It’s been nearly a decade since fingerprint sensors proliferated as a quick and easy unlocking mechanism for smartphones and laptops. Attacks to defeat these scanners have been around just as long, albeit impractical for all but the most motivated—and well-financed—hackers. But new research shows that the equipment needed to reliably spoof fingerprints and break into devices has gotten dramatically cheaper.
Researchers from Cisco Talos have achieved an 80 percent success rate on average defeating fingerprint scanners across a dozen devices. All it took was a 3D printer to crank out imposters, and a budget under $2,000. They stress that fingerprint locks still provide adequate protection against malicious attack for most needs, since their technique requires getting a copy of your fingerprint as well as physical access to your device. But even regular users should still consider potential law enforcement access requests when choosing a device lock—especially given that the barriers to breaking fingerprint lock defenses are lower than ever.
“It does not take a significant amount of money to bypass fingerprint-based authentication for most vendors,” says Craig Williams, who runs Talos. “The fact that home 3D printing technology can reach a resolution that makes fingerprints less secure than they were 10 years ago is concerning, because everyone can access these printers. But it’s still not easy. It still takes a significant amount of effort and the ability to capture the print.”
The researchers tested three different scenarios for capturing fingerprints. The first was direct collection, where they took a mold of the target’s relevant fingerprint. The second used sensor data gathered from a scanner like those at border crossings, and the third involved lifting prints from other objects like a bottle the target had held.
To make the molds, the researchers used a relatively inexpensive ultraviolet 3D printer that cures the resin it extrudes with UV light. Then they tested a number of materials, like silicone, for casting the final dummy prints. Surprisingly, they had the most success when they cast the prints using fabric glue.
To make the fingerprints capacitive so sensor locks would interpret them as real fingers, the researchers designed the casts as little sleeves that anyone can wear on their own finger, essentially creating a fingerprint disguise.
Overall, the findings highlight the balance that consumer fingerprint sensor makers must strike between security and usability. If a sensor is set to strongly resist false positives it will likely also reject some legitimate attempts to unlock the device. In something like a smartphone or laptop, that friction can cause users to abandon the feature entirely. A sensor that’s too permissive, though, could allow kids to get into their parents’ tablets. Or worse.
A device’s price didn’t appear to be a strong indicator of its fingerprint sensor’s robustness. The researchers were unable to fool the Samsung’s midrange A70 smartphone at all—though did encounter an unusual amount of false negatives—but could consistently break into the flagship Samsung S10. They weren’t able to trick the Windows Hello framework in Windows 10, but did fool the MacBook Pro’s TouchID. On a 2018 MacBook Pro the team logged a 95 percent unlock success rate with a print cast from direct collection, a 93 percent success rate with a print made using fingerprint data from a scanner, and a 60 percent success rate with a print made from a lifted fingerprint. The researchers noted, though, that Apple’s five attempt limit on fingerprint scans is an effective protection overall against such attacks. If the researchers hadn’t known the fallback pins of the devices they were attempting to break into, they wouldn’t have had enough attempts available to achieve such a high success rate.