[funsec] Mythbusters beat biometric finger print security
dr at kyx.net
Mon Jul 9 05:02:34 CDT 2007
On Saturday 07 July 2007 03:12, Gadi Evron wrote:
> Apparently link has been removed, but exists in 20 other uploads.
> On 2007-07-07 05:07-0500, Gadi Evron wrote:
> >This time, it was about breaking biometric systems with Gummy bears!
> >(see bottom of post for references)
> >I really like this video, which you can watch on YouTube:
> >I have seen this over at Xavier Ashe's The Lazy Genius
> >(http://blog.xavier.ashe.com/blog/_archives/2006/10/2/2381055.html) a
> >long time ago, but just made a search to find it again and post it
> >here. In the past, I have studied biometrics extensively and how the
> >systems can be beat. But there is nothing like a short video to make
> >your point for you.
> >Original link is from:
> >The original public paper discussing this particular technique of $10
> >worth of materials for breaking these systems using Gummy bears is from
> >Tsutomu Matsumoto, a Japanese cryptographer, from around 2002.
> >I don't think his paper was ever online, but his slides were. They seem
> >gone now at a casual search, but I found some other slides by him:
> > Gadi.
Gummy fingers are the older method. Wood glue is a simpler
solution for bypassing these.
The generation of sensors that followed those needed tinfoil to
beat the capacitance sensors...
See starbug's 2006 PacSec presentation at:
Fingerprints are an inherently flawed biometric system... a password
you can't easily change that you leave behind on everything you
touch so it's simple to acquire and defeat... imho using it for any security
application is folly.
Later this week I'm looking in Akihabara for the next generation
of sensors from Fujitsu that look for veins and skin subsurface
details so I can try to get them to starbug. I have full faith that he
will find another simple method to defeat them like all the
previous generations of such devices...
Speaking of fingerprints, it seems that the current terrorism
media fear frenzy has allowed the Japanese policy makers
to rationalize putting in a program similar to the American
one which will mean that next year all foreigners visiting
Japan will be fingerprinted too... There are now videos
announcing and justifying this program by listing a
chronology of recent international terrorist incidents
which plays on screens while you wait in line at
immigration in Japan - implying that fingerprinting will
lead to somehow avoiding such incidents, so I assume they
are getting ready for some negative pushback and PR
over this. But this is something to consider for those
contemplating using this form of biometrics - various
countries' government databases will be yet another
place to acquire the information needed to defeat these
flawed forms of authentication.
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan November 29/30 - 2007 http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp