Researchers at the Cisco Talos cybersecurity group demonstrated how they were able to trick and bypass the fingerprint authentication systems on phones, laptops, and other devices by using fake fingerprints created with 3D printing technology and textile glue.
According to the researchers, Paul Rascagneres and Vitor Ventura, the printed fake fingerprints were tested on a wide range of devices and achieved roughly an 80% success rate on average.
There are three main types of fingerprint sensors: capacitive, optical and ultrasonic. Each type responds slightly differently to a fake fingerprint, depending on the material and collection method used for the mould.
The most common type is capacitive, which uses the body’s natural electrical current to read the fingerprint, while optical sensors use light to scan and create an image of a finger. Ultrasonic sensors, the newest type and frequently used for on-screen sensors, bounce ultrasonic waves off a physical object, in this case a finger; the echo is read by the fingerprint sensor, which makes the ultrasonic sensor the easiest to bypass.
“Our tests showed that — on average — we achieved an ~80 percent success rate while using the fake fingerprints, where the sensors were bypassed at least once. Reaching this success rate was difficult and tedious work. We found several obstacles and limitations related to scaling and material physical properties,” Vitor Ventura and Paul Rascagneres of Talos explained in their research analysis.
“Even so, this level of success rate means that we have a very high probability of unlocking any of the tested devices before it falls back into the pin unlocking. The results show fingerprints are good enough to protect the average person’s privacy if they lose their phone. However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication.”
The researchers used a 3D printer to create molds and cured them in a UV chamber. They used the molds to create fake fingerprints and then cast them onto materials that included silicon and fabric glue.
“During our tests, it became clear that the material used is a determining factor depending on the kind of sensor, especially when comparing sonic with capacitive sensors. To increase our success rate, we used silicon and different kinds of glue, mixed with conductive (graphite and aluminum) powder,” they said.
The researchers had a budget of $2,000 as well as 13 smartphones, laptops, and other devices for the testing process. To start the testing process, the researchers used infamous gangster Al Capone’s publicly available fingerprints as an example. Mobile devices proved to be the best targets, as most people commonly use fingerprint sensors on their devices.
“These devices were also the targets of some of the first research into fingerprint authentication, which should give this platform more maturity in the technology. However, the results show that mobile phone fingerprint authentication has weakened compared to when it was first broken in 2013,” they said.
The researchers successfully tested the fake fingerprints on the iPhone 8, Samsung S10, Huawei P30 Lite, MacBook Pro 2018, iPad 5th Gen, Samsung Note 9, Honor 7X, and an AICase Padlock. However, they were unable to access the Samsung A70 phone, the Lexar Jumpdrive Fingerprint F35, or the Verbatim Fingerprint Secure USB-encrypted pen drive.
The researchers concluded that fingerprint authentication is adequate for the majority of the population, considering that the process to bypass it is very complex, time-consuming and expensive for an everyday person to pull off.
“For a regular user of fingerprint authentication, the advantages are obvious, and it should be used. However, if the user is more high-profile or their device contains sensitive information, we recommend relying more on strong passwords and token two-factor authentication,” they wrote.