It has been almost a decade since fingerprint sensors proliferated as a quick and easy unlock mechanism for smartphones and laptops. Attacks on these scanners have existed for just as long, although they were impractical for everyone except the most motivated, and well-funded, hackers. However, new research shows that the equipment required to reliably fake fingerprints and defeat these scanners has become significantly cheaper.
Cisco Talos researchers achieved an 80 percent success rate on average at defeating the fingerprint scanners on a dozen devices. All it took was a 3D printer to produce the fake prints and a budget under $2,000. They emphasize that fingerprint locks still provide adequate protection against malicious attacks for most needs, since the researchers' technique requires a copy of your fingerprint and physical access to your device. But even normal users should consider potential access requirements for law enforcement when choosing a device lock.
"Evading fingerprint-based authentication doesn't require a lot of money for most providers," said Craig Williams, who runs Talos. "The fact that 3D printing technology at home can achieve a resolution that makes fingerprints less secure than 10 years ago is worrying because everyone can access these printers. But it's still not easy, it still requires considerable effort and the ability to capture the print."
The researchers tested three different scenarios for capturing fingerprints. The first was direct collection, which involved taking a mold of the target's relevant fingerprint. The second used sensor data collected from a scanner, such as those at border crossings, and the third involved lifting prints from other objects, such as a bottle that the target had held.
To produce the molds, the researchers used a relatively inexpensive 3D printer that cures the resin it extrudes with UV light. Then they tested a range of materials, such as silicone, to cast the final dummy prints. Surprisingly, they had the greatest success when they cast the prints with fabric glue.
To make the fake fingerprints capacitive, so that sensor locks interpret them as real fingers, the researchers designed the prints as small sleeves that anyone can wear over their own fingers.
Overall, the results underscore the balance that manufacturers of consumer fingerprint sensors must strike between security and ease of use. If a sensor is tuned to resist false positives, it may also reject some legitimate attempts to unlock the device. On something like a smartphone or laptop, this friction can cause users to abandon the feature completely. However, a sensor that is too permissive could allow children to get into their parents' tablets. Or worse.
The price of a device did not appear to be a strong indicator of the robustness of its fingerprint sensor. The researchers were unable to fool Samsung's mid-range A70 smartphone, though it had an unusually high number of false negatives, but could consistently break into the flagship Samsung S10. They couldn't outsmart the Windows Hello framework in Windows 10, but they fooled Touch ID on the MacBook Pro. On a 2018 MacBook Pro, the team had a 95 percent unlock success rate with a print from direct collection, a 93 percent success rate with a print made from fingerprint data collected from a scanner, and a 60 percent success rate with a print made from a fingerprint lifted from an object.
The researchers shared their results with the device manufacturers, but say that they do not see the problems as previously unknown vulnerabilities. Instead, their work builds on known limitations of fingerprint scanner locks and underlines the need for ongoing verification. For example, in 2016 researchers from Michigan State University helped the Federal Bureau of Investigation unlock a victim's Samsung Galaxy S6 by reconstructing the victim's fingerprints. Potential law enforcement access is the largest factor that an average user generally needs to consider when choosing a device lock. In the United States, legal precedent is inconsistent as to whether law enforcement can force a suspect to use a fingerprint to unlock a device. However, in some cases, judges have found that they can force decryption. Currently, data protection advocates say you're less likely to be forced by law enforcement to unlock your device if it has a passcode instead of a biometric lock.