9 April 2020

Researchers fool biometric scanners using 3D-printed fingerprints


Many people around the world use biometric recognition systems as an authentication method, but research conducted by the Cisco Talos threat intelligence team demonstrated that fingerprint scanners are not secure. The researchers managed to hack several devices using a 3-D printer, software, and low-cost glue.

The research consisted of two stages: collection and creation. The first stage involved collecting a fingerprint directly from the targeted user or from a surface touched by the victim. The researchers then used a 3-D printer to create the molds based on the previously gathered information.

For their experiments, the researchers used the publicly available fingerprints of nefarious gangster Al Capone.

The team created fake fingerprints by filling the mold with low-cost fabric glue and tested them against capacitive, optical, and ultrasonic sensors. Although Cisco Talos did not find major differences in terms of security, the team said that they achieved the highest success rate against ultrasonic sensors.

In the case of mobile devices (including the iPhone 8 and Samsung S10) and laptops (including the Samsung Note 9, Lenovo Yoga and HP Pavilion X360), the researchers said their fake fingerprints didn't work on the Samsung A70 and had no success against the Windows Hello framework, which is only available on Windows 10. When testing five different Windows platforms, the results were the same.

“As a control, we tested the same clone on the MacBook Pro and we got the same 95 percent unlocked success rate. The reason for the better and recurrent results from the Windows platforms is the fact that on all platforms the comparison algorithm resides on the OS, thus is shared among all platforms,” the team said.

The researchers also tested the fake fingerprints on a smart padlock and two USB-encrypted thumb drives from Verbatim and Lexar. In both cases, they failed to bypass the fingerprint authentication.

“We achieved an ~80 percent success rate while using the fake fingerprints, where the sensors were bypassed at least once. Reaching this success rate was difficult and tedious work. We found several obstacles and limitations related to scaling and material physical properties. Even so, this level of success rate means that we have a very high probability of unlocking any of the tested devices before it falls back into the pin unlocking,” the researchers said.

“The results show fingerprints are good enough to protect the average person's privacy if they lose their phone. However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication.”
