Researchers with the Cisco Talos cybersecurity group are trying to highlight the limitations of consumer-grade fingerprint sensor security with a new paper detailing successful attempts to spoof the fingerprint scanning systems of popular consumer devices.
The researchers claim a success rate of 80 percent, based on this premise: for each device attacked, they allowed themselves twenty attempts to spoof it, and considered their round of attacks successful if they could bypass the system at least once.
As for how they went about spoofing fingerprints, the researchers took three approaches: pressing a target finger into Plastilene, a kind of clay; collating multiple images from a separate fingerprint reader; and capturing fingerprint images from drinking glasses or other transparent surfaces. For the latter two methods, the fingerprints were then reconstructed on a mold with a 3D printer, using specialized materials that could fool both optical and capacitive fingerprint sensors.
In the attacks themselves, the researchers encountered substantially different outcomes depending on the device targeted. Huawei’s Honor 7x and Samsung’s Note 9 smartphones were fooled 100 percent of the time, for example, whereas certain laptops running Windows 10 were able to rebuff every attack.
Speaking to Ars Technica, Talos researchers acknowledged that these commercial fingerprint scanning systems are suitable for the vast majority of consumers, but emphasized that they may not be sufficient for those with higher security needs who may be targeted by more sophisticated criminals or other malefactors.
The research also points to the growing importance of liveness detection technologies aimed at ensuring that a real fingerprint is being used during a biometric scan. Meanwhile, the growing trend toward face-based authentication in smartphones and other consumer devices continues, and may even see heightened interest if the COVID-19 pandemic shifts the biometrics market further toward contactless authentication systems.
April 8, 2020 – by Alex Perala