[funsec] Mythbusters beat biometric finger print security

Dragos Ruiu dr at kyx.net
Mon Jul 9 05:02:34 CDT 2007


On Saturday 07 July 2007 03:12, Gadi Evron wrote:
> Apparently link has been removed, but exists in 20 other uploads.
> Weird:
>
> http://www.youtube.com/watch?v=xq_1-bJMw9Q
>
> On 2007-07-07 05:07-0500, Gadi Evron wrote:
> >This time, it was about breaking biometric systems with Gummy bears!
> >(see bottom of post for references)
> >
> >I really like this video, which you can watch on YouTube:
> >http://www.youtube.com/watch?v=oXyFmieZjiE
> >
> >I have seen this over at Xavier Ashe's The Lazy Genius
> >(http://blog.xavier.ashe.com/blog/_archives/2006/10/2/2381055.html) a
> >long time ago, but just made a search to find it again and post it
> >here. In the past, I have studied biometrics extensively and how the
> >systems can be beat. But there is nothing like a short video to make
> >your point for you.
> >
> >Original link is from:
> >http://blogs.technet.com/steriley/archive/2006/09/20/457845.aspx
> >
> >The original public paper discussing this particular technique of $10
> >worth of materials for breaking these systems using Gummy bears is from
> >Tsutomu Matsumoto, a Japanese cryptographer, from around 2002.
> >I don't think his paper was ever online, but his slides were. They seem
> >gone now at a casual search, but I found some other slides by him:
> >http://web.mit.edu/6.857/OldStuff/Fall03/ref/gummy-slides.pdf
> >
> >	Gadi.


Gummy fingers are the older method. Wood glue is a simpler 
solution for bypassing these.

The generation of sensors that followed those needed tinfoil to 
beat the capacitance sensors...

See starbug's 2006 PacSec presentation at:

 http://pacsec.jp/psj06/psj06krissler-e.pdf

Fingerprints are an inherently flawed biometric system... a password 
you can't easily change that you leave behind on everything you 
touch so it's simple to acquire and defeat... imho using it for any security 
application is folly.

Later this week I'm looking in Akihabara for the next generation 
of sensors from Fujitsu that look for veins and skin subsurface 
details so I can try to get them to starbug. I have full faith that he 
will find another simple method to defeat them like all the 
previous generations of such devices... 

cheers,
--dr

P.S.
Speaking of fingerprints, it seems that the current terrorism 
media fear frenzy has allowed the Japanese policy makers 
to rationalize putting in a program similar to the American 
one which will mean that next year all foreigners visiting 
Japan will be fingerprinted too...  There are now videos 
announcing and justifying this program by listing a 
chronology of recent international terrorist incidents 
which plays on screens while you wait in line at 
immigration in Japan - implying that fingerprinting will
lead to somehow avoiding such incidents, so I assume they 
are getting ready for some negative pushback and PR 
over this. But this is something to consider for those 
contemplating using this form of biometrics - various 
countries' government databases will be yet another 
place to acquire the information needed to defeat these 
flawed forms of authentication.

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan   November 29/30 - 2007    http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp

