Make a fake (not duplicate) fingerprint for gym's biometric access control

1,697 views
Skip to first unread message

JC

unread,
Sep 6, 2021, 10:43:01 AM9/6/21
to London Hackspace
My residential gym uses fingerprint access control. Is there any way to create a fingerprint so I can use that as a key rather than giving my biometric info to a gym...? I have talked to the manager he wanted to help me but it's technically not possible, because there's no alternative way to open the door (the gym employees give their fingerprints too)

The gym is included in the service charge I pay every year even I don't use it. I want to see if I can hack the system, instead of paying extra money to use another gym.

Any ideas? Thanks in advance.


henry...@ntlworld.com

unread,
Sep 6, 2021, 12:23:06 PM9/6/21
to London Hackspace
I would first try an ink fingerprint on a piece of paper to see if that works. It would, of course, have to be a real (human?) fingerprint to have any chance of success. But I don't see why you're worried about giving your fingerprint to the gym. The only other organisation that uses fingerprints is the police and they won't give information to the gym, EVER. 

Colin Fowler

unread,
Sep 6, 2021, 12:33:25 PM9/6/21
to london-h...@googlegroups.com
Actually, the hard part is not being a fingerprint. People have found that fingerprint scanners can record other parts of the body in their database which can then be used to validate at the scanner.

Your main issue is if it's an optical scanner or not. If it's an old optical scanner you can probably record any convincing looking pattern on it and print it to a piece of card. If it's a newer capacitive or thermal scanner, you're going to have a lot more difficulty.

Colin


--
You received this message because you are subscribed to the Google Groups "London Hackspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to london-hack-sp...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/london-hack-space/c801615a-5d37-4b99-9415-dfa161c30519n%40googlegroups.com.

Matthew

unread,
Sep 6, 2021, 12:35:37 PM9/6/21
to London Hackspace
Have you confirmed they store your fingerprint rather than just a non-reversible hash?

Rowan Hoggarth

unread,
Sep 6, 2021, 12:44:18 PM9/6/21
to london-h...@googlegroups.com
A technique that can work for frustrated-optical and for capacitance based readers is gelatine/rubber casting into a mould. A suitable mold can be made from copper clad PCB material etched appropriately. To generate a fingerprint image I would suggest photoshopping your own or at least using it as a guide to get the scale correct. Once cast the fingerprint can be mounted on your finger with glue or onto a rubber glove finger. Some readers check for pulse too by using pulse-oximetry (infrared colour change with each heartbeat) this can require a thin molding to succeed and allow light to reach your real skin.

All that said, most off the shelf fingerprint reader modules internally process the image into a form of hash by locating 'interest points' and then vectors that relate them. This lessens the load on an embedded processor for the security application. The data stored is typically not recoverable into a fingerprint, nor is it stunningly secure, but it is better than a fixed code, and doesn't require a physical token to carry...

R

deanforbes

unread,
Sep 6, 2021, 12:49:18 PM9/6/21
to London Hackspace
to me it sounds like a ruse to steal gym access - as interesting as the technical detail's are naughty naughty 
I would be very surprised if the data is not stored as a hashed key of some sort 

JC

unread,
Sep 6, 2021, 6:14:47 PM9/6/21
to London Hackspace
Thanks guys!
I understand it's encrypted and hash is a one-way function. 
Maybe I'm paranoid but biometric info is not a password that you can change later so I just don't feel comfortable giving them my fingerprint. This feeling is probably irrational (interestingly my previous job was data related) but I also don't use face ID/touch ID or voice assistant just to feel safer?
I have to say this gym is way too smart - it also requires an app to use all the machines. You have to scan a QR code to start a bike or treadmill. They know exactly who is using anything at any time. I hope this is not the future of gyms.

Thank you all for being helpful - I will find out what scanner they use and I will probably print or laser engrave something see if I can fool the system.

p.s. this made me famous because now every PT/gym employee knows me and they're just kind enough to open the door for me every time...

cepm...@yahoo.co.uk

unread,
Sep 6, 2021, 7:46:00 PM9/6/21
to London Hackspace
Could you use a knuckle instead?
OK, it's still permanently identifiable as yours but really unlikely to cause problems further down the line.


Phil

Ioannes 8:32
 
>>> <https://groups.google.com/d/msgid/london-hack-space/c801615a-5d37-4b99-9415-dfa161c30519n%40googlegroups.com?utm_medium=email&utm_source=footer>
>>> .
>>>
>>

-- 
You received this message because you are subscribed to the Google Groups "London Hackspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to london-hack-sp...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/london-hack-space/27a36f6b-bf58-4a4c-9805-46e97fc4ae67n%40googlegroups.com.

henry...@ntlworld.com

unread,
Sep 6, 2021, 8:12:15 PM9/6/21
to London Hackspace
Or use a more personal part that's unlikely to be identified as being yours (unless you're a flasher)? :-)

Scott Young

unread,
Sep 6, 2021, 8:20:31 PM9/6/21
to london-h...@googlegroups.com
This article is fairly old now by tech standards, but it might offer some help:

Reply all
Reply to author
Forward
0 new messages