Argentinian security researcher Yamila Levalle warned attendees about the threat of fingerprint spoofing during a presentation at the DEFCON virtual security conference on August 8, reports Info Security Magazine. In her presentation, Levalle explained how she was able to turn a latent print into a passable fake finger that was able to trick several different kinds of fingerprint scanners.
To create her fake print, Levalle started out with a digital camera with macro image capabilities. She used the camera to lift a latent fingerprint, and then optimized that print with an open source Python tool. After that, she imported the print into a 3D modeling tool to generate a template that could be sent to a 3D printer.
The final stage was the actual 3D printing of the finger. Levalle noted that human fingerprint ridges have a height that is somewhere between 20 and 60 microns, so she used a consumer-grade Anycubic Photon 3D printer with a resolution of 25 microns. However, she indicated that she would have been able to achieve similar results with any UV resin-type 3D printer that offered a comparable level of resolution.
That last part required some trial and error, since Levalle did not have a surefire way to match the length and width of her fake finger to the length and width of the original. She was eventually able to produce a convincing fake after more than 10 tries.
“It’s not easy to duplicate the fingerprint,” said Levalle. “It takes time and experience, but it can be done.”
While Levalle’s findings should obviously be concerning to any organization that relies on fingerprint authentication for security, the time, expertise, and equipment needed to create the fake likely make it prohibitively difficult for most people. FPC has said as much in the past, arguing that such fakes are impractical for large-scale criminal operations.
Even so, the results do indicate that many biometric authentication systems may be more vulnerable than their creators would like to acknowledge. At the very least, most companies are not as bold as FaceTec, which recently upped its bounty and is now offering up to $100,000 to anyone who can spoof its facial recognition system. No one has been able to claim the prize thus far.
Source: Info Security Magazine
August 12, 2020 – by Eric Weiss