Biometric authentication, including facial recognition and fingerprint scanners, is increasingly common, but that doesn’t mean it’s safe from hackers.
At the DEFCON Virtual Security Conference on August 8, security researcher Yamila Levalle of Dreamlab Technologies explained how she was able to bypass biometric authentication for a number of different types of fingerprint scanners. During her session, Levalle explained various workaround methods, including the use of a budget 3D printer, which has shown positive results.
“Biometrics is the science that helps establish or determine an identity, based on an individual’s physical or behavioral traits,” explained Levalle. “Biometric systems are basically pattern recognition systems that read as input biometric data, then extract the feature set from that data and finally compare it to a template stored in a database.”
Attacks on biometric systems
There are several types of possible attacks against biometric systems.
There are physical attacks against the sensors and there are presentation and impersonation attacks. Levalle noted that she was focusing on identity theft attacks: trying to trick a system into believing that a fraudulent fingerprint was in fact genuine.
Attacks on biometric systems are not hypothetical; they occur in the real world, which inspired Levalle to conduct her research. In her home country, Argentina, six employees of the airline Aerolineas Argentinas were arrested in 2019 for falsifying presence at work. Airline employees reportedly used silicone fingerprints to register other people who were not at work.
Tricking fingerprint scanners with 3D printed molds
Levalle explained that a fingerprint scanner doesn’t need to find all of the distinguishing features of a human fingerprint to work. Instead, she noted, it is just a matter of finding a sufficient number of features and patterns that the two prints have in common.
For her research into whether a 3D printed fingerprint can fool the majority of scanners, she said that a UV resin type 3D printer is needed. She used the economical Anycubic Photon 3D printer, as it can print at a resolution of 25 microns. Levalle said the ridges in human fingerprints can range between 20 and 60 microns in height.
The first step in her research was to lift the latent fingerprint with a digital camera that had macro image functionality. The image was then digitally enhanced with an open-source Python tool to optimize the fingerprint. The next step was to integrate the image into a 3D modeling tool, like TinkerCAD, to create the actual model.
The hardest part of the process, according to Levalle, was setting the fingerprint length and width to the same size as the original, which was not an easy task as she did not have a digital microscope to take measurements. Eventually, after more than 10 tries, she managed to 3D print a fingerprint that could trick scanners.
“It’s not easy to duplicate the fingerprint, it takes time and experience, but it can be done,” she said.