Dark Reading is part of the Informa Tech Division of Informa PLC
Researchers Fool Biometric Scanners with 3D-Printed Fingerprints

Tests on the fingerprint scanners of Apple, Microsoft, and Samsung devices reveal it's possible to bypass authentication with a cheap 3D printer.

Researchers armed with a $2,000 budget and 13 smartphones, laptops, and other devices found it's possible to bypass fingerprint authentication with duplicate prints made on a cheap 3D printer. Their tests yielded around an 80% success rate on average; however, the attack isn't easy.

Fingerprint scanners made their way into the mainstream around 2013, when Apple introduced TouchID in the iPhone 5S. Biometric authentication has been made available on several kinds of devices: laptops, smartphones, padlocks, USB drives. Even though hackers were able to bypass TouchID shortly after its release, fingerprint authentication is generally considered a more secure means of authentication than the password for most people, on most types of devices.

Scanner technology has evolved to include three types of sensors: optical, capacitive, and ultrasonic. Each reacts differently to the materials and collection techniques used to make a fake print. The most common type is capacitive, which maps the ridges and valleys of the finger by measuring the small differences in capacitance between skin and the sensor's electrodes, which is why a fake print for this sensor type has to be conductive. Optical sensors use light to capture an image of the print. Ultrasonic sensors, the newest type and the one commonly used for in-display sensors, emit an ultrasonic pulse that bounces off the finger; the echo is read by the sensor. This type of sensor proved the easiest to bypass.

"Reaching this success rate was difficult and tedious work," write researchers Paul Rascagneres and Vitor Ventura in a blog post on their findings. "We found several obstacles and limitations related to scaling and material physical properties." Even so, the success rate indicates they have "a very high probability" of unlocking test devices before they fall back to PIN unlocking. Fingerprint authentication is sufficient to protect most people, they concluded, but could put high-value targets at risk if a well-funded or highly motivated attacker decided to pursue them.

They set a $2,000 budget for materials to put this attack into a real-world context, Ventura explains in an interview with Dark Reading. "We didn't want to have a lot of money," he says. "We wanted to have this within budget so we could see if the average Joe could do this or not." If an everyday person could pull this off, they reasoned, a state-sponsored actor could do it.

There were three key goals for the project: to evaluate security improvements in fingerprint scanners, to understand how 3D printing technology affects fingerprint authentication, and to define a threat model for these attacks. The team created three scenarios for capturing fingerprints and creating molds, each of which was done in a different material depending on the context. The first scenario involved direct collection of the fingerprint; the second used sensor data from a fingerprint scanner. In the third, they lifted fingerprints from another object.

Once collected, the researchers created molds of the fingerprints using a 3D resin printer, which uses a toxic liquid resin that has to be cured with UV light. They cast several materials in the molds, including silicone and different kinds of glue mixed with conductive powder. To their surprise, the most effective material in their experiment was low-cost fabric glue.

"That was a surprise for us, the fabric glue," says Rascagneres. "It's the perfect material."

"It took us around three months to be able to do this," says Ventura, who notes this bypass would be "possible but very complex" for an everyday person to pull off. The size of the mold proved the greatest and most time-consuming challenge: when the resin was cured under the UV light, the mold would shift in size. Because the ridge features a sensor reads are only a fraction of a millimeter across, a slight change in scale caused the scan to fail. The team made more than 50 molds throughout the project.

Putting Fake Prints to the Test
The researchers made 20 authentication attempts on each of 13 devices with the best fake fingerprint they were able to create. They tested a range of smartphones, laptops, tablets, and other devices, including the iPhone 8, Samsung S10, MacBook Pro 2018, Lenovo Yoga, and AICase padlock. On some, they were completely unsuccessful: the Samsung A70 would not grant access to the fake fingerprint; neither would any device running Microsoft's Windows 10.

Researchers note the A70 also had a low authentication rate with legitimate fingerprints. They emphasize that just because they had no success defeating the Windows login doesn't necessarily mean it's safer. Their project was intentionally low-budget, but a larger budget could enable attackers to develop a more effective means to break in.

As a control, they also tested the same fingerprint on the MacBook Pro and achieved a 95% unlock success rate using the direct collection method, which proved the most effective of the three. The Honor 7x (Honor is a Huawei brand) and the Samsung S10 also showed higher success rates, particularly with the direct collection and fingerprint scanner methods. The researchers shared their findings with all device vendors.

"For a regular user, fingerprint authentication has obvious advantages and offers a very intuitive security layer," the researchers write in their post. "However, if the user is a potential target for funded attackers or their device contains sensitive information, we recommend relying more on strong passwords and token two-factor authentication."

Fingerprint authentication security "hasn't evolved much in seven years," says Ventura. Still, it's "good enough" for most people to rely on. They suggest manufacturers limit the number of scanning attempts in order to bound how many presentations an attacker gets. Apple, for example, imposes a limit of five attempts before asking the user for a PIN. Samsung also stops after five failed attempts, but only imposes a 30-second wait, and that cycle can be repeated 10 times. The Honor device was tested more than 70 times and continued to allow scanning.
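The difference between a hard attempt cap and a cooldown matters more than the paragraph above makes explicit: a cooldown only slows the attacker down, while a cap bounds the total number of presentations and therefore the attacker's overall odds. The model below is an added example, not code from the Talos research or from any vendor. It encodes the three behaviours the article describes (Apple-like: five tries, then PIN; Samsung-like: five tries, 30-second wait, up to ten rounds; the tested Honor device: no limit observed) and assumes each presentation of the fake print succeeds independently with some per-attempt probability p, which is a simplifying assumption; the per-scan handling time and the 70-presentation cap for the unlimited case are likewise assumed values.

```python
"""Attempt-limit policies for fingerprint unlock and what they buy a defender.

Added example, not the researchers' or any vendor's code. Policy numbers follow
the article; the independence of attempts, the per-scan handling time and the
70-presentation budget for an unlimited sensor are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AttemptPolicy:
    name: str
    tries_per_round: int        # failed scans before the sensor backs off
    cooldown_seconds: float     # pause imposed after a full round of failures
    max_rounds: Optional[int]   # None: the sensor never falls back to a PIN

    def max_attempts(self) -> Optional[int]:
        """Total presentations an attacker gets before PIN fallback (None = unbounded)."""
        if self.max_rounds is None:
            return None
        return self.tries_per_round * self.max_rounds

    def time_for_attempts(self, n: int, seconds_per_scan: float = 2.0) -> float:
        """Wall-clock seconds to make n presentations, counting the cooldowns
        actually waited out (one after every completed round of failures).
        seconds_per_scan is an assumed handling time per presentation."""
        cap = self.max_attempts()
        if cap is not None and n > cap:
            raise ValueError(f"{self.name}: only {cap} attempts are allowed")
        cooldowns_waited = (n - 1) // self.tries_per_round
        return n * seconds_per_scan + cooldowns_waited * self.cooldown_seconds


APPLE_LIKE = AttemptPolicy("Apple-like (5 tries, then PIN)", 5, 0.0, 1)
SAMSUNG_LIKE = AttemptPolicy("Samsung-like (5 tries, 30 s wait, 10 rounds)", 5, 30.0, 10)
UNLIMITED = AttemptPolicy("No limit (as observed on the Honor device)", 5, 0.0, None)


def unlock_probability(p_per_attempt: float, attempts: int) -> float:
    """P(at least one of `attempts` independent presentations succeeds)."""
    if not 0.0 <= p_per_attempt <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    if attempts < 0:
        raise ValueError("attempts must be non-negative")
    return 1.0 - (1.0 - p_per_attempt) ** attempts


def attacker_odds(policy: AttemptPolicy, p_per_attempt: float,
                  attempts_if_unlimited: int = 70) -> float:
    """Chance the fake print unlocks the device before PIN fallback under `policy`.
    An unbounded policy is evaluated at attempts_if_unlimited presentations
    (the article reports the Honor device kept scanning past 70)."""
    n = policy.max_attempts()
    if n is None:
        n = attempts_if_unlimited
    return unlock_probability(p_per_attempt, n)


if __name__ == "__main__":
    # Per-attempt rates are illustrative: 0.8 is the article's average for a
    # good fake print, the lower values stand in for a poorer replica.
    for p in (0.8, 0.2, 0.05):
        for pol in (APPLE_LIKE, SAMSUNG_LIKE, UNLIMITED):
            print(f"p={p:.2f}  {pol.name:48s}  P(unlock)={attacker_odds(pol, p):.5f}")
    print("Samsung-like: seconds to exhaust all 50 tries:",
          SAMSUNG_LIKE.time_for_attempts(50))
```

With a print that succeeds 80% of the time, the five-attempt cap still leaves the attacker a 99.97% chance, which is the "very high probability" the researchers describe; the cap only becomes decisive against a poorer replica (at p = 0.2 it holds the attacker to 67%, while fifty cooled-down attempts push the odds above 99.99%). The cooldown buys roughly six minutes of the attacker's time and nothing else, which is why the mitigation that matters is the hard fallback to a PIN.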

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

User Rank: Apprentice
4/9/2020 | 3:53:41 AM

"Fingerprint scanners made their way into the mainstream around 2013, when Apple introduced TouchID in the iPhone 5."

TouchID debuted with the iPhone 5S, not the iPhone 5.