For years, the security of fingerprint-based authorization has been a topic of fierce debate. Back in 2013, shortly after the release of the iPhone 5S with TouchID, researchers showed the technology was crackable by photographing a fingerprint on a glass surface and using it to make a mold that could fool the system. But technology never stands still, and subsequent improvements offered some hope.
Last year, for example, manufacturers began equipping smartphones with ultrasound fingerprint scanners concealed under the screen, doing away with the need for additional panels and being, at least in theory, more secure.
Our colleagues at Cisco Talos decided to see how easily they could trick various types of fingerprint scanners in modern devices, or whether the technology is at last secure.
Fingerprint authorization — theory
First, a refresher on how fingerprint scanners work. The basic idea is simple: Place your finger on a smartphone or laptop scanner or smart lock and the sensor extracts an image of your fingerprint. Each type of scanner recognizes fingerprints in its own way. The Cisco Talos team focused on the three most popular:
- Capacitive scanners are the most common. They create an image by means of a small electric charge generated by miniature built-in capacitors that can store electricity. When the finger touches the scanner, it discharges these capacitors. Greater contact (fingerprint ridges) causes more discharge; gaps between the skin and the sensor (fingerprint valleys) cause less. The scanner measures the difference and determines the pattern.
- Optical scanners basically take a photograph of the fingerprint. The device lights up the finger through a prism, the ridges and valleys reflect this light differently, and the sensor reads the information and converts it into an image.
- Ultrasound scanners use an ultrasound signal instead of light, and record the echo generated by ridges and valleys (as with light reflection, ridges and valleys have different echoes). This type of scanner does not need to be in contact with the finger, so it can be located under the screen. What’s more, it “hears” not only the part of the finger close to the surface, but also the edges further away from the sensor, so that the image is closer to three-dimensional, which helps the scanner detect fakes using flat copies of prints.
Having gotten your fingerprint, the scanner or operating system matches it against the one stored in the device. Because no existing fingerprint-reading method is perfect, each manufacturer allows a certain margin of error.
The higher that margin, the easier it is to fake a fingerprint. If the settings are stricter and the margin of error is lower, the scanner is harder to trick, but the gadget is also more likely to fail to recognize its real owner.
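The trade-off described above, worked through on constructed numbers. This is an added example, not code from the article or from the Cisco Talos research; the similarity scores, the 0-to-1 scale and the function names are assumptions made for illustration.

```python
# Added illustration: the matcher's acceptance threshold (the "margin of error")
# trades spoof acceptance against rejecting the real owner.
# All scores are constructed sample data, not measurements from the research.

# Similarity in [0, 1] between a presented print and the enrolled template.
GENUINE = [0.91, 0.88, 0.79, 0.95, 0.72, 0.85, 0.67, 0.90, 0.83, 0.76]  # owner
SPOOF = [0.81, 0.74, 0.69, 0.58, 0.86, 0.77, 0.62, 0.71, 0.55, 0.80]    # fakes


def rates(threshold, genuine=GENUINE, spoof=SPOOF):
    """Return (false_accept_rate, false_reject_rate) at a match threshold.

    A presentation is accepted when its score is >= threshold.
    """
    false_accepts = sum(1 for s in spoof if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(spoof), false_rejects / len(genuine)


def loosest_threshold_for(max_far, genuine=GENUINE, spoof=SPOOF):
    """Lowest threshold whose false accept rate is <= max_far.

    Returns (threshold, far, frr). Candidates are the observed scores plus
    1.01, which rejects every score, so a result always exists.
    """
    for t in sorted(set(genuine) | set(spoof)) + [1.01]:
        far, frr = rates(t, genuine, spoof)
        if far <= max_far:
            return t, far, frr


def sweep(thresholds):
    """Tabulate (threshold, FAR, FRR) rows for a list of thresholds."""
    return [(t, *rates(t)) for t in thresholds]


if __name__ == "__main__":
    for t, far, frr in sweep([0.60, 0.70, 0.80, 0.90]):
        print(f"threshold={t:.2f}  fakes accepted={far:.0%}  owner rejected={frr:.0%}")
    # Demanding zero accepted fakes costs the owner most of their attempts.
    print(loosest_threshold_for(0.0))
```

On this sample data, a threshold strict enough to reject every fake also rejects the owner in 6 of 10 attempts, which is the usability cost a manufacturer weighs when setting the margin.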
How the researchers faked fingerprints
To make a physical copy of a fingerprint, you obviously have to acquire one. The research team found three ways to do that.
How to steal a fingerprint. Method 1: Make a mold
It is possible to take a mold of the target fingerprint when, say, the victim is unconscious or indisposed. Any soft material that sets is suitable; for example, modeling clay.
An attacker can then use the mold to make a fake fingertip. The obvious difficulty is that the attacker needs the victim to be in a suitable state and physically accessible.
How to steal a fingerprint. Method 2: Get hold of a scanner image
Another way is to get hold of a fingerprint taken with a scanner. This method is technically more complicated, but the good news for petty thieves is that not all companies that handle biometric data store it securely. So it’s not impossible to find scanned fingerprints online or buy them cheaply on the darknet.
Next, the flat image has to be turned into a 3D model and printed on a 3D printer, and here the researchers ran into several problems. First, the program in which the researchers created the drawing did not allow them to set its size. Second, the photopolymer used in the budget 3D printer had to be heated after printing, which altered the dimensions of the model.
Third, when the researchers finally managed to make a proper model, it turned out that the polymer it was made of was too hard, and not a single scanner was fooled by it. As a workaround, instead of a model of a finger, the researchers decided to print a cast, which they then used to make a prosthetic finger from a more elastic material.
How to steal a fingerprint. Method 3: Take a photo of a fingerprint on a glass surface
Another option, and also the simplest, is to photograph the target fingerprint on a glass surface. That’s exactly what happened in the case of the iPhone 5S. The image is processed to get the required level of clarity, and then, as before, goes to a 3D printer.
As the researchers noted, the experiments with 3D printing were long and tedious. They had to calibrate the printer and find the right-size mold by trial and error, and the actual printing of each model (50 in total) with the required settings took an hour. So, making a fake fingerprint to unlock a stolen smartphone isn’t something that can be done quickly. Nor is copying the fingerprint of a sleeping victim a super-fast method.
Making a mold to fabricate the fingerprint is half the battle. The choice of material for the model itself turned out to be far more difficult, because the fake was bound for testing on three types of sensors, each with a different fingerprint-reading method. For example, whether a material can conduct current is irrelevant for ultrasonic and optical sensors, but not for the capacitive type.
However, as it happens, this part of the process is accessible to anyone: The best material for fake prints is cheap fabric glue.
What devices were cracked with fake fingerprints
The researchers tested their fakes on a number of smartphones, tablets, and laptops from different manufacturers, as well as on a smart lock and two USB drives protected with a fingerprint sensor: the Verbatim Fingerprint Secure and the Lexar Jumpdrive Fingerprint F35.
The results were rather discouraging: The majority of smartphones and tablets could be tricked 80%–90% of the time, and in some cases the success rate was 100%. The 3D-printed molds were at the less-effective end of the scale, but the difference was not large; all three methods described above work well.
There were exceptions. For instance, the research team was completely unable to crack the Samsung A70 smartphone — although it’s worth mentioning that the A70 is also the most likely not to recognize its real owner.
Devices running Windows 10 also turned out to be impenetrable, regardless of the manufacturer. The researchers ascribe this remarkable consistency to the fact that the operating system itself does the fingerprint matching, so not much depends on the device manufacturer.
Meanwhile, the protected flash drives proved themselves worthy of the name, although our colleagues warn that they too could be susceptible to a more sophisticated attack.
And last but not least, the easiest of all to fool were ultrasonic fingerprint scanners. Despite their ability to perceive a 3D image, they read fake prints as genuine when a real finger pressed the fake to the sensor.
Fingerprint protection for ordinary users
According to the researchers, the security of fingerprint-based authorization leaves a lot to be desired, and to some extent the situation has even deteriorated compared with previous years.
That said, making a fake finger is a rather expensive process, at least timewise, which means that the ordinary user has nothing to fear. But if you happen to be in the crosshairs of a well-funded criminal group or intelligence service, it’s a different story. In that case, it is best to protect all your devices with a good old-fashioned password. After all, cracking a strong one is more difficult, and you can always change it if you suspect it might have fallen into the wrong hands.