Researchers have sought to put to bed a persistent debate: whether or not fingerprint-based biometric authentication can be fooled.
On Wednesday, Cisco Talos researchers Paul Rascagneres and Vitor Ventura published the results of an in-depth study into how the sensors used in fingerprint biometric systems can be duped, resulting in smartphones and tablets providing access to those other than their owners.
As we move away from traditional passwords to biometrics including fingerprints, facial recognition, and retina scanning, the study sought to understand the ways these authentication systems could be compromised.
Our fingerprints are unique and now used to lock everything from PCs to smartphones. While early forms of fingerprint authentication were quickly bypassed after the debut of Apple's TouchID in the iPhone 5 seven years ago, the technology has now not only expanded to include a vast range of devices but also has become more advanced.
However, Cisco Talos has found that it is possible for the three main kinds of sensors now used in fingerprint authentication to be bypassed.
The three kinds are optical, capacitance, and ultrasonic. Optical sensors use light to scan and generate an image of a finger, whereas capacitance sensors do the same, but with electrical current. Ultrasonic sensors use ultrasonic waves to bounce off a physical object, in this case, a finger, to create a more detailed -- and therefore potentially more secure -- 3D map.
The researchers say that on average, they achieved roughly an 80% success rate to access test devices while using fake fingerprints, with each form of sensor bypassed at least once.
However, this doesn't mean that circumventing today's biometric authentication standards is an easy task. In actuality, the team called it "difficult and tedious work" with a number of limitations.
Different models of smartphones, laptops, USB drives, and smart padlocks were tested, each of which was locked through a number of participants' fingerprints.
In real-world scenarios, the researchers say fingerprints could be collected when an individual is incapacitated, through the theft of biometric data stored by organizations such as customs departments, or via physical objects such as glasses.
Fingerprints were collected and then copied by way of 3D-printed molds, of which over 50 had to be created and cast in different materials, including silicon and textile glue -- the latter of which worked best when fingerprints needed to be conductive.
With the help of 3D printers, design software, and graphite powder to enhance fingerprint details, the team tested smartphones, of which there appeared to be no real advantage between using different forms of sensors.
Devices manufactured by Samsung, Apple, and Huawei were tested and fell prey to the attacks. According to the researchers, rather than improve, mobile phone fingerprint authentication "has weakened compared to when it was first broken in 2013."
When it comes to laptops, however, Microsoft Windows won out against many other platforms. Attempts to break a total of five models running Windows 10, and the Windows Hello framework, were all unsuccessful -- whereas a 95% unlocked success rate using the same prints occurred on Apple MacBook Pros.
Two Verbatim and Lexar USBs were tested; neither of which were vulnerable to the techniques employed. An Aicase smart lock, which did not include an attempts limit, however, was broken.
The report concludes that while sensors can be fooled, the time and manual tests required revealed there is no 'one size fits all' method to bypass all fingerprint authentication systems. However, it was still possible to bypass locks on smartphones, laptops, and padlocks.
"For a regular user, fingerprint authentication has obvious advantages and offers a very intuitive security layer," Cisco Talos says. "However, if the user is a potential target for funded attackers or their device contains sensitive information, we recommend relying more on strong passwords and token two-factor authentication."
Previous and related coverage
- ObliqueRAT linked to threat group launching attacks against government targets
- JhoneRAT exploits cloud services to attack Middle Eastern countries
- Loda Trojan revitalized with stealthy upgrade, new exploits
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0