Browse Definitions :
Definition

gummy bear hack

A gummy bear hack is an attempt to fool a biometric fingerprint scanner by using a gelatin-based candy to hold a fingerprint.

Low-end optical fingerprint scanners can often be fooled with a simple image of a fingerprint, while more sophisticated devices check for characteristics such as electrical current and blood flow. As it turns out, however, the capacitance of gelatin is similar to that of a human finger. Furthermore, if a gelatin-based fingerprint is attached to a living finger, the method could fool those fingerscanners as well because the device would detect those characteristics through the clear gelatin.

The idea behind the gummy bear hack originated with 2002 research led by Japanese cryptographer Tsutomu Matsumoto. Matsumoto and his team used clear gelatin to make artificial fingers that they then used to fool fingerprint scanners. The gelatin-based finger was successful in fooling all 11 devices tested. Reporting on the experiment in the Crypto-Gram, security expert Bruce Schneier commented that gelatin is “the same substance gummi bears are made of.”

When some Australian schools began using fingerprint scanners as a “sign-in” method in 2010, there were media reports suggesting that students could fool the system using gummy bears. The suggested method was simple: impress your fingerprint into a gummy bear and then get an accomplice to put the gummy bear over his own finger to register your attendance. Although there have been many reports that gummy bears could be used in this manner, there are no reports of anyone actually doing so.

A group of students from Washington & Jefferson College’s Information Technology Leadership program attempted to test the theory. The students made fingerprint casts from a variety of substances, including not only gummy bears but also modeling clay, Play-Doh and Silly Putty and tested the casts against Microsoft's Fingerprint Reader and an APC Biometric Security device. Some of the substances held fingerprints better than the others but the gummy bears were not successful. From the class’s report:

None of us was able to get a gummy bear to hold a fingerprint, either on the flat back surface, or by tearing the gummy bear open and trying to create an impression on the softer interior. It was theorized that perhaps a superior quality of gummy bear, instead of the generic brand purchased, or a gummy candy with a large surface area would work better. But for the remainder of the experiment the gummy bears became simply a form of sustenance.

 

Learn more:

The original research report is “Impact of Artificial ‘Gummy’ Fingers on Fingerprint Systems.”

Here’s the report from the students at Washington and Jefferson College.

ZDNet Australia reported on a "Sweet bypass for student fingerprint scanner."

See how gelatin can be used to successfully defeat a fingerprint scanner in this Mythbusters video.

This was last updated in December 2010
SearchCompliance
  • ISO 31000 Risk Management

    The ISO 31000 Risk Management framework is an international standard that provides businesses with guidelines and principles for ...

  • pure risk

    Pure risk refers to risks that are beyond human control and result in a loss or no loss with no possibility of financial gain.

  • risk reporting

    Risk reporting is a method of identifying risks tied to or potentially impacting an organization's business processes.

SearchSecurity
  • Pretty Good Privacy (PGP)

    Pretty Good Privacy or PGP was a popular program used to encrypt and decrypt email over the internet, as well as authenticate ...

  • email security

    Email security is the process of ensuring the availability, integrity and authenticity of email communications by protecting ...

  • cyberterrorism

    Cyberterrorism is often defined as any premeditated, politically motivated attack against information systems, programs and data ...

SearchHealthIT
SearchDisasterRecovery
  • What is risk mitigation?

    Risk mitigation is a strategy to prepare for and lessen the effects of threats faced by a business.

  • fault-tolerant

    Fault-tolerant technology is a capability of a computer system, electronic system or network to deliver uninterrupted service, ...

  • synchronous replication

    Synchronous replication is the process of copying data over a storage area network, local area network or wide area network so ...

SearchStorage
Close