It is possible to create 'fake fingerprints' in labs that are able to bypass most fingerprint scanners used in popular devices, including those from Apple, Samsung and Huawei.
That's according to the researchers from Cisco Talos, who claim that they created fake fingerprints with the help of 3D printing technology as part of their research. Those fingerprints were then tested on a variety of devices, including laptops, smartphones and other smart devices from different brands.
"Our tests showed that — on average — we achieved an ~80 per cent success rate while using the fake fingerprints, where the sensors were bypassed at least once," stated Paul Rascagneres and Vitor Ventura, two security analysts at Cisco's Talos Security Intelligence and Research Group.
But achieving this success rate was costly and tedious work, according to the researchers. It took them 50 attempts to create a fake fingerprint that was eventually able to bypass scanners.
The researchers said they first created a mould using a 3D printer and then produced the fake fingerprint using fabric glue.
The main challenge in the entire exercise was to create the correct size for the fake fingerprint. Just a one per cent difference in size meant the fake fingerprint wouldn't be able to fool the scanner.
The researchers tested the following devices in this study:
- iPhone 8
- iPad fifth generation
- Samsung Note 9
- Samsung S10
- Samsung A70
- MacBook Pro 2018
- Honor 7X
- HP Pavilion x360
- Huawei P30 Lite
- Lenovo Yoga
- A smart padlock
- Verbatim Fingerprint Secure
- Lexar Jumpdrive F35
These devices use three main kinds of sensors: optical, capacitive and ultrasonic, of which ultrasonic models were easiest to fool.
The researchers said they were able to unlock the MacBook Pro 2018 laptop in 95 per cent of tests, but the fake fingerprint failed each time when tested on five Windows platforms. That does not necessarily mean that Windows devices are safer in terms of fingerprint authentication compared to other devices, according to the researchers. Rather, it could be just that the approach used by them failed to work on those devices.
Two Lexar and Verbatim USBs were also tested, and neither of them was found to be vulnerable to fake fingerprints.
However, the researchers were able to break into an Aicase smart lock.
"For a regular user, fingerprint authentication has obvious advantages and offers a very intuitive security layer," the researchers said.
"However, if the user is a potential target for funded attackers or their device contains sensitive information, we recommend relying more on strong passwords and token two-factor authentication."