Sweet bypass for student finger scanner

A NSW high school has installed "secure" fingerprint scanners for roll call, which savvy kids may be able to circumvent with sweets from their lunch box.
Written by Darren Pauli, Contributor

Gummi bears

(Munich 154 image by Betsy Weber, CC2.0)

The system replaces the school's traditional sign-in system with biometric readers that require senior students to have their fingerprints read to verify attendance.

Henry Kendall High School, on the NSW Central Coast, has pitched the system to parents as a convenient way for students to clock in and out of school during their irregular hours.

Principal Bob Cox told the ABC that the system was preferred over swipe cards, which students can abuse by signing in for each other.

But a litany of fingerprint scanners have fallen victim to bypass methods, many of which are explained publicly in detail on the internet. The hacks could potentially be used by students to make replicas of their own fingerprints, or lift those of others from imprints left on the reader.

Japanese cryptographer Tsutomu Matsumoto used gelatine, the ingredient in Gummi Bears, to forge a replica finger that fooled 11 fingerprint scanners during tests in 2002. Gelatine has virtually the same capacitance as a finger's skin, meaning it can fool scanners designed to detect electrical charges within the human body.

"Simply form the clear gelatine finger over your own [which] lets you hide it as you press your own finger onto the sensor. After [the reader] lets you in, eat the evidence," BT chief technology officer Bruce Schneier said of the so-called Gummi Bear attack.

Chris Gatford, director of penetration testing firm HackLabs, has foiled biometric fingerprint scanners before.

"Whether it can be hacked depends on how clever the device is. If it is a reasonable quality, it will look for blood flow and heat, but entry-level models do not."

The NSW Department of Education said in a statement that the software does not store digital copies of fingerprints, but creates templates of unique characteristics.

This should prevent stored fingerprint images from being stolen, but would not prevent students bypassing machines.

The department said the decision to adopt the technology is up to the school, and participation in the scheme is optional.

Fingerprints can be lifted from a variety of surfaces, then scanned, printed and applied to receptacle mediums that are used to trick scanners.

Finnish researcher Ton van der Putte hacked a scanner used for checkout payments in a chain of stores based in the Netherlands in 2008, while another Finnish researcher, Mikko Kiviharju, lifted prints from Microsoft's now-defunct Fingerprint Reader.
