ktsdesign - Fotolia
Fingerprint authentication is generally effective for the average user, but not when it comes to more high-profile users or devices containing sensitive data, according to new research by Cisco Talos.
In a blog post published on April 8, titled "Fingerprint cloning: myth or reality?", Cisco Talos researcher Paul Rascagneres and technical lead and security researcher Vitor Ventura concluded that "phone and computer fingerprint scanners can be defeated with 3-D printing." The duo collected actual fingerprints of real people -- including notorious gangster Al Capone -- and then created molds of the prints with 3D printers.
Rascagneres and Ventura achieved, on average, about an 80% success rate while using the fake fingerprints, where the sensors were bypassed at least once, according to the research. Fingerprint scanning is the most common kind of biometric authentication, ahead of retina scanning and facial recognition technology.
"We wanted to see if fingerprint authentication was as safe as it should be," Ventura said.
Utilizing Rascagneres' ability as a 3D artist, the researchers tested different brands and models of devices, and developed threat models to match real world scenarios.
"With recent leaks of biometric information along with advances in 3D printing and the mass usage of fingerprint authentication, we wanted to know how hard it would be to create a fake fingerprint," Rascagneres said. "We had two main goals: make it as close as possible to the real-world experience and share our process to the world and show how hard it is to be done with a low budget."
They imposed "budgetary restrictions with the assumption that if it can be done on a low budget, it can be done by state-sponsored actors," the researchers wrote in the blog.
"With our budget, it was time-consuming," Rascagneres said. "Each attempt costs hours. However, a well-funded actor could acquire better and more expensive printing, such as medical devices. With a bigger budget, we think the process could be improved and more accurate."
While conducting their research, they found that their 3D printing approach did not work on Windows Hello biometric authentication.
"We think the Microsoft algorithm is stricter," Rascagneres said. "Fingerprint authentications need to control a number of points on the fingerprints. We assume Microsoft Windows needs more points than other devices."
The blog also refers to Apple, stating that "most sensors are developed by a third party with the exception of Apple," which is an advantage.
"From an implementation point of view, it is easier to be the owner of the complete stack," Rascagneres said.
This isn't the first time researchers have questioned the effectiveness of biometric authentication. For example, in 2018 researchers at New York University Tandon and Michigan State University developed DeepMasterPrints, which are AI-generated images of fake fingerprints that could fool biometric sensors.
Two years later, and Rascagneres and Ventura have discovered that fingerprint technology still has not evolved enough to be generally considered safe for all the proposed threat models.
Now, threat actors can move from high level machine learning-generated attacks such as DeepMasterPrints, to lower-level, inexpensive printing attacks.
"3-D printing technologies made it possible for anyone to create fake fingerprints. But not only that, it also made it possible, with the right resources, to be done at scale," Rascagneres and Ventura wrote in the blog.