Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/8/2020
05:20 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Researchers Fool Biometric Scanners with 3D-Printed Fingerprints

Tests on the fingerprint scanners of Apple, Microsoft, and Samsung devices reveal it's possible to bypass authentication with a cheap 3D printer.

Researchers armed with a $2,000 budget and 13 smartphones, laptops, and other devices found it's possible to bypass fingerprint authentication with duplicate prints made on a cheap 3D printer. Their tests yielded around an 80% success rate on average; however, the attack isn't easy.

Fingerprint scanners made their way into the mainstream around 2013, when Apple introduced TouchID in the iPhone 5S. Biometric authentication has been made available on several kinds of devices: laptops, smartphones, padlocks, USB drives. Even though hackers were able to bypass TouchID shortly after its release, fingerprint authentication is generally considered a more secure means of authentication than the password for most people, on most types of devices.

Scanner technology has evolved to include three types of sensors: optical, capacitive, and ultrasonic. Each of these sensors reacts differently depending on the materials and collection techniques. The most common type is capacitive, which uses the body's natural electrical current to read prints. Optical sensors use light to scan the print's image. Ultrasonic sensors, the newest type and commonly used for on-screen sensors, use an ultrasonic pulse to bounce off the finger; the echo is read by the fingerprint sensor. This type of sensor proved the easiest to bypass.

"Reaching this success rate was difficult and tedious work," write researchers Paul Rascagneres and Vitor Ventura in a blog post on their findings. "We found several obstacles and limitations related to scaling and material physical properties." Even so, the success rate indicates they have a "a very high probability" of unlocking test devices before they default into PIN unlocking. Fingerprint authentication is sufficient to protect most people, they concluded, but could put high-value targets at risk if a well-funded or highly motivated attacker decided to pursue them.

They set a $2,000 budget for materials to put this attack into a real-world context, Ventura explains in an interview with Dark Reading. "We didn't want to have a lot of money," he says. "We wanted to have this within budget so we could see if the average Joe could do this or not." If an everyday person could pull this off, they reasoned, a state-sponsored actor could do it.

There were three key goals for the project: to evaluate security improvements in fingerprint scanners, to understand how 3D printing technology affects fingerprint authentication, and to define a threat model for these attacks. The team created three scenarios for capturing fingerprints and creating molds, each of which was done in a different material depending on the context. The first scenario involved direct collection of the fingerprint; the second used sensor data from a fingerprint scanner. In the third, they lifted fingerprints from another object.

Once collected, the researchers created molds of the fingerprints using a 3D printer, which uses a toxic resin that has to be cured with a UV light. They tested several materials in the molds, including silicon and different kinds of glue mixed with conductive powder. To their surprise, the most effective material in their experiment was low-cost fabric glue.

"That was a surprise for us, the fabric glue," says Rascagneres. "It's the perfect material."

"It took us around three months to be able to do this," says Ventura, who notes this bypass would be "possible but very complex" for an everyday person to pull off. The size of the mold proved the greatest and most time-consuming challenge: when resin was cured under the UV light, the mold would shift in size. Because fingerprints are measured in nanometers, a slight change caused the scan to fail. The team made more than 50 molds throughout the project.

Putting Fake Prints to the Test
The researchers did 20 authentication attempts on each of 13 devices with the best fake fingerprint they were able to create. They tested a range of smartphones, laptops, tablets, and other devices, including the iPhone 8, Samsung S10, Macbook Pro 2018, Lenovo Yoga, and AICase Padlock. On some, they were completely unsuccessful: the Samsung A70 would not grant access to the fake fingerprint; neither would any devices running Microsoft's Windows 10.

Researchers note the A70 also had a low authentication rate with legitimate fingerprints. They emphasize that just because they had no success defeating the Windows login doesn't necessarily mean it's safer. Their project was intentionally low-budget, but a larger budget could enable attackers to develop a more effective means to break in.

As a control, they tested the same fingerprint on the MacBook Pro and achieved the same 95% unlocked success rate using the direct collection method, which proved the most effective of all three methods. The Honor 7x, also from Huawei, and Samsung S10 also showed higher success, particularly with the direct collection and fingerprint scanner methods. The researchers shared their findings with all device vendors.

"For a regular user, fingerprint authentication has obvious advantages and offers a very intuitive security layer," the researchers write in their post. "However, if the user is a potential target for funded attackers or their device contains sensitive information, we recommend relying more on strong passwords and token two-factor authentication."

Fingerprint authentication security "hasn't evolved much in seven years," says Ventura. Still, it's "good enough" for most people to rely on for security. They suggest manufacturers limit the number of scanning attempts in order to protect the security of each device. Apple, for example, imposes a limit of five attempts before asking the user for a PIN. Samsung did the same but required users to wait 30 seconds after five failed attempts, which can be repeated 10 times. The Honor device was tested more than 70 times and continued to allow scanning.

Related Content:

Check out this listing of free security products and services developed for Dark Reading by Omdia analysts to help you meet the challenges of COVID-19. 

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly22
50%
50%
Kelly22,
User Rank: Author
4/14/2020 | 2:52:46 PM
Re:
Thanks! My mistake, and you are right - I'll make an update. 
comment2020
50%
50%
comment2020,
User Rank: Apprentice
4/9/2020 | 3:53:41 AM

"Fingerprint scanners made their way into the mainstream around 2013, when Apple introduced TouchID in the iPhone 5."


TouchID debuted with the iPhone 5S, not the iPhone 5.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/3/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4035
PUBLISHED: 2020-06-03
In WatermelonDB (NPM package "@nozbe/watermelondb") before versions 0.15.1 and 0.16.2, a maliciously crafted record ID can exploit a SQL Injection vulnerability in iOS adapter implementation and cause the app to delete all or selected records from the database, generally causing the app to...
CVE-2020-13783
PUBLISHED: 2020-06-03
D-Link DIR-865L Ax 1.20B01 Beta devices have Cleartext Storage of Sensitive Information.
CVE-2020-13784
PUBLISHED: 2020-06-03
D-Link DIR-865L Ax 1.20B01 Beta devices have a predictable seed in a Pseudo-Random Number Generator.
CVE-2020-13785
PUBLISHED: 2020-06-03
D-Link DIR-865L Ax 1.20B01 Beta devices have Inadequate Encryption Strength.
CVE-2020-13786
PUBLISHED: 2020-06-03
D-Link DIR-865L Ax 1.20B01 Beta devices allow CSRF.