Cisco Talos researchers said they were able to trick biometrics-based user authentication technology on eight mobile devices by using 3D-printed molds to create replicas of users’ fingerprints.
The process Talos researchers developed to fabricate a user’s biometric signature required painstaking effort and, in real life, would require direct or indirect access to a potential victim’s fingerprints. For these reasons, this technique is not something that would likely be used by cybercriminals on a large scale to unlock people’s devices.
However, in a blog post today, Talos argues that a persistent or tenacious adversary could potentially use this technique to compromise a device belonging to a highly targeted individual.
Talos claims its fake fingerprints successfully bypassed biometric sensors about 80% of the time in testing. “[T]his success rate means we have a very high probability of unlocking one of the tested devices before it reverts to pin unlocking,” says the report, authored by Paul Rascagneres and Vitor Ventura. “The results show that fingerprints are good enough to protect the average person’s privacy if they lose their phone. However, someone who might be targeted by a well-funded and motivated actor should not use fingerprint authentication.”
For its experiment, Talos used three different methods to steal users’ fingerprints: direct collection, as if lifting them from an incapacitated person; via a fingerprint sensor, such as those used by border security or private security companies; or via a photograph of an object the subject had touched, such as a glass or bottle.
After collecting the fingerprint images, the researchers used a 3D printer to create a mold from which they created fake fingerprints from textile glue. They also tried creating the fake fingers with the 3D printer itself, but the end result was too “fragile, non-conductive, and stiff” to work well. Different resins may have solved this problem, however, the report notes.
The collection methods had their limitations, which required some trial and error, but ultimately the researchers achieved varying levels of success in fooling the sensors on a 5th generation iPad, iPhone 8, Samsung S10, Samsung Note9, Huawei P30 Lite, an Honor 7X (also from Huawei), a 2018 MacBook Pro and the AICase Padlock smart lock.
Depending on the device, direct fingerprint collection worked 60-100% of the time, sensor-based collection worked 55-100% of the time, and object-based collection 30-90% of the time. (See table below.) Percentages are based on 20 attempts per device after identifying the best sample of fake fingerprints available.
Talos was unable to fool fingerprint matching algorithms on Windows devices, the Samsung A70 (although the authentication rate even on real fingerprints with this phone is “extremely low”, reports Talos), the HP Pavilion X360 and two encrypted USB drives — the Verbatim Fingerprint Secure and the Lexar JumpDrive F35.
Because the researchers’ process required trying multiple fake impressions until they found one that worked consistently, Talos recommends manufacturers limit the number of attempts to unlock a phone to prevent this type of exploit.
“For example, Apple limits users to five attempts before prompting for the PIN on the device. The number of attempts was quickly reached in our testing,” the report said. “Samsung implemented the same mitigation but users have to wait 30 seconds after five failed attempts and we can do this 10 times, bringing the final number of attempts to 50, which is too high for adequate security. We have tested the fingerprint reader on the Honor device more than 70 times so we assume you can do it an unlimited number of times. We have the same behavior on the tested padlock, where we do not reach any limit of attempts.”
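As an added illustration of the attempt-limit mitigation the report recommends (example code, not Talos' own), the model below encodes the two policies quoted above, a hard five-attempt cap with PIN fallback and a five-attempt cap with a 30-second cooldown repeatable ten times, and shows how much an attacker's chance of getting through grows with the larger budget. The per-attempt success probability of a not-yet-tuned fake print is an assumed value; the policy names and class names are the example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    """Failed-attempt budget before biometric unlock falls back to the PIN."""
    name: str
    attempts_per_cycle: int  # failures allowed before a cooldown or lockout
    cycles: int              # cooldown cycles permitted; 1 means straight to PIN
    cooldown_s: int = 0      # wait imposed after each exhausted cycle

    def max_attempts(self) -> int:
        return self.attempts_per_cycle * self.cycles


# Policies as described in the Talos report quoted above.
APPLE_STYLE = LockoutPolicy("hard cap, PIN fallback", attempts_per_cycle=5, cycles=1)
SAMSUNG_STYLE = LockoutPolicy("5 tries, 30 s wait, 10 cycles", 5, 10, cooldown_s=30)


def bypass_probability(p_success: float, policy: LockoutPolicy) -> float:
    """Chance that at least one allowed attempt succeeds, treating each
    presentation of a fake print as an independent trial with p_success
    (p_success for an untuned fake is an assumed input, e.g. 0.05)."""
    return 1.0 - (1.0 - p_success) ** policy.max_attempts()


class BiometricGate:
    """Defender-side state machine that enforces a LockoutPolicy."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.failed_in_cycle = 0
        self.cycles_used = 0
        self.pin_required = False

    def attempt(self, sensor_match: bool) -> str:
        if self.pin_required:
            return "pin_required"          # biometric path closed until PIN entry
        if sensor_match:
            self.failed_in_cycle = 0
            return "unlocked"
        self.failed_in_cycle += 1
        if self.failed_in_cycle < self.policy.attempts_per_cycle:
            return "rejected"
        self.failed_in_cycle = 0
        self.cycles_used += 1
        if self.cycles_used >= self.policy.cycles:
            self.pin_required = True       # budget exhausted: fall back to PIN
            return "pin_required"
        return f"cooldown_{self.policy.cooldown_s}s"
```

With an assumed 5% per-attempt success for an untuned fake, the five-attempt hard cap leaves roughly a 23% bypass chance, while the 50-attempt budget raises it to about 92%, which is why the report calls 50 too high.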