Browse Definitions :
Definition

gummy bear hack

A gummy bear hack is an attempt to fool a biometric fingerprint scanner by using a gelatin-based candy to hold a fingerprint.

Low-end optical fingerprint scanners can often be fooled with a simple image of a fingerprint, while more sophisticated devices check for characteristics such as electrical current and blood flow. As it turns out, however, the capacitance of gelatin is similar to that of a human finger. Furthermore, if a gelatin-based fingerprint is attached to a living finger, the method could fool those fingerscanners as well because the device would detect those characteristics through the clear gelatin.

The idea behind the gummy bear hack originated with 2002 research led by Japanese cryptographer Tsutomu Matsumoto. Matsumoto and his team used clear gelatin to make artificial fingers that they then used to fool fingerprint scanners. The gelatin-based finger was successful in fooling all 11 devices tested. Reporting on the experiment in the Crypto-Gram, security expert Bruce Schneier commented that gelatin is “the same substance gummi bears are made of.”

When some Australian schools began using fingerprint scanners as a “sign-in” method in 2010, there were media reports suggesting that students could fool the system using gummy bears. The suggested method was simple: impress your fingerprint into a gummy bear and then get an accomplice to put the gummy bear over his own finger to register your attendance. Although there have been many reports that gummy bears could be used in this manner, there are no reports of anyone actually doing so.

A group of students from Washington & Jefferson College’s Information Technology Leadership program attempted to test the theory. The students made fingerprint casts from a variety of substances, including not only gummy bears but also modeling clay, Play-Doh and Silly Putty and tested the casts against Microsoft's Fingerprint Reader and an APC Biometric Security device. Some of the substances held fingerprints better than the others but the gummy bears were not successful. From the class’s report:

None of us was able to get a gummy bear to hold a fingerprint, either on the flat back surface, or by tearing the gummy bear open and trying to create an impression on the softer interior. It was theorized that perhaps a superior quality of gummy bear, instead of the generic brand purchased, or a gummy candy with a large surface area would work better. But for the remainder of the experiment the gummy bears became simply a form of sustenance.

 

Learn more:

The original research report is “Impact of Artificial ‘Gummy’ Fingers on Fingerprint Systems.”

Here’s the report from the students at Washington and Jefferson College.

ZDNet Australia reported on a "Sweet bypass for student fingerprint scanner."

See how gelatin can be used to successfully defeat a fingerprint scanner in this Mythbusters video.

This was last updated in December 2010
SearchNetworking
  • virtual network functions (VNFs)

    Virtual network functions (VNFs) are virtualized tasks formerly carried out by proprietary, dedicated hardware.

  • network functions virtualization (NFV)

    Network functions virtualization (NFV) is a network architecture model designed to virtualize network services that have ...

  • overlay network

    An overlay network is a virtual or logical network that is created on top of an existing physical network.

SearchSecurity
  • encryption

    Encryption is the method by which information is converted into secret code that hides the information's true meaning.

  • X.509 certificate

    An X.509 certificate is a digital certificate that uses the widely accepted international X.509 public key infrastructure (PKI) ...

  • directory traversal

    Directory traversal is a type of HTTP exploit in which a hacker uses the software on a web server to access data in a directory ...

SearchCIO
  • resource allocation

    Resource allocation is the process of assigning and managing assets in a manner that supports an organization's strategic ...

  • chief digital officer (CDO)

    A chief digital officer (CDO) is charged with helping an enterprise use digital information and advanced technologies to create ...

  • security audit

    A security audit is a systematic evaluation of the security of a company's information system by measuring how well it conforms ...

SearchHRSoftware
SearchCustomerExperience
  • implementation

    Implementation is the execution or practice of a plan, a method or any design, idea, model, specification, standard or policy for...

  • first call resolution (FCR)

    First call resolution (FCR) is when customer service agents properly address a customer's needs the first time they call.

  • customer intelligence (CI)

    Customer intelligence (CI) is the process of collecting and analyzing detailed customer data from internal and external sources ...

Close