New research by Cisco Talos shows that fingerprint-scanning technology can be beaten relatively easily by lifting actual fingerprints and reproducing them through 3D printers.
In the blog post titled “Fingerprint cloning: Myth or reality?”, Cisco Talos researchers Paul Rascagneres and Vitor Ventura detailed how they were able to collect actual fingerprints of real people and then create molds of the prints via 3D printers, which enabled them to bypass the popular smartphone security feature.
On average, the duo boasted an 80-percent success rate with the fake fingerprints.
“Reaching this success rate was difficult and tedious work,” the blog post said. “We found several obstacles and limitations related to scaling and material physical properties. Even so, this level of success rate means that we have a very high probability of unlocking any of the tested devices before it falls back into the pin unlocking.”
Rascagneres and Ventura spent about $2,000 over the course of several months testing fingerprint authentication offered by Apple, Microsoft, Samsung, Huawei and three lock makers.
The researchers noted that fingerprint authentication is generally effective for everyday users, but the security is riddled with shortcomings when one is looking to protect highly sensitive data. Fingerprint authentication is also a definite no-no if you are the target of nation-sponsored hackers or other well-heeled and skilled attack groups.
The devices that were the most vulnerable were the AICase padlock, Huawei’s Honor 7x and Samsung’s Note 9 Android phones, all of which were bypassed 100 percent of the time. Fingerprint authentication for the iPhone 8, 2018 MacBook Pro and the Samsung S10 didn’t fare much better, as the success rate surpassed 90 percent.
“3D-printing technologies made it possible for anyone to create fake fingerprints,” the blog post said. “But not only that, it also made it possible, with the right resources, to be done at scale.”
Fingerprint scanning is the most common type of biometric authentication used today, ahead of retina scanning and the burgeoning facial-recognition technology. For decades, such use of fingerprints to authenticate users was mostly limited to bigger and well-resourced organizations. That, however, quickly changed in 2013 when Apple introduced the Touch ID.
This isn’t the first time researchers have openly examined the effectiveness of biometric authentication. In 2018, researchers at New York University's Tandon School of Engineering and Michigan State University were able to develop artificial DeepMasterPrints, which are AI-generated images of fake fingerprints that could fool biometric sensors.
Ethen Kim Lieser is a Tech Editor who has held posts at Google, The Korea Herald, Lincoln Journal Star, AsianWeek and Arirang TV.