Many people around the world use biometric recognition systems as an authentication method, but research conducted by the Cisco Talos threat intelligence team demonstrated that fingerprint scanners are not secure. The researchers managed to hack several devices using a 3-D printer, software, and low-cost glue.
The research consisted of two stages: collection and creation. The first stage involved collecting a fingerprint directly from the targeted user or from a surface touched by the victim. The researchers then used a 3-D printer to create the molds based on the previously gathered information.
For their experiments, the researchers used the publicly available fingerprints of nefarious gangster Al Capone.
The team created fake fingerprints by filling the mold with low-cost fabric glue and tested them against capacitive, optical, and ultrasonic sensors. Although Cisco Talos did not find major differences in terms of security, the team said that they achieved the highest success rate against ultrasonic sensors.
In the case of mobile devices (including the iPhone 8 and Samsung S10) and laptops (including the Samsung Note 9, Lenovo Yoga and HP Pavilion X360), the researchers said their fake fingerprints didn't work on the Samsung A70 and had no success against the Windows Hello framework, which is only available on Windows 10. When testing five different Windows platforms, the results were the same.
“As a control, we tested the same clone on the MacBook Pro and we got the same 95 percent unlocked success rate. The reason for the better and recurrent results from the Windows platforms is the fact that on all platforms the comparison algorithm resides on the OS, thus is shared among all platforms,” the team said.
The researchers also tested the fake fingerprints on a smart padlock and two USB-encrypted thumb drives from Verbatim and Lexar. In both cases they failed to bypass the fingerprint authentication.
“We achieved an ~80 percent success rate while using the fake fingerprints, where the sensors were bypassed at least once. Reaching this success rate was difficult and tedious work. We found several obstacles and limitations related to scaling and material physical properties. Even so, this level of success rate means that we have a very high probability of unlocking any of the tested devices before it falls back into the pin unlocking,” the researchers said.
“The results show fingerprints are good enough to protect the average person's privacy if they lose their phone. However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication.”