It's been nearly a decade since fingerprint sensors proliferated as a quick and easy unlocking mechanism for smartphones and laptops. Attacks to defeat these scanners have been around just as long, albeit impractical for all but the most motivated—and well-financed—hackers. But new research shows that the equipment needed to reliably spoof fingerprints and break into devices has gotten dramatically cheaper.
Researchers from Cisco Talos have achieved an 80 percent success rate on average defeating fingerprint scanners across a dozen devices. All it took was a 3D printer to crank out imposters, and a budget under $2,000. They stress that fingerprint locks still provide adequate protection against malicious attack for most needs, since their technique requires getting a copy of your fingerprint as well as physical access to your device. But even regular users should still consider potential law enforcement access requests when choosing a device lock—especially given that the barriers to breaking fingerprint lock defenses are lower than ever.
"It does not take a significant amount of money to bypass fingerprint-based authentication for most vendors," says Craig Williams, who runs Talos. "The fact that home 3D printing technology can reach a resolution that makes fingerprints less secure than they were 10 years ago is concerning, because everyone can access these printers. But it’s still not easy. It still takes a significant amount of effort and the ability to capture the print."
The researchers tested three different scenarios for capturing fingerprints. The first was direct collection, where they took a mold of the target's relevant fingerprint. The second used sensor data gathered from a scanner like those at border crossings, and the third involved lifting prints from other objects like a bottle the target had held.
To make the molds, the researchers used a relatively inexpensive ultraviolet 3D printer that cures the resin it extrudes with UV light. Then they tested a number of materials, like silicone, for casting the final dummy prints. Surprisingly, they had the most success when they cast the prints using fabric glue.
To make the fingerprints capacitive so sensor locks would interpret them as real fingers, the researchers designed the casts as little sleeves that anyone can wear on their own finger, essentially creating a fingerprint disguise.
Overall, the findings highlight the balance that consumer fingerprint sensor makers must strike between security and usability. If a sensor is set to strongly resist false positives it will likely also reject some legitimate attempts to unlock the device. In something like a smartphone or laptop, that friction can cause users to abandon the feature entirely. A sensor that's too permissive, though, could allow kids to get into their parents' tablets. Or worse.
A device's price didn't appear to be a strong indicator of its fingerprint sensor's robustness. The researchers were unable to fool the Samsung's midrange A70 smartphone at all—though did encounter an unusual amount of false negatives—but could consistently break into the flagship Samsung S10. They weren't able to trick the Windows Hello framework in Windows 10, but did fool the MacBook Pro's TouchID. On a 2018 MacBook Pro the team logged a 95 percent unlock success rate with a print cast from direct collection, a 93 percent success rate with a print made using fingerprint data from a scanner, and a 60 percent success rate with a print made from a lifted fingerprint. The researchers noted, though, that Apple's five attempt limit on fingerprint scans is an effective protection overall against such attacks. If the researchers hadn't known the fallback pins of the devices they were attempting to break into, they wouldn't have had enough attempts available to achieve such a high success rate.
The researchers disclosed their findings to the device manufacturers but say that they don't view the issues as previously unknown vulnerabilities. Instead, their work builds on known limitations in fingerprint scanner locks and highlights the need for ongoing scrutiny. In 2016, for example, researchers from Michigan State University helped the FBI unlock a dead person's Samsung Galaxy S6 using a reconstruction of the person's fingerprints. And potential law enforcement access is the biggest factor for the average user to consider in general when choosing a device lock. In the United States, legal precedent has been mixed on whether law enforcement can force a suspect to unlock a device with their fingerprint. But in a number of cases, judges have found that they can compel decryption. For now, privacy advocates say that you're less likely to be forced to unlock your device for law enforcement if it has a passcode rather than a biometric lock.
“I think that fingerprint scanners on consumer smartphones are more a matter of convenience,” says Lukasz Olejnik, an independent cybersecurity researcher and adviser. “They are much better than having no locking measure in place. But a strong PIN is generally more secure.”
For criminal hackers, the average user likely wouldn't be worth targeting with a fingerprint-unlocking attack. But anyone who could be the target of well-funded and motivated attackers should consider locking their devices with passcodes or face-recognition instead of a fingerprint. And as the technology to defeat fingerprint scanners matures even more, the industry as a whole may need to reconsider the calculus.
"We were able to produce useful prints for most vendors," Williams says. "For most users, fingerprint authentication is fine right now. But people just need to be aware that in a few years, as 3D printing technology advances, these biometrics may become something that home users need to consider moving away from."
Updated Wednesday April 8, 2020 3pm ET to include details about Apple's five attempt limit for fingerprint scans.