Using simple collection methods, relatively cheap materials, and a consumer-grade 3D printer, researchers have constructed fake fingerprints that are able to bypass the fingerprint authentication systems on phones, laptops, and other devices with as much as an 80 percent success rate in some cases.
The researchers tested their printed fingerprints on a wide range of devices, including iPhones, Samsung phones, MacBooks, Windows laptops, and even some smart locks and USB drives. The success rate varied by platform and the type of fingerprint sensor used on the device; for example, the printed fingerprints didn’t work at all on Windows 10 laptops or the Samsung Galaxy A70. But the molded fingerprints worked pretty well against some iPhones, MacBook Pros, and other Android phones. The results of the research done by members of the Cisco Talos group show that while fingerprint authentication technology can be bypassed in some scenarios, it still presents a strong method of authentication in most use cases.
“Our tests showed that — on average — we achieved an ~80 percent success rate while using the fake fingerprints, where the sensors were bypassed at least once. Reaching this success rate was difficult and tedious work. We found several obstacles and limitations related to scaling and material physical properties,” Vitor Ventura and Paul Rascagneres of Talos said in their research analysis.
“Even so, this level of success rate means that we have a very high probability of unlocking any of the tested devices before it falls back into the pin unlocking. The results show fingerprints are good enough to protect the average person's privacy if they lose their phone.”
Attacks like the ones the Talos researchers performed are by no means simple or easy to execute. Rascagneres said the entire project took several months from start to finish. There are a number of difficult challenges involved, beginning with the collection of the target’s fingerprint. In this case, the researchers used three different methods: directly collecting a print in clay, collecting a print via a fingerprint sensor, and lifting a sample fingerprint from a glass. Each method has its advantages and disadvantages, and the researchers needed to use special methods to optimize and enhance each print. Another challenge is determining the ideal type of material for the mold, and after some trial and error, the researchers found that the best material varies by the type of sensor.
There are several types of fingerprint sensors, including ultrasonic, capacitive, and optical. Each one operates slightly differently, so the material used in the mold matters quite a bit.
“During our tests, it became clear that the material used is a determining factor depending on the kind of sensor, especially when comparing sonic with capacitive sensors. To increase our success rate, we used silicon and different kinds of glue, mixed with conductive (graphite and aluminum) powder,” the researchers said.
After making the 3D-printed molds, the researchers cured them in a UV chamber and then used the molds to create the fingerprints. They then began the testing process. Mobile devices, which represent the most common use case for fingerprint sensors for most people, proved to be the best targets.
“These devices were also the targets of some of the first research into fingerprint authentication, which should give this platform more maturity in the technology. However, the results show that mobile phone fingerprint authentication has weakened compared to when it was first broken in 2013,” they said.
As with security in general, the effectiveness of a specific defensive technique or technology will depend greatly on the threat model. Most people are relying on fingerprint sensors to protect against a random stranger being able to unlock their phone if it's lost or stolen, and the sensors do a proper job at that. Someone who might be the target of an intelligence agency or other well-funded attacker has a different threat model and may want to employ other measures.
“For a regular user, fingerprint authentication has obvious advantages and offers a very intuitive security layer. However, if the user is a potential target for funded attackers or their device contains sensitive information, we recommend relying more on strong passwords and token two-factor authentication,” Ventura and Rascagneres said.