Researchers armed with a $2,000 budget and 13 smartphones, laptops, and other devices found it's possible to bypass fingerprint authentication with duplicate prints made on a cheap 3D printer. Their tests yielded around an 80% success rate on average; however, the attack isn't easy.
Fingerprint scanners made their way into the mainstream around 2013, when Apple introduced TouchID in the iPhone 5S. Biometric authentication has been made available on several kinds of devices: laptops, smartphones, padlocks, USB drives. Even though hackers were able to bypass TouchID shortly after its release, fingerprint authentication is generally considered a more secure means of authentication than the password for most people, on most types of devices.
Scanner technology has evolved to include three types of sensors: optical, capacitive, and ultrasonic. Each of these sensors reacts differently depending on the materials and collection techniques. The most common type is capacitive, which uses the body's natural electrical current to read prints. Optical sensors use light to scan the print's image. Ultrasonic sensors, the newest type and commonly used for on-screen sensors, use an ultrasonic pulse to bounce off the finger; the echo is read by the fingerprint sensor. This type of sensor proved the easiest to bypass.
"Reaching this success rate was difficult and tedious work," write researchers Paul Rascagneres and Vitor Ventura in a blog post on their findings. "We found several obstacles and limitations related to scaling and material physical properties." Even so, the success rate indicates they have a "a very high probability" of unlocking test devices before they default into PIN unlocking. Fingerprint authentication is sufficient to protect most people, they concluded, but could put high-value targets at risk if a well-funded or highly motivated attacker decided to pursue them.
They set a $2,000 budget for materials to put this attack into a real-world context, Ventura explains in an interview with Dark Reading. "We didn't want to have a lot of money," he says. "We wanted to have this within budget so we could see if the average Joe could do this or not." If an everyday person could pull this off, they reasoned, a state-sponsored actor could do it.
There were three key goals for the project: to evaluate security improvements in fingerprint scanners, to understand how 3D printing technology affects fingerprint authentication, and to define a threat model for these attacks. The team created three scenarios for capturing fingerprints and creating molds, each of which was done in a different material depending on the context. The first scenario involved direct collection of the fingerprint; the second used sensor data from a fingerprint scanner. In the third, they lifted fingerprints from another object.
Once collected, the researchers created molds of the fingerprints using a 3D printer, which uses a toxic resin that has to be cured with a UV light. They tested several materials in the molds, including silicon and different kinds of glue mixed with conductive powder. To their surprise, the most effective material in their experiment was low-cost fabric glue.
"That was a surprise for us, the fabric glue," says Rascagneres. "It's the perfect material."
"It took us around three months to be able to do this," says Ventura, who notes this bypass would be "possible but very complex" for an everyday person to pull off. The size of the mold proved the greatest and most time-consuming challenge: when resin was cured under the UV light, the mold would shift in size. Because fingerprints are measured in nanometers, a slight change caused the scan to fail. The team made more than 50 molds throughout the project.
Putting Fake Prints to the Test
The researchers did 20 authentication attempts on each of 13 devices with the best fake fingerprint they were able to create. They tested a range of smartphones, laptops, tablets, and other devices, including the iPhone 8, Samsung S10, Macbook Pro 2018, Lenovo Yoga, and AICase Padlock. On some, they were completely unsuccessful: the Samsung A70 would not grant access to the fake fingerprint; neither would any devices running Microsoft's Windows 10.
Researchers note the A70 also had a low authentication rate with legitimate fingerprints. They emphasize that just because they had no success defeating the Windows login doesn't necessarily mean it's safer. Their project was intentionally low-budget, but a larger budget could enable attackers to develop a more effective means to break in.
As a control, they tested the same fingerprint on the MacBook Pro and achieved the same 95% unlocked success rate using the direct collection method, which proved the most effective of all three methods. The Honor 7x, also from Huawei, and Samsung S10 also showed higher success, particularly with the direct collection and fingerprint scanner methods. The researchers shared their findings with all device vendors.
"For a regular user, fingerprint authentication has obvious advantages and offers a very intuitive security layer," the researchers write in their post. "However, if the user is a potential target for funded attackers or their device contains sensitive information, we recommend relying more on strong passwords and token two-factor authentication."
Fingerprint authentication security "hasn't evolved much in seven years," says Ventura. Still, it's "good enough" for most people to rely on for security. They suggest manufacturers limit the number of scanning attempts in order to protect the security of each device. Apple, for example, imposes a limit of five attempts before asking the user for a PIN. Samsung did the same but required users to wait 30 seconds after five failed attempts, which can be repeated 10 times. The Honor device was tested more than 70 times and continued to allow scanning.
Check out this listing of free security products and services developed for Dark Reading by Omdia analysts to help you meet the challenges of COVID-19.