Mythbusters beat "unbreakable" fingerprint door lock
My good friend Jamie Sharp sent me this link today. It's amazing: watch how Adam and Jamie easily defeat a fingerprint lock the manufacturer claims has never been broken. As if to snub the claims, they break it three times! Supposedly it monitors pulse, sweat, temperature, and other attributes. First, Adam obtains an impression of a fingerprint already present on the reader and creates a latex copy that he adheres to his own thumb. Initial attempts fail, but when Adam licks the latex, the door opens. Next, Jamie tries a ballistics gel copy of the fingerprint. Sure enough, the door opens right away. Adam remarks that some cheap computer fingerprint reader was actually more difficult to hack than the "unbreakable" door lock! Finally, Adam tries the simplest of all attacks: a photocopy of the authorized fingerprint. No warmth, no pulse, only a lick -- and again, the door opens.
Biometrics is identity, not authentication. Authentication requires a secret of some kind, like a PIN or password. Anything you leave behind, like the fingerprint Adam lifted from the reader, can never be used as a secret, and thus can't be considered authentication.
Comments
Anonymous
January 01, 2003
PingBack from http://savion.yourstoriessite.com/unbreakablelock.htmlAnonymous
January 01, 2003
The comment has been removedAnonymous
January 01, 2003
Microsoft saugumo ekspertas Steve Riley savo blog’e pateikė nuorodą į video, kuriame gerai žinomi mitų...Anonymous
January 01, 2003
Steve Riley points to Mythbusters' successful attempts to breach biometric security - okay, so it's notAnonymous
September 21, 2006
Huh? What happened to the three factors? Anybody who watches CSI knows biometrics aren't secret, but that doesn't matter, because biometrics derives its strength from uniqueness, not secrecy. And tokens/smart cards get their strength from possession. Are you really suggesting that passwords (the only secrets we use) are the only (and presumably strongest) authentication mechanism out there? As with any of these factors, it is crucial to have a system that effectively implements uniqueness for biometrics (and secrecy for passwords, and possession for tokens). This one didn't, in the same vein as many other authentication mechanisms (hint: know of any techniques for breaking Windows passwords?).Anonymous
September 21, 2006
The comment has been removedAnonymous
September 21, 2006
The comment has been removedAnonymous
September 22, 2006
The comment has been removedAnonymous
September 22, 2006
The comment has been removedAnonymous
September 22, 2006
The comment has been removedAnonymous
September 22, 2006
The comment has been removedAnonymous
September 22, 2006
> and combined with a secret, then it can be very effective.
Back to scientific, proving (just the) identity by using biometrics does not seams to be a good idea by now. When I see the links you provide and hear people talking about how easy it is to fool this technique, than I think it is better to talk about "Biometrics RC1" ;)
> It is a serious question, yes.
How does a system work that can't trust the user who are working on it?
> This is probably not the forum for discussing that :)
> I often wonder if the people "running" these places truly want
> to eliminate terrorism. It certainly provides a ready excuse
> for maintaining or ntroducing totalitarianism.
It has always been exiting to me to hear scientific point of views. So if you like contact me at woller(at)w-mail.org.
> an information system from an attacker,
By the way, your book arrived here two days ago. I saw you and Jesper at "IT's Showtime" and I thought that I have to give it a try :)
> the science behind the security is exactly the same.
One concept to answer thousands of different security threads?Anonymous
September 22, 2006
> One concept to answer thousands of different security threads?
Yes.