Researchers armed with a budget of $ 2,000 and 13 smartphones, laptops and other devices discovered that it was possible to bypass fingerprint authentication with duplicate prints made on a cheap 3D printer. Their tests gave an average success rate of about 80%; however, the attack is not easy.
Fingerprint scanners first appeared around 2013, when Apple introduced TouchID in the iPhone 5S. Biometric authentication is now available on several types of devices: laptops, smartphones, padlocks, USB keys. Even though hackers were able to bypass TouchID soon after its release, fingerprint authentication is generally considered a more secure means of authentication than password for most people, on most types of companies. devices.
Scanner technology has evolved to include three types of sensors: optical, capacitive, and ultrasonic. Each of these sensors reacts differently depending on the materials and collection techniques. The most common type is capacitive, which uses the body’s natural electrical current to read fingerprints. Optical sensors use light to scan the image of the print. Ultrasonic sensors, the newer and commonly used type for on-screen sensors, use an ultrasonic pulse to bounce off the finger; the echo is read by the fingerprint sensor. This type of sensor has proven to be the easiest to circumvent.
“Achieving this success rate has been difficult and time-consuming work,” write researchers Paul Rascagneres and Vitor Ventura in a blog post about their findings. “We found several obstacles and limitations related to the scaling and physical properties of materials.” Even so, the success rate indicates that they have a “very high probability” of unlocking test devices before they default to PIN unlock. Fingerprint authentication is enough to protect most people, they concluded, but could endanger high-value targets if a well-funded or highly motivated attacker decides to prosecute them.
They budgeted $ 2,000 for hardware to put this attack into real context, Ventura explains in an interview with Dark Reading. “We didn’t want to have a lot of money,” he says. “We wanted it to be on budget so we could see if the average Joe could do it or not.” If an ordinary person could pull it off, they believed, a state-sponsored actor could do it.
The project had three key objectives: to assess improvements in fingerprint scanner security, understand how 3D printing technology affects fingerprint authentication, and define a threat model for these attacks. The team created three scenarios to capture fingerprints and create molds, each made of a different material depending on the context. The first scenario involved the direct collection of the fingerprint; the second used data from a fingerprint sensor. In the third, they took the fingerprints of another object.
Once collected, the researchers created molds of the fingerprints using a 3D printer, which uses a toxic resin that must be cured with UV light. They tested several materials in the molds, including silicon and different types of glue mixed with conductive powder. To their surprise, the most effective material in their experience was low cost fabric glue.
“It was a surprise for us, the fabric glue”, explains Rascagneres. “It’s the perfect material.”
“It took us about three months to be able to do it,” says Ventura, who notes that this workaround would be “possible but very complex” for an ordinary person to perform. The biggest and longest challenge was the size of the mold: When the resin was cured under UV light, the size of the mold changed. Since fingerprints are measured in nanometers, a slight change caused the scan to fail. The team made over 50 molds throughout the project.
Putting false impressions to the test
The researchers made 20 authentication attempts on each of the 13 devices with the best fake fingerprint they could create. They tested a range of smartphones, laptops, tablets, and other devices, including the iPhone 8, Samsung S10, Macbook Pro 2018, Lenovo Yoga, and the AICase padlock. On some, they failed completely: the Samsung A70 did not grant access to the fake fingerprint; nor any device running Windows 10 from Microsoft.
The researchers note that the A70 also had a low authentication rate with legitimate fingerprints. They point out that just because they failed to defeat Windows login doesn’t necessarily mean it’s safer. Their project was intentionally low budget, but a larger budget could allow attackers to develop a more efficient means of breaking and entering.
As a control, they tested the same fingerprint on the MacBook Pro and got the same 95% unlock success rate using the direct collection method, which was found to be the most effective of the three methods. The Honor 7x, also from Huawei, and the Samsung S10 have also had better success, especially with the direct collection and fingerprint scanning methods. The researchers shared their findings with all device vendors.
“For a regular user, fingerprint authentication has obvious advantages and offers a very intuitive layer of security,” the researchers write in their article. “However, if the user is a potential target for funded attackers or their device contains sensitive information, we recommend relying more on strong passwords and two-factor token authentication.”
The security of fingerprint authentication “hasn’t changed much in seven years,” Ventura says. Still, it’s “good enough” that most people rely on security. They suggest that manufacturers limit the number of scan attempts in order to protect the security of each device. Apple, for example, imposes a limit of five attempts before asking the user for a PIN. Samsung did the same but asked users to wait 30 seconds after five failed attempts, which can be repeated 10 times. The Honor device has been tested over 70 times and has continued to allow scanning.