3D-printed 'fake fingerprints' can bypass fingerprint scanners, researchers warn
Ultrasonic sensors are easiest to fool
It is possible to create 'fake fingerprints' in labs that are able to bypass most fingerprint scanners used in popular devices, including those from Apple, Samsung and Huawei.
That's according to researchers from Cisco Talos, who say they created fake fingerprints with the help of 3D printing technology as part of their research. Those fingerprints were then tested on a variety of devices, including laptops, smartphones and other smart devices from different brands.
"Our tests showed that — on average — we achieved an ~80 per cent success rate while using the fake fingerprints, where the sensors were bypassed at least once," stated Paul Rascagneres and Vitor Ventura, two security analysts at Cisco's Talos Security Intelligence and Research Group.
But achieving this success rate was costly and tedious work, according to the researchers. It took them 50 attempts to create a fake fingerprint that was eventually able to bypass scanners.
The researchers said they first created a mould using a 3D printer and then produced the fake fingerprint using fabric glue.
The main challenge in the entire exercise was to create the correct size for the fake fingerprint. Just a one per cent difference in size meant the fake fingerprint wouldn't be able to fool the scanner.
The researchers tested the following devices in this study:
- iPhone 8
- iPad fifth generation
- Samsung Note 9
- Samsung S10
- Samsung A70
- MacBook Pro 2018
- Honor 7X
- HP Pavilion x360
- Huawei P30 Lite
- Lenovo Yoga
- A smart padlock
- Verbatim Fingerprint Secure
- Lexar Jumpdrive F35
These devices use three main kinds of sensors: optical, capacitive and ultrasonic, of which ultrasonic models were easiest to fool.
The researchers said they were able to unlock the MacBook Pro 2018 laptop in 95 per cent of tests, but the fake fingerprint failed each time when tested on five Windows platforms. That does not necessarily mean that Windows devices are safer in terms of fingerprint authentication compared to other devices, according to the researchers. Rather, it could be just that the approach used by them failed to work on those devices.
Two Lexar and Verbatim USBs were also tested, and neither of them was found to be vulnerable to fake fingerprints.
However, the researchers were able to break into an Aicase smart lock.
"For a regular user, fingerprint authentication has obvious advantages and offers a very intuitive security layer," the researchers said.
"However, if the user is a potential target for funded attackers or their device contains sensitive information, we recommend relying more on strong passwords and token two-factor authentication."