Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:20 PM
Connect Directly

Researchers Fool Biometric Scanners with 3D-Printed Fingerprints

Tests on the fingerprint scanners of Apple, Microsoft, and Samsung devices reveal it's possible to bypass authentication with a cheap 3D printer.

Researchers armed with a $2,000 budget and 13 smartphones, laptops, and other devices found it's possible to bypass fingerprint authentication with duplicate prints made on a cheap 3D printer. Their tests yielded around an 80% success rate on average; however, the attack isn't easy.

Fingerprint scanners made their way into the mainstream around 2013, when Apple introduced TouchID in the iPhone 5S. Biometric authentication has been made available on several kinds of devices: laptops, smartphones, padlocks, USB drives. Even though hackers were able to bypass TouchID shortly after its release, fingerprint authentication is generally considered a more secure means of authentication than the password for most people, on most types of devices.

Scanner technology has evolved to include three types of sensors: optical, capacitive, and ultrasonic. Each of these sensors reacts differently depending on the materials and collection techniques. The most common type is capacitive, which uses the body's natural electrical current to read prints. Optical sensors use light to scan the print's image. Ultrasonic sensors, the newest type and commonly used for on-screen sensors, use an ultrasonic pulse to bounce off the finger; the echo is read by the fingerprint sensor. This type of sensor proved the easiest to bypass.

"Reaching this success rate was difficult and tedious work," write researchers Paul Rascagneres and Vitor Ventura in a blog post on their findings. "We found several obstacles and limitations related to scaling and material physical properties." Even so, the success rate indicates they have a "a very high probability" of unlocking test devices before they default into PIN unlocking. Fingerprint authentication is sufficient to protect most people, they concluded, but could put high-value targets at risk if a well-funded or highly motivated attacker decided to pursue them.

They set a $2,000 budget for materials to put this attack into a real-world context, Ventura explains in an interview with Dark Reading. "We didn't want to have a lot of money," he says. "We wanted to have this within budget so we could see if the average Joe could do this or not." If an everyday person could pull this off, they reasoned, a state-sponsored actor could do it.

There were three key goals for the project: to evaluate security improvements in fingerprint scanners, to understand how 3D printing technology affects fingerprint authentication, and to define a threat model for these attacks. The team created three scenarios for capturing fingerprints and creating molds, each of which was done in a different material depending on the context. The first scenario involved direct collection of the fingerprint; the second used sensor data from a fingerprint scanner. In the third, they lifted fingerprints from another object.

Once collected, the researchers created molds of the fingerprints using a 3D printer, which uses a toxic resin that has to be cured with a UV light. They tested several materials in the molds, including silicon and different kinds of glue mixed with conductive powder. To their surprise, the most effective material in their experiment was low-cost fabric glue.

"That was a surprise for us, the fabric glue," says Rascagneres. "It's the perfect material."

"It took us around three months to be able to do this," says Ventura, who notes this bypass would be "possible but very complex" for an everyday person to pull off. The size of the mold proved the greatest and most time-consuming challenge: when resin was cured under the UV light, the mold would shift in size. Because fingerprints are measured in nanometers, a slight change caused the scan to fail. The team made more than 50 molds throughout the project.

Putting Fake Prints to the Test
The researchers did 20 authentication attempts on each of 13 devices with the best fake fingerprint they were able to create. They tested a range of smartphones, laptops, tablets, and other devices, including the iPhone 8, Samsung S10, Macbook Pro 2018, Lenovo Yoga, and AICase Padlock. On some, they were completely unsuccessful: the Samsung A70 would not grant access to the fake fingerprint; neither would any devices running Microsoft's Windows 10.

Researchers note the A70 also had a low authentication rate with legitimate fingerprints. They emphasize that just because they had no success defeating the Windows login doesn't necessarily mean it's safer. Their project was intentionally low-budget, but a larger budget could enable attackers to develop a more effective means to break in.

As a control, they tested the same fingerprint on the MacBook Pro and achieved the same 95% unlocked success rate using the direct collection method, which proved the most effective of all three methods. The Honor 7x, also from Huawei, and Samsung S10 also showed higher success, particularly with the direct collection and fingerprint scanner methods. The researchers shared their findings with all device vendors.

"For a regular user, fingerprint authentication has obvious advantages and offers a very intuitive security layer," the researchers write in their post. "However, if the user is a potential target for funded attackers or their device contains sensitive information, we recommend relying more on strong passwords and token two-factor authentication."

Fingerprint authentication security "hasn't evolved much in seven years," says Ventura. Still, it's "good enough" for most people to rely on for security. They suggest manufacturers limit the number of scanning attempts in order to protect the security of each device. Apple, for example, imposes a limit of five attempts before asking the user for a PIN. Samsung did the same but required users to wait 30 seconds after five failed attempts, which can be repeated 10 times. The Honor device was tested more than 70 times and continued to allow scanning.

Related Content:

Check out this listing of free security products and services developed for Dark Reading by Omdia analysts to help you meet the challenges of COVID-19. 

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
4/9/2020 | 3:53:41 AM

"Fingerprint scanners made their way into the mainstream around 2013, when Apple introduced TouchID in the iPhone 5."

TouchID debuted with the iPhone 5S, not the iPhone 5.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
6 Ways Passwords Fail Basic Security Tests
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/28/2020
'Act of War' Clause Could Nix Cyber Insurance Payouts
Robert Lemos, Contributing Writer,  10/29/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Measure and Reduce Cybersecurity Risk in Your Organization
In this Tech Digest, we examine the difficult practice of measuring cyber-risk that has long been an elusive target for enterprises. Download it today!
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-29
Algorithm downgrade vulnerability in QuickConnect in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
PUBLISHED: 2020-10-29
Algorithm downgrade vulnerability in QuickConnect in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
PUBLISHED: 2020-10-29
Improper access control vulnerability in lbd in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to execute arbitrary commands via port (1) 7786/tcp or (2) 7787/tcp.
PUBLISHED: 2020-10-29
Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to access restricted resources via inbound QuickConnect traffic.
PUBLISHED: 2020-10-29
Cleartext transmission of sensitive information vulnerability in DDNS in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to eavesdrop authentication information of DNSExit via unspecified vectors.