
Fingerprint scanners are a convenient way to unlock phones and other devices, but they are not as secure as a strong secret. If you want security, stick with a long PIN, or better yet a password where the device allows one. Researchers from Cisco Talos underscored that point by unlocking several devices with fake fingerprints made using a resin 3D printer, image-processing software and glue, on a total budget of roughly $2,000.
The point of the research is not that a neighbor could get into your device with an off-the-shelf 3D printer and some fingerprint powder. The Talos researchers are clear that the work is tedious and requires a budget in the neighborhood of $2,000.
That is beyond an average person's petty cash and a few web searches, but it is well within the budgets and capabilities of many law enforcement and government agencies.
To test fingerprint authentication under realistic constraints, the Talos team deliberately kept the budget low. They used three methods for collecting fingerprints. First, they created molds directly from a finger using plasticine. Second, they digitally copied fingerprints from a fingerprint sensor, the kind you might encounter when going through customs or entering a business. And third, they photographed fingerprints left on glass after brushing it with magnesium powder, similar to "dusting for fingerprints."
The first method served as a control, since a direct mold produces the most accurate copy of the print.
They then used software to combine and enhance the fingerprint data from the sensor captures or photographs as needed, and exported the result as a 3D printable model. From that model they printed a resin mold, which required a UV-curing resin printer. The researchers first attempted to 3D print the fingerprints themselves, but the direct prints failed to unlock anything. Casting textile glue in the 3D printed molds did the trick.
With the fake fingerprints in hand, Talos found it could unlock mobile devices about 80% of the time. They tested Apple, Samsung and Huawei devices and had success on each of them, regardless of the type of fingerprint sensor the device used.
Laptops were a different story. Windows Hello did not accept the fake fingerprints, but they did fool Apple MacBook Pros. Likewise, fingerprint-protected USB drives from Verbatim and Lexar did not unlock for the fakes.
Still, the high success rate on smartphones is telling. That does not mean it was easy; according to Talos, the margins of error are small. A fingerprint just 1% too big or too small fails to unlock a device, for instance. And because of the curing process, producing a fake fingerprint that actually worked often took more than 50 mold attempts. Overall, Talos described the process as "difficult and tedious."
But the research shows that, for an entity with time, patience and a budget as low as $2,000, breaking into a fingerprint-locked phone is entirely feasible. If that does not worry you given your own threat model, features like Touch ID still provide plenty of convenience. But for the most security, switch to a long PIN or, where the device allows it, a password.
Source: Talos