Access Management , Biometrics , Identity & Access Management
Researchers: Fake Fingerprints Can Bypass Biometric Sensors
Study Shows Fingerprints Made With 3D Printer Can Fool Sensors, But Process Is DifficultFake fingerprints created with a 3D printer can bypass biometric scanners to unlock smartphones, laptops and other devices under certain circumstances, according to a study from Cisco Talos.
On average, fingerprints created by a 3D printer had about an 80 percent success rate in bypassing biometric scanners at least once, according to the study. The Cisco Talos team tested 3D printer-created fingerprints on devices made by Apple, Microsoft, Samsung and others.
And while the use of biometrics, such as fingerprints, has become common on many devices, the security of these scanners is not uniform, the study concludes.
"Organizations need to be aware that the security of fingerprint authentication is not secure, despite common assumptions," Paul Rascagneres and Vitor Ventura, the two researchers who conducted the report, write in their summary. "This means that depending on the threat profile of each user, it may not be advisable to use it."
And while creating 3D fingerprints to bypass these readers can prove difficult for most, the fact that it can be done shows that almost any security tools has its limits, says Mike Weber, vice president at cybersecurity consulting firm Coalfire.
"For the average user, however, this isn’t something that is a big concern," Weber tells Information Security Media Group. "Knowing the threat is important, however, and if you’re a person who would be pursued by an entity that would have the resources available to pull off this attack, you probably have much greater concerns surrounding your personal security than allowing access to your mobile phone."
3D Prints
In their study, Rascagneres and Ventura acknowledge that bypassing biometric scanners is tough work, requiring access to a 3D printer to create a fingerprint that can bypass the scanner in a process that could require multiple attempts. But a determined adversary with enough resources could use fake fingerprints to bypass the authentication process, they conclude.
"The results show fingerprints are good enough to protect the average person's privacy if they lose their phone. However, a person who is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication," the two researchers write.
Bypassing Sensors
Vendors have been building fingerprint readers into devices for nearly a decade. The launch of Apple TouchID in the iPhone 5 in 2013 brought the technology into the mainstream.
Since then, companies have mainly used three types of fingerprint sensors: capacitive, optical and ultrasonic. Optical sensors use light to create the image of a fingerprint, while capacitive sensors use an electrical current. Ultrasonic sensors utilize ultra-sonic waves to create and authenticate the fingerprint.
Under certain circumstances, the researchers were able to bypass all three sensors. The report notes that the ultrasonic sensor, which is the newest technology and is used on devices that have on-screen sensors, is the least reliable.
Rascagneres and Ventura created about 50 molds for fake fingerprints using a 3D printer and experimented with a number of materials to make these molds, including silicon and fabric glue.
The fingerprints were collected in three ways - using a finger to create a mold; taking a bitmap image from a fingerprint reader; and snapping a photo of a fingerprint from glass, according to the study.
The Results
Once the fingerprint molds were ready, Rascagneres and Ventura tested their 3D-printed fingerprints against devices. The results showed that smartphones, including those made by Apple, Samsung and Huawei, were the most vulnerable, with the researchers able to bypass most sensors' security, according to the report.
The study notes, however, that it took several attempts to unlock the smartphones and that the percentage of success for each device was calculated based on 20 attempts with the best fake fingerprint. This approach would not have been possible if the researchers did not already have the PIN for these devices, because manufacturers such as Apple and Samsung have limits on the number of fingerprint attempts.
But the researchers report they had trouble unlocking the Samsung A70 smartphone even with a real fingerprint.
For laptops, the results were more mixed. Rascagneres and Ventura noted that they were unable to unlock laptops that used the Windows Hello framework, which is only available for Windows 10 devices. The two researchers, however, were able to unlock a MacBook Pro.
Rascagneres and Ventura also tested the fingerprint readers of USB devices, which proved difficult to unlock, and a smart lock, which proved easier to unlock, according to the report.
An Apple spokesperson declined to comment on the Cisco Talos report, and representatives for Microsoft and Samsung could not be reached for comment.
Reason for Concern
One of the reasons for conducting this type of experiment is that companies are increasingly relying more biometrics, including fingerprints and iris scans, to authenticate identity.
And biometrics data can be stolen. For example, in August 2019, Suprema, a South Korean company that makes a biometric access control platform, left fingerprint records, facial recognition data and personal information exposed on an unsecure Elasticsearch database (see: Biometric Security Vendor Exposes Fingerprints, Face Data)