Researchers use 3D-printed fingerprints to unlock an iPhone 8, laptops

It just takes $2,000 and a 3D printer to get started, they say.
At a given moment, countless people around the world are using their fingerprint to unlock their smartphones.

For some, it grants instant access to family photos or grocery lists. For others, like diplomats or corporate executives, more sensitive information is at stake. Now, findings released Wednesday provide the latest reminder that, even as mobile security tightens, outsiders are finding new ways to access user devices.

Researchers at Talos, Cisco’s threat intelligence arm, demonstrated how to use 3D printing and other methods to forge fingerprints and unlock eight models of devices ranging from the iPhone 8 and Samsung S10 smartphones to laptops and padlocks.

The research project was inspired by real-world breaches of fingerprint data. The results proved that, while biometric authentication is an effective way for most technology users to secure their data, determined attackers are capable of using the same security mechanism as an entry point, if they have the time, access and resources. (Talos did not point to any examples of successful attacks that have occurred outside of its testing environment.)

The forged fingerprints had a roughly 80% success rate in unlocking devices they were able to bypass at least once.

“At the end of the day … if you’re an Average Joe, you should use fingerprinting because it’s not that big of a problem,” said researcher Vitor Ventura.

But it’s a different story for those in possession of trade secrets or government communications. He advised those high-profile targets to use strong passwords and a second factor of authentication to unlock data on their phones.

Ventura and his colleague, Paul Rascagneres, had $2,000 to spend on the project. They reproduced their own fingerprints using a 3D printer, and then created “molds” of the prints using textile glue.

With a bigger budget and a better 3D printer, they say, they might have reproduced phone-unlocking fingerprints at scale.

Real-world exposures of fingerprint data bring urgency to the issue.

Last year, a database maintained by Suprema, a contractor used by British police and banks, exposed the fingerprints of more than 1 million people, the Guardian reported. The 2015 breach of the U.S. Office of Personnel Management compromised the fingerprints of 5.6 million current and former government employees. Such incidents offer spies a wealth of data to sift through and potentially exploit in future operations.

Other forms of biometric authentication aren’t immune to these issues. Google in October addressed a flaw in its facial recognition system that allowed a user to unlock a certain phone model with their eyes closed.

Ventura and Rascagneres shared their results with the device vendors. One simple recommendation: limit the number of authentication attempts allowed via fingerprints. Some vendors already do that, but the practice should be widespread, the Talos researchers say.

They worry that fingerprint security measures haven’t kept pace with emerging technologies like 3D printing.

“[Our] level of success rate means that we have a very high probability of unlocking any of the tested devices before it falls back into the pin unlocking,” Ventura and Rascagneres wrote in a paper.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
