Browse Definitions :
Definition

gummy bear hack

A gummy bear hack is an attempt to fool a biometric fingerprint scanner by using a gelatin-based candy to hold a fingerprint.

Low-end optical fingerprint scanners can often be fooled with a simple image of a fingerprint, while more sophisticated devices check for characteristics such as electrical current and blood flow. As it turns out, however, the capacitance of gelatin is similar to that of a human finger. Furthermore, if a gelatin-based fingerprint is attached to a living finger, the method could fool those fingerscanners as well because the device would detect those characteristics through the clear gelatin.

The idea behind the gummy bear hack originated with 2002 research led by Japanese cryptographer Tsutomu Matsumoto. Matsumoto and his team used clear gelatin to make artificial fingers that they then used to fool fingerprint scanners. The gelatin-based finger was successful in fooling all 11 devices tested. Reporting on the experiment in the Crypto-Gram, security expert Bruce Schneier commented that gelatin is “the same substance gummi bears are made of.”

When some Australian schools began using fingerprint scanners as a “sign-in” method in 2010, there were media reports suggesting that students could fool the system using gummy bears. The suggested method was simple: impress your fingerprint into a gummy bear and then get an accomplice to put the gummy bear over his own finger to register your attendance. Although there have been many reports that gummy bears could be used in this manner, there are no reports of anyone actually doing so.

A group of students from Washington & Jefferson College’s Information Technology Leadership program attempted to test the theory. The students made fingerprint casts from a variety of substances, including not only gummy bears but also modeling clay, Play-Doh and Silly Putty and tested the casts against Microsoft's Fingerprint Reader and an APC Biometric Security device. Some of the substances held fingerprints better than the others but the gummy bears were not successful. From the class’s report:

None of us was able to get a gummy bear to hold a fingerprint, either on the flat back surface, or by tearing the gummy bear open and trying to create an impression on the softer interior. It was theorized that perhaps a superior quality of gummy bear, instead of the generic brand purchased, or a gummy candy with a large surface area would work better. But for the remainder of the experiment the gummy bears became simply a form of sustenance.

 

Learn more:

The original research report is “Impact of Artificial ‘Gummy’ Fingers on Fingerprint Systems.”

Here’s the report from the students at Washington and Jefferson College.

ZDNet Australia reported on a "Sweet bypass for student fingerprint scanner."

See how gelatin can be used to successfully defeat a fingerprint scanner in this Mythbusters video.

This was last updated in December 2010

Join the conversation

2 comments

Send me notifications when other members comment.

Please create a username to comment.

Big Bold Bears will work. They are the size of a finger and will hold the print. Slice them lengthways to make thinner gelatin so the scanners can detect current and blood flow through the gummy bear.
Cancel
Still, there's something ironically amusing about the idea of a high-tech security system possibly being undermined by a common candy item. I suppose Swedish fish would be too hard. <*))swedish))-{
Cancel

-ADS BY GOOGLE

File Extensions and File Formats

SearchCompliance

  • California Consumer Privacy Act (CCPA)

    The California Consumer Privacy Act (CCPA) is legislation in the state of California that supports an individual's right to ...

  • compliance audit

    A compliance audit is a comprehensive review of an organization's adherence to regulatory guidelines.

  • regulatory compliance

    Regulatory compliance is an organization's adherence to laws, regulations, guidelines and specifications relevant to its business...

SearchSecurity

  • spear phishing

    Spear phishing is an email spoofing attack that targets a specific organization or individual, seeking unauthorized access to ...

  • bridge

    A bridge is a class of network device that’s designed to connect networks at OSI Level 2, which is the data link layer of a ...

  • browser isolation

    Browser isolation is a cybersecurity model for web browsing that can be used to physically separate an internet user’s browsing ...

SearchHealthIT

SearchDisasterRecovery

  • disaster recovery team

    A disaster recovery team is a group of individuals focused on planning, implementing, maintaining, auditing and testing an ...

  • cloud insurance

    Cloud insurance is any type of financial or data protection obtained by a cloud service provider. 

  • business continuity software

    Business continuity software is an application or suite designed to make business continuity planning/business continuity ...

SearchStorage

  • business impact analysis (BIA)

    Business impact analysis (BIA) is a systematic process to determine and evaluate the potential effects of an interruption to ...

  • RAID (redundant array of independent disks)

    RAID (redundant array of independent disks) is a way of storing the same data in different places on multiple hard disks to ...

  • dedicated cloud

    A dedicated cloud is a single-tenant cloud infrastructure, which essentially acts as an isolated, single-tenant public cloud.

Close