News | Published:

Detectors licked by gummy fingers

Tokyo

Keep 'em peeled: fake fingerprints can readily be made using gelatin and a simple mould. Credit: T. MATSUMOTO

Fingerprint-identification equipment can readily be fooled by a piece of gelatin, according to a cursory study undertaken by a Japanese mathematician.

Tsutomu Matsumoto of Yokohama National University says that his findings could undermine the extravagant claims being made for biometry, which uses inherent human traits such as fingerprints to automatically identify individuals.

In Matsumoto's informal study, he made plastic moulds of the subject's fingers, poured gelatin into the moulds, and let the thin 'gummy fingers' harden. Hundreds of trials by 5 people on 11 devices showed that a person wearing the gummy finger could pass for the subject nearly every time, he says.

Even more alarmingly, Matsumoto was able to create an effective fake fingerprint from a piece of glass that the subject had touched. He used a digital camera to photograph an enhanced copy of the mark, etched it on a printed circuit board, and used this to produce a fake finger made of gelatin.

“What's really scary is that anyone could do this,” says Matsumoto. “The technology is all on the Internet and can be done cheaply at home.”

He emphasizes that he is only dabbling in this research “for fun” while he pursues his real work on the application of cryptography and mathematics to information security.

Spokespeople at Sony and Fujitsu, which make automated fingerprint readers, declined to deny that their devices could be deceived by Matsumoto's gummy finger. But Sony and NEC, a third manufacturer, say that they are currently developing better systems. The new NEC reader, for example, will use light from the side that diffuses through the subject's finger, instead of just reflecting off the fingerprint.

Matsumoto is in no doubt that more sophisticated fingerprint-readers could pass his existing test — but he questions the philosophy of relying on biometry for security. “A password can be changed if it gets leaked,” says Matsumoto, “but once someone has a copy of your fingerprint or your DNA, they will always be able to use it.”

Rights and permissions

Reprints and Permissions

About this article

Further reading

Comments

By submitting a comment you agree to abide by our Terms and Community Guidelines. If you find something abusive or that does not comply with our terms or guidelines please flag it as inappropriate.