Sweet bypass for student finger scanner

Sweet bypass for student finger scanner

Summary: A NSW high school has installed "secure" fingerprint scanners for roll call, which savvy kids may be able to circumvent with sweets from their lunch box.

TOPICS: Security, Health

A NSW high school has installed "secure" fingerprint scanners for roll call, which savvy kids may be able to circumvent with sweets from their lunch box.

Gummi bears

(Munich 154 image by Betsy Weber, CC2.0)

The system replaces the school's traditional sign-in system with biometric readers that require senior students to have their fingerprints read to verify attendance.

Henry Kendall High School, on the NSW Central Coast, has pitched the system to parents as a convenient way for students to clock in and out of school during their irregular hours.

Principal Bob Cox told the ABC that the system was preferred over swipe cards, which students can abuse by signing-in for each other.

But a litany of fingerprint scanners have fallen victim to bypass methods, many of which are explained publicly in detail on the internet. The hacks could potentially be used by students to make replicas of their own fingerprints, or lift those of others from imprints left on the reader.

Japanese cryptographer Tsutomu Matsumoto used gelatin, the ingredient in Gummi Bears, to forge a replica finger that fooled 11 fingerprint scanners during tests in 2002. Gelatine has virtually the same capacitance as a finger's skin, meaning it can fool scanners designed to detect electrical charges within the human body.

"Simply form the clear gelatine finger over your own [which] lets you hide it as you press your own finger onto the sensor. After [the reader] lets you in, eat the evidence," BT chief technology officer Bruce Schneier said of the so-called Gummi Bear attack.

Chris Gatford, director of penetration testing firm HackLabs, has foiled biometric fingerprint scanners before.

"Whether it can be hacked depends on how clever the device is. If it is a reasonable quality, it will look for blood flow and heat, but entry-level models do not."

The NSW Department of Education said in a statement that the software does not store digital copies of fingerprints, but creates templates of unique characteristics.

This should prevent stored fingerprint images from being stolen, but would not prevent students bypassing machines.

The department said the decision to adopt the technology is up to the school, and participation in the scheme is optional.

Fingerprints can be lifted from a variety of surfaces, and then scanned, printed and applied to receptacle mediums which are used to trick scanners.

Finnish researcher Ton van der Putte hacked a scanner used for checkout payments in a chain of stores based in the Netherlands in 2008, while another Finnish researcher Mikko Kiviarju lifted prints (PDF) from Microsoft's now defunct Fingerprint Reader.

Topics: Security, Health

Darren Pauli

About Darren Pauli

Darren Pauli has been writing about technology for almost five years, he covers a gamut of news with a special focus on security, keeping readers informed about the world of cyber criminals and the safety measures needed to thwart them.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Ton van der Putte appears to be a dutchman instead. And if you put the gelatin around your fingers an expensive scanner will still "see" enough veins and blood flow to accept the fake as the genuine article.

    But what nobody in the industry dares say, is that this shows that biometrics are unsuitable for casual identification. To match you to fingerprints left at the scene of a crime, fine. But to identify you so you can access your bank account or anything else of importance to you, no.

    The problem with the current state of identification is that in order to identify yourself you must surrender your entire identity, and that is enough information to forge your identity, too. Biometrics don't change that. The property that changes is that now identity can be more easily forged because you leave your fingerprints literally everywhere, unless you're willing to always, every day of the year, wear gloves when outside your own home, and at the same time it becomes nigh-on impossible to assume a different "identity" should your old one get stolen.

    So where your bank card or your credit card might get stolen, and then you cancel it as fast as you can, if that happens to your fingerprints you can't just cancel your fingerprints. Not unless you're willing to give up your access to your own bank account forever. Now isn't that a wonderful choice this use of technology forces upon you?
  • A response to this article may be read at:

    If you're interested in a contrary point of view, please consider reading.
    SecurLinx Blog
  • Went to Disneyland and the rest of the theme parks in Orlando this summer - my brother in law had no trouble at all pretending to be my wife, using her ticket, and placing his finger on the fingerprint security glass. When using them legitimately though they failed often, and staff had to let us in anyway. In case any of the folks are Disney are upset we never had more people than tickets - he was instead of, not as well as my wife !
  • Seriously, how many kids would a) go to that much effort, and b) rely on it actually working.
  • Having read that SecurLinx blog post (and why couldn't you have posted it here, hm?) I see two separate issues: First, the use of biometrics, regardless of where. To that my earlier post up above. That alone ought to be enough, but in case it isn't: Second, you raise the social environment and wonder about the cost.

    Well, I say, if you have to resort to (alternatively, hide behind) technology to keep track of the kids in your social environment, you're not doing terribly well with providing that social environment. I expect (non-substitute) teachers to know their pupils well enough that once the year is underway they needn't do a long and tedious roll call. If you can't manage that the school is probably too big and needs sizing down. If you have a lot of substitute teachers because, say, the environment is too stressful so you have too many teachers calling in sick, you're again not usefully running your school.

    Not because of roll call efficiency, but because teaching effectively requires that the teacher knows his pupils, knows how to get through to them and make the lessons stick. Everybody is different and everybody learns differently. You can't fix that with a fingerprint reader. Thus any ROI and TCO questions of that fingerprint reading system, which you vaguely raised but didn't address, are pretty much irrelevant.

    Yes, it's oh-so-convenient and oh-so-cheap technology. But it's not very good tech and even if it was it's not very appropriate if you care about running a school. It's all the rage nowadays, but that doesn't automatically make it a good idea. And in fact I say it's not a good idea.

    Experience has shown us already that money is quite irrelevant, as throwing a couple billion at a (US) state's teaching apparatus mainly caused swimming pools and admin buildings and saw the kids' scores _drop_, whereas the lone contrary guy managed with lots of creative spit and baling wire to pay his teachers more on a smaller-than-usual budget and have the kids get better results. That is what better motivated teachers and kids will make happen.

    It would be a much better idea to keep classes small and ensure kids of roughly the same level and same learning capability are in the same classes, focus on teaching each kid as much as he or she can stand and maybe a little more, fast-track the smartest, remedy the slow'uns, that sort of thing, than to try and find cost savings in high technology that, should it manage to work properly, conveniently makes trackable entities out of the kids. We ought to be trying to teach them to be valuable members of society, not nicely trained compliant sheep.
  • Hi SecurLinx Blog, I read your article and thought you raised some important points. Robust debate is always welcome, so I appreciate your time. I placed quotations around "secure" to indicate the flaws of the term, especially when applied to biometrics.
    I also referred to those kids who could bypass the system as "savvy" because they would need to be skilled to do so, irrespective of whether doing so is right or wrong.
    Thanks again for the comments!
  • @darrenpauli,

    I have spoken to a number of people in the Australian who perform penetration testing and they all confirmed that they have never undertaken physical attacks simply because IRL this would be noticed quickly but people entering and exiting the entry point.

    Furthermore, if Chris Gatford had foiled biometric fingerprint device(s) in past then he would publish the make and model like the researchers quoted in your article.