9 April 2020

Researchers fool biometric scanners using 3D-printed fingerprints



Many people around the world use biometric recognition systems as an authentication method, but research conducted by the Cisco Talos threat intelligence team demonstrated that fingerprint scanners are not secure. The researchers managed to hack several devices using a 3-D printer, software, and low-cost glue.

The research consisted of two stages: collection and creation. The first stage involved collecting a fingerprint directly from the targeted user or from a surface touched by the victim. The researchers then used a 3-D printer to create the molds based on the previously gathered information.

For their experiments, the researchers used the publicly available fingerprints of nefarious gangster Al Capone.

The team created fake fingerprints by filling the mold with low-cost fabric glue and tested them against capacitive, optical, and ultrasonic sensors. Although Cisco Talos did not find major differences in terms of security, the team said that they achieved the highest success rate against ultrasonic sensors.

In the case of mobile devices (including the iPhone 8 and Samsung S10) and laptops (including the Samsung Note 9, Lenovo Yoga and HP Pavilion X360), the researchers said their fake fingerprints didn't work on the Samsung A70 and had no success against the Windows Hello framework, which is only available on Windows 10. When testing five different Windows platforms, the results were the same.

“As a control, we tested the same clone on the MacBook Pro and we got the same 95 percent unlocked success rate. The reason for the better and recurrent results from the Windows platforms is the fact that on all platforms the comparison algorithm resides on the OS, thus is shared among all platforms,” the team said.

The researchers also tested the fake fingerprints on a smart padlock and two USB-encrypted thumb drives from Verbatim and Lexar. In both cases they failed to bypass the fingerprint authentication.

“We achieved an ~80 percent success rate while using the fake fingerprints, where the sensors were bypassed at least once. Reaching this success rate was difficult and tedious work. We found several obstacles and limitations related to scaling and material physical properties. Even so, this level of success rate means that we have a very high probability of unlocking any of the tested devices before it falls back into the pin unlocking,” the researchers said.

“The results show fingerprints are good enough to protect the average person's privacy if they lose their phone. However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication.”
