For nearly a decade now, fingerprint authentication has been a quicker and easier alternative for password security for smartphones and laptops. The early forms of fingerprint authentication were quickly bypassed; nevertheless, ever since the debut of Apple’s TouchID in the iPhone 5 seven years ago, the technology has become more advanced. However, researchers are now debating whether these fingerprint sensors can be tricked and defeated by 3D printers. Cisco Talos has found that it is possible for the three main kinds of sensors now used in fingerprint authentication to be bypassed.
The three kinds are optical, capacitance, and ultrasonic. Optical sensors are detectors that convert light, or a change in light, into an electronic signal; whereas capacitance sensors do the same to scan and generate an image of a finger, but with electrical current. Ultrasonic sensors use ultrasonic waves to bounce off a physical a finger, to create a more detailed and secure 3D map.
Two researchers, Paul Rascagneres and Vitor Ventura of Cisco Talos, published In a blog post on April 8, titled “Fingerprint cloning: myth or reality?“, the results of a study into how the sensors used in fingerprint biometric systems can be deceived, resulting in devices providing access to anyone.
“We wanted to see if fingerprint authentication was as safe as it should be,” Ventura said.
Conducting the research using 3D printers
With a 3D printer and a budget of less than $2,000 Researchers from Cisco Talos have achieved an 80 percent success rate on average defeating fingerprint scanners across a dozen devices. Although researchers said they had to create more than 50 molds and test them manually, which took months.
“It does not take a significant amount of money to bypass fingerprint-based authentication for most vendors,” Cisco Talos says. “The fact that home 3D printing technology can reach a resolution that makes fingerprints less secure than they were 10 years ago is concerning because everyone can access these printers. But it’s still not easy. It still takes a significant amount of effort and the ability to capture the print.”
The duo collected actual fingerprints of real people and created molds of the prints with 3D printers.
To make the molds, the researchers used an ultraviolet 3D printer. Then they tested several materials for casting the final dummy prints. Interestingly, they had the most success, casting the prints using fabric glue. They designed the casts as little sleeves that anyone can wear on their own finger.
The team tested devices manufactured by Samsung, Apple, and Huawei which were tricked by the attacks.
“3-D printing technologies made it possible for anyone to create fake fingerprints. But not only that, it also made it possible, with the right resources, to be done at scale,” Rascagneres and Ventura wrote.
“We were able to produce useful prints for most vendors,” Williams says. “For most users, fingerprint authentication is fine right now. But people just need to be aware that in a few years, as 3D printing technology advances, these biometrics may become something that home users need to consider moving away from.”
Secure Your Organization’s Mind with Securemind.se