One of the great things about working in the network and security arena is that it is constantly evolving. There’s always a new story to either educate or amuse; today it’s a story about a brilliant use of gummi bears.
Now, I thought I was fully versed in the uses of gummi bears. Was I not the instigator of the infamous Bronx Science last-school-day gummi bear stick-a-thon, where we managed to cause $15,000 of damage to one of the science labs using nothing but a jumbo bag full of those candies?
Of course not! That was simply a joke. I have no idea how that incident happened! I certainly didn’t discover that a gummi bear would get sticky enough to adhere to ceiling tiles when thrown, I certainly didn’t demonstrate these capabilities to my classmates, and I most certainly didn’t spend the next 30 minutes in wanton gummi-bear destruction, sticking them to every surface that we could. Like I said, I have no idea how that happened; we had all left when our teacher hadn’t shown up.
Anyway, let’s just say I know about gummi bears and how they can be used to disrupt schools, but this story is a new one on me. It appears that some Australians are using them to aid truancy by spoofing the fingerprint systems in charge of taking attendance. These enterprising young people have discovered that the gelatine has the same capacitance as human skin and have made replica fingerprints. They have their friends go to school and log them in using these replicas, fooling the system into thinking that they are present.
Now, besides this story being hilarious, there are some security implications:
– This shows how easy it is to fool a fingerprint scanner. It’s been known for some time that fingerprint scanners can be spoofed; however, the sophistication of the attack had been much higher. This shows that a teenager with some gelatine, time, and a hatred of history class can easily fool the system.
Note that this attack requires a willing participant. You couldn’t use this type of attack to grab someone’s fingerprints without their knowledge; I mean, who wouldn’t be suspicious of someone saying “hey there, would you mind sticking your right index finger into this pot of jello for me?”
– There’s no substitute for human inspection. Have as many automated systems as you want, but if someone wants to, they can trick the system. Technology is not always the solution to the problem, or at least it’s not a complete solution.
– Two-factor authentication is not a solution when there is collusion. Having a PIN as well as a fingerprint would be useless in this system, as the student swiping the fake finger would have the PIN as well. Two-factor authentication is only useful when the user has a vested interest in keeping it secret.