Products for the Paranoid

Fingerprint scanners, security keys, encryption software: Which tools should you use to keep sensitive data from prying eyes?

Jeff Bertolucci

Hands On: Gummi Bears Trick a Fingerprint Scanner

Photograph: Kevin Candland

How many gummi bears does it take to fool a fingerprint reader? (The answer to that question is "about three," according to my research.) It sounds like a joke, I know. But in the past, these sugary treats have been used successfully to fool some biometric devices into letting something other than a real finger log a user on to a PC. I wanted to find out whether I could use common substances (including gummi bears) to make replicas of my fingertips and trick biometric devices. In one test scenario, my experiment worked.

For this story, I cooked up all kinds of ways to test a couple of fingerprint readers and an iris recognition device. My tests were mostly rudimentary, but they proved that you can't depend on a certain type of biometric device to be 100 percent foolproof. Of course, determined intruders will have even more-sophisticated ways of breaking the security built into these devices.

For my unscientific tests, I used an IBM ThinkPad notebook with three biometric devices: DigitalPersona's fingerprint reader, the U.are.U 4000, which uses optical technology to take a picture of a fingertip when you press down on its sensor pad; Targus's Defcon Authenticator, a fingerprint reader whose capacitive sensor reads electrical currents across its surface; and Panasonic's iris recognition system, the BM-ET100US Authenticam (also known as the PrivateID), a specialized Webcam that takes a snapshot of your eye.

For the fingerprint reader tests, I used a forensic fingerprint kit produced by the Lynn Peavey Company to make a record of my fingerprint. I also made molds of six of my fingertips using ceramic clay, and I fired the molds in a kiln to harden them. After that, I shaped various soft household materials to create phony fingertips.

Using the fingerprint kit's tape, I lifted my prints from an old AOL CD. I placed the tape on the kit's cards, scanned these prints, and then printed them on a high-resolution photo printer. I attempted to induce the U.are.U 4000 to accept these prints, but it wouldn't cooperate.

Next I tried a fake finger made out of modeling clay. No dice; the sensors on both the U.are.U and the Defcon Authenticator failed to read the plasticine. Then I tried fingertips made out of other common materials: liquid latex from an art store (didn't take the fingerprint shape), polymer casting material (too hard), and Play-Doh (didn't keep its shape). Dessert gelatin formed a nice fingertip but made a sticky, unreadable mess when it melted on the sensors.

Photograph: Kevin Candland

Gummi bears (Brach's Wild N' Fruity variety) were next. I melted them in a double boiler, and once the last vestiges of bear shapes disappeared into a puddle of goo, I carefully spooned liquid gummi (avoiding air bubbles) into my ceramic molds to produce yet another batch of fake fingertips.

The Defcon Authenticator's capacitive sensor, clearly recognizing that the object was a former Ursus gummius, failed to log in my fake print. The on-screen image of a fingertip did register a portion of the print, faintly--but that was as far as I got. I moved on to the U.are.U reader. Bingo! After I enrolled my thumb, the optical reader accepted the gummi bear imitation as my Windows log-in. It didn't get every gummi fingerprint; and the ones it did read, it didn't see clearly every time. But the gummi print worked, over and over again. I also managed to enroll a lime-green gummi as a user, and then used my thumb to log on. Gummi and thumb were interchangeable for log-on purposes, though my thumb wasn't nearly as delicious.

I reported my test results to DigitalPersona, and it acknowledged that the fingerprint reader can be fooled with substances like gummi bears. The company feels, though, that the real-world scenarios for tricking its products in this way are far-fetched.

For the iris test, I tried using a photograph of my eye instead of my real eye. Using a high-resolution camcorder and its optical zoom lens, a colleague snapped eight crisp (and close-up) photos of my eye. But Panasonic's Authenticam was too clever. The camera illuminates a subject's face with a few beams of infrared light as it looks for the iris; a flat sheet of glossy photo paper simply can't reflect that light back at the camera the way a face would. The camera refused to log in my eye photo as a stand-in.

In the end, these devices thwarted nearly all of my attempts to defeat them. But the gummi test shows that you can trick a fingerprint reader with something other than flesh and blood, and a hardcore snoop will pursue more-advanced methods.

--Andrew Brandt
