Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:20 PM
Connect Directly

Researchers Fool Biometric Scanners with 3D-Printed Fingerprints

Tests on the fingerprint scanners of Apple, Microsoft, and Samsung devices reveal it's possible to bypass authentication with a cheap 3D printer.

Researchers armed with a $2,000 budget and 13 smartphones, laptops, and other devices found it's possible to bypass fingerprint authentication with duplicate prints made on a cheap 3D printer. Their tests yielded around an 80% success rate on average; however, the attack isn't easy.

Fingerprint scanners made their way into the mainstream around 2013, when Apple introduced TouchID in the iPhone 5S. Biometric authentication has been made available on several kinds of devices: laptops, smartphones, padlocks, USB drives. Even though hackers were able to bypass TouchID shortly after its release, fingerprint authentication is generally considered a more secure means of authentication than the password for most people, on most types of devices.

Scanner technology has evolved to include three types of sensors: optical, capacitive, and ultrasonic. Each of these sensors reacts differently depending on the materials and collection techniques. The most common type is capacitive, which uses the body's natural electrical current to read prints. Optical sensors use light to scan the print's image. Ultrasonic sensors, the newest type and commonly used for on-screen sensors, use an ultrasonic pulse to bounce off the finger; the echo is read by the fingerprint sensor. This type of sensor proved the easiest to bypass.

"Reaching this success rate was difficult and tedious work," write researchers Paul Rascagneres and Vitor Ventura in a blog post on their findings. "We found several obstacles and limitations related to scaling and material physical properties." Even so, the success rate indicates they have a "a very high probability" of unlocking test devices before they default into PIN unlocking. Fingerprint authentication is sufficient to protect most people, they concluded, but could put high-value targets at risk if a well-funded or highly motivated attacker decided to pursue them.

They set a $2,000 budget for materials to put this attack into a real-world context, Ventura explains in an interview with Dark Reading. "We didn't want to have a lot of money," he says. "We wanted to have this within budget so we could see if the average Joe could do this or not." If an everyday person could pull this off, they reasoned, a state-sponsored actor could do it.

There were three key goals for the project: to evaluate security improvements in fingerprint scanners, to understand how 3D printing technology affects fingerprint authentication, and to define a threat model for these attacks. The team created three scenarios for capturing fingerprints and creating molds, each of which was done in a different material depending on the context. The first scenario involved direct collection of the fingerprint; the second used sensor data from a fingerprint scanner. In the third, they lifted fingerprints from another object.

Once collected, the researchers created molds of the fingerprints using a 3D printer, which uses a toxic resin that has to be cured with a UV light. They tested several materials in the molds, including silicon and different kinds of glue mixed with conductive powder. To their surprise, the most effective material in their experiment was low-cost fabric glue.

"That was a surprise for us, the fabric glue," says Rascagneres. "It's the perfect material."

"It took us around three months to be able to do this," says Ventura, who notes this bypass would be "possible but very complex" for an everyday person to pull off. The size of the mold proved the greatest and most time-consuming challenge: when resin was cured under the UV light, the mold would shift in size. Because fingerprints are measured in nanometers, a slight change caused the scan to fail. The team made more than 50 molds throughout the project.

Putting Fake Prints to the Test
The researchers did 20 authentication attempts on each of 13 devices with the best fake fingerprint they were able to create. They tested a range of smartphones, laptops, tablets, and other devices, including the iPhone 8, Samsung S10, Macbook Pro 2018, Lenovo Yoga, and AICase Padlock. On some, they were completely unsuccessful: the Samsung A70 would not grant access to the fake fingerprint; neither would any devices running Microsoft's Windows 10.

Researchers note the A70 also had a low authentication rate with legitimate fingerprints. They emphasize that just because they had no success defeating the Windows login doesn't necessarily mean it's safer. Their project was intentionally low-budget, but a larger budget could enable attackers to develop a more effective means to break in.

As a control, they tested the same fingerprint on the MacBook Pro and achieved the same 95% unlocked success rate using the direct collection method, which proved the most effective of all three methods. The Honor 7x, also from Huawei, and Samsung S10 also showed higher success, particularly with the direct collection and fingerprint scanner methods. The researchers shared their findings with all device vendors.

"For a regular user, fingerprint authentication has obvious advantages and offers a very intuitive security layer," the researchers write in their post. "However, if the user is a potential target for funded attackers or their device contains sensitive information, we recommend relying more on strong passwords and token two-factor authentication."

Fingerprint authentication security "hasn't evolved much in seven years," says Ventura. Still, it's "good enough" for most people to rely on for security. They suggest manufacturers limit the number of scanning attempts in order to protect the security of each device. Apple, for example, imposes a limit of five attempts before asking the user for a PIN. Samsung did the same but required users to wait 30 seconds after five failed attempts, which can be repeated 10 times. The Honor device was tested more than 70 times and continued to allow scanning.

Related Content:

Check out this listing of free security products and services developed for Dark Reading by Omdia analysts to help you meet the challenges of COVID-19. 

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
User Rank: Apprentice
4/9/2020 | 3:53:41 AM

"Fingerprint scanners made their way into the mainstream around 2013, when Apple introduced TouchID in the iPhone 5."

TouchID debuted with the iPhone 5S, not the iPhone 5.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/13/2020
Where are the 'Great Exits' in the Data Security Market?
Dave Cole, Cofounder and CEO, Open Raven,  10/13/2020
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-19
Sprecher SPRECON-E firmware prior to 8.64b might allow local attackers with access to engineering data to insert arbitrary code. This firmware lacks the validation of the input values on the device side, which is provided by the engineering software during parameterization. Attackers with access to ...
PUBLISHED: 2020-10-19
In JetBrains YouTrack before 2020.2.10514, SSRF is possible because URL filtering can be escaped.
PUBLISHED: 2020-10-19
A DNS rebinding vulnerability in the UPnP MediaServer implementation in Freebox Server before 4.2.3.
PUBLISHED: 2020-10-19
A ictexpertcsvdownload expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).
PUBLISHED: 2020-10-19
A perfaddormoddevicemonitor expression language injection remote code execution vulnerability was discovered in HPE Intelligent Management Center (iMC) version(s): Prior to iMC PLAT 7.3 (E0705P07).