographed it and tweaked the image in Adobe Photoshop.

Matsumoto then printed the fingerprint image onto a transparency
sheet and had it etched into a photosensitive circuit board. The
print on the circuit board was then applied to the gelatin finger.
This technique also allowed access about 80% of the time.

The data seems to contradict the claims of companies that sell
biometric authentication systems. They have said biometrics is one
of the hardest security methods to crack because of the reliance on
the unique physical characteristics of users. Matsumoto, however,
appears to have proved them wrong.

Matsumoto posted his discoveries online, but Bruce Schneier, who
also broke the news in his Crypto-Gram e-mail newsletter, said, "If
he could do this, then any semi-professional can almost certainly
do much, much more.

"All the fingerprint companies have claimed for years that this
kind of thing is impossible. When they read Matsumoto's results,
they're going to claim that they don't really work, or that they
don't apply to them, or that they've fixed the problem. Think twice
before believing them."

Matsumoto's presentation is available online at
www.itu.int/itudoc/itu-t/workshop/security/present/s5p4.pdf