|Home > Putty Science > Thinking Putty defeats Fingerprint Scanners!|
Background On My Experiment
Biometric authentication seems to be, on the face of it, a groovy idea. Do away with hard-to-remember passwords and easy-to-lose keys and cards; authenticate your identity with your voice, or your face, or your fingerprint. What could possibly be wrong with that?
Well, lots of things, actually.
High on the list is the fact that if biometric authentication is compromised - if someone finds a way to fake your voice or face or finger - you're up a brown and smelly creek without any way to propel your barbed wire canoe.
If someone rips off a password of yours, you can change it. If someone steals your credit card, you can cancel it. Lost a key? Change your locks.
But if someone figures out a way to duplicate your fingerprint or voiceprint or retinal or iris ID, there's nothing you can do. Well, OK, you can switch to a different finger or a different eye, but nature puts certain hard limits on how many times you can do that. Once you're out of organs, you're out of luck.
The limited number of biometrics each person carries around with them also makes it impossible to have a large number of different biometric keys.
All this is only a problem, of course, if biometrics can be duplicated by normal human beings. The marketing departments at biometric ID companies have, historically, insisted that they can't. Sure, maybe the NSA can fake out a finger scanner, but some scungy little credit card fraudster isn't going to be able to manage it.
That's the story, anyway...
I checked out a fingerprint scanner scanner, which sells for about $100.
Faking It Out
Tsutomu Matsumoto of Yokohama National University in Japan got the ball rolling in the cruelty-to-finger-scanners area with his study on the foolability of different scanners when presented with "fingers" made from silicone (the base substance in Thinking Putty) and gelatine (like Jell-O).
Matsumoto, in brief, fooled various sensors with fake fingers. Gelatine fingers worked better, because gelatine behaves, electrically, quite like real flesh; sensors that care about conductivity, which capacitive sensors do, aren't terribly likely to be faked out by a putty finger.
This scanner is optical and probably wouldn't know the difference, but I nonetheless decided to see if I could fool it with a gelatine finger.
The easiest way to make a fake fingertip is by taking a mold of a real finger, mixing up some gelatine solution, and then pouring it into the mold. Of course in real life this would require you to say, "Excuse me sir but I'd like to steal your fingerprint. Yes, just put your finger there and press!"
But, There Is Another Way...
Tsutomu Matsumoto demonstrated that flat prints can be lifted from items that have been handled but it requires skills in etching circuit boards and dealing with various volatile compounds.
Instead, perhaps we can take a fingerprint from someone's desk...from the Thinking Putty they've left behind when they went off to lunch.
For ordinary gelatine, you need only about one tablespoon of gelatine to every two cups of water - about a 7 to 200 weight-to-weight ratio. Twice that, if you like your gelatine on the rubbery side.
For a fake fingertip, however, you need jelly stiff like gummi candy. I used a one-to-one mix of water and gelatine, weight for weight.
I'd put my putty in the fridge, and I pressed my thumb into it just before pouring the jelly in. Thinking Putty always creeps towards a puddle-like state unless you've actually frozen it, so, for the experiment, I wanted the minimum possible time between the impression and the molding.
I poured on the gelatine solution, and into the freezer it went for a few minutes to set. The fake fingertip peeled off the putty very easily, as you'd expect - clean, cold Thinking Putty doesn't stick very well to anything but itself. The gelatine was full of bubbles from my stirring, but the jelly thumb nonetheless had a pretty good complement of print-ridges on it...
Ugly and bubble filled the fake fingerprint was, but the scanner loved it. It thought the fake finger was a real one more than 50% of the time. And since you can attempt recognition about once a second, that means it'd be trivially easy to gain access with a scanner like this, even with people watching.
Trim the gelatine so it fits over the end of your real finger, and some very rudimentary prestidigitation will keep your fakery from the attention of onlookers.
I also found it was possible to enroll the gelatine thumb as a new finger. It took me four attempts to do it, and its recognition rate wasn't any better than when I was trying to match it to my real finger. But that's still quite good enough to be useable in an, um, covert situation.
There are lots of other methods to fool fingerprint scanners. Some of them even work on expensive "commercial" units. Other tricks and techniques that don't involve Thinking Putty can be used to fool retina, iris, facial, and voiceprint scanners.
All this doesn't mean that biometric systems are A Bad Thing. Only that important systems shouldn't depend solely on biometrics for security.
Anyway, thanks for reading. I hope you've enjoyed the article!
This article was adapted from Dan's U.are.U Personal review
- Crazy AaronSend us your Thinking Putty