UPDATED 16:04 EDT / APRIL 08 2020

Cisco researchers fool Samsung, Apple fingerprint sensors using a 3D printer

Researchers from Cisco Systems Inc.’s Talos cybersecurity unit today revealed that they’ve managed to unlock devices from Samsung Electronics Co. Ltd., Apple Inc. and other consumer hardware makers using fake fingerprints created with a 3D printer.

Handsets including the iPhone use a built-in fingerprint sensor to enable biometric authentication. So do the MacBook and other laptop models, as well as certain other devices such as security-oriented USB flash drives.

Talos researchers Paul Rascagneres and Vitor Ventura spent several months working out a set of techniques for fooling fingerprint sensors in popular consumer devices. The exact method varies by device, but the basic concept is the same across the board. The researchers obtained a photo of a user’s fingerprint, overlaid the fingerprint onto a mold fabricated in a 3D printer and then made 20 attempts to crack each device they tested.

Talos’ molds achieved an average success rate of about 80%. For a 2018 MacBook Pro model, the success rate was 95%, while the iPhone 8 and Samsung’s latest Galaxy S10 flagship phone were both unlocked in at least 80% of attempts. But the researchers didn’t manage to crack all the devices they tested: Five laptop models with fingerprint sensors powered by Microsoft Corp.’s Windows Hello feature didn’t accept the molds a single time.

“This level of success rate means that we have a very high probability of unlocking any of the tested devices before it falls back into the pin unlocking,” Talos’ Rascagneres and Ventura detailed in a blog post. “The results show fingerprints are good enough to protect the average person’s privacy if they lose their phone. However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication.”

The reason why only sophisticated hackers would be capable of replicating the researchers’ work is twofold. One is that unlocking a fingerprint sensor first requires obtaining a photo of the intended victim’s fingerprint, which is far from trivial. The other obstacle is that producing a functioning mold involves significant technical challenges that took Talos months to overcome.

“During our test, our biggest constraint was the size of the mold,” the researchers detailed. “The fake fingerprint needs to have an exact size. One percent too small or too large and the fake fingerprint did not work.”

Furthermore, “during our tests, it became clear that the material used is a determining factor depending on the kind of sensor, especially when comparing sonic with capacitive sensors,” they added. “To increase our success rate, we used silicon and different kinds of glue, mixed with conductive (graphite and aluminum) powder.”

Such research ultimately helps device makers enhance the security of their products. Last year, after a user accidentally discovered that the Galaxy S10’s fingerprint sensor could be fooled by a simple plastic phone cover, Samsung released a software patch to fix the issue. Research into fingerprint sensor security is also useful for upstream suppliers such as Qualcomm Inc., which makes the scanner that powers the S10’s biometric authentication.
