The 3D printed duplicates worked on phone and a MacBook Pro laptop but not on Windows machines or two USB jump drives.
Two security researchers used a 3D printer and fabric glue to create a fake fingerprint that fooled authentication sensors 80% of the time. The other key ingredients were time and patience: It took 50 tries to create a fake that succeeded.
Security analysts Paul Rascagneres and Vitor Ventura explained their experiment in a new report, “Fingerprint Cloning: Myth or Reality?” The two analysts work for Cisco’s Talos Security Intelligence and Research Group. The researchers used a 3D printer to create a mold and then recreated the fingerprint with fabric glue.
The tests showed an average success rate of about 80%, which means that the fake fingerprints fooled the sensors on laptops, phones, and smart devices at least once. Reaching this success rate was difficult and tedious work, the researchers said.
The biggest challenge was getting the size right for the fake fingerprint; 1 percent too small or too large and the fake fingerprint did not work. Rascagneres duplicated his own fingerprint in the experiment. He said the biggest hurdle was getting the right size for the fake print.
“You need the exact size the sensor is expecting and 3D printing is not designed for that,” he said.
SEE: Cybersecurity: Let’s get tactical (free PDF)
Ventura said the goal of the experiment was to encourage companies and individuals to think twice about relying on fingerprint authentication.
“It’s fine for protecting the average person’s security, but for certain users like journalists or politicians, fingerprints wouldn’t be recommended,” he said.
Ventura said that if a bad actor wanted to install malware on a person’s phone, the biggest impediment is the time it takes to unlock the phone.
He added that fingerprint authentication hasn’t evolved much since 2013 when it was first introduced.
“If anything, it has diminished a little bit because there is technology now that was not available when this was first launched,” he said.
With the experiment the researchers wanted to answer three questions:
- What are the security improvements in fingerprint scanning since it was first defeated on the iPhone 5?
- How does 3D printing technology impact fingerprint authentication?
- What threat models reflect realistic scenarios?
Rascagneres and Ventura also set a low budget for the project, with the assumption that if fingerprints can be replicated with low-cost supplies, the same duplication would be easy for state-sponsored actors with generous funding.
Which devices were fooled?
According to the results of the experiment, mobile phone fingerprint authentication has weakened compared to when it was first broken in 2013. The researchers found no clear advantage among the three types of sensors they tested.
When testing the fake print with a MacBook Pro, the researchers were able to unlock the laptop in 95% of tests. They also tested five Windows platforms and the fake print failed each time. Rascagneres and Ventura wrote that the comparison algorithm that checks the validity of the fingerprint resides in the Windows OS and is shared across all platforms.
“In this case, we think we didn’t succeed because the Microsoft algorithm checks more points on the fingerprint than other algorithms,” Rascagneres said.
Rascagneres said it’s usually harder to fool a fingerprint scanner on a laptop than on a phone.
“With a phone, you unlock it a lot but for a laptop it is different, so it’s easy to have something more strict than on a mobile device,” he said.
The team also tested a padlock and two USB-encrypted pen drives. The padlock authentication was fooled more than 80% of the time, but the fake print never worked with the Verbatim Fingerprint Secure and a Lexar Jumpdrive Fingerprint F35.
The team tested three types of sensors—capacitive, optical, and ultrasonic. According to the report, most of the sensors are developed by third-party companies and then integrated into the device, except for Apple, which builds its own sensors after acquiring AuthenTec in 2012.
The researchers tested these devices:
- iPad fifth generation
- iPhone 8
- Samsung S10
- Samsung Note 9
- Macbook Pro 2018
- HP Pavilion x360
- Huawei P30 Lite
- Honor 7X
- Lenovo Yoga
- A smart padlock
- Lexar Jumpdrive F35
- Verbatim Fingerprint Secure
- Samsung A70
Creating fake prints
The Talos experiment had two stages—collection and creation. First, the researchers collected the targeted fingerprint using three techniques, and then they created a mold. The team used the mold to cast the fake fingerprint and then used the fake to access a device.
They used a 3D UV LED printer with a precision of 25 microns to create the mold. The dermal fingerprint ridges are about 500 microns wide and 20-50 microns deep.
After printing the mold, it had to be cured in a UV chamber for a few minutes to make the object solid. This process also shrank the mold, making it hard to create a consistent size for each mold.
The research team had to print more than 50 molds, create a fake fingerprint with them, and compare the results and sizes with a fingerprint sensor to have a reliable mold and a valid fake fingerprint.