For a fairly long period of time, fingerprints have been used as a basis for the development of biometric authentication and security systems for particularly important resources, for access to restricted areas, for the protection of strategic assets in general in the government sector. , military and corporate.
A scenario that has changed significantly since 2013 with the introduction of Apple TouchID: although biometric authentication systems based on fingerprints had been available at consumer level for some time, on selected devices, the debut of the iPhone 5S which owes their diffusion to almost all smartphones, and therefore their availability to the wider public . The public immediately appreciated these systems (then later flanked and / or partially supplanted by those based on facial recognition) because they are more practical to exploit rather than having to enter a password or a pin whenever it is necessary to authenticate.
Although then hackers managed to violate TouchID with an artificial fingerprint within 48 hours of the iPhone 5S launch, fingerprint-based authentication has become more robust in general in recent years so much so that today fingerprint systems are widely considered a safe alternative to passwords. Safe but how much and for whom?
It's the Cisco security division, Talos, to sound the alarm: fingerprint systems may not be suitable for everyone and specifically for those who may be targets of interest for attackers supported by governments or well-financed figures and determined to achieve their goals.
The team of researchers Talos therefore took care to test the fingerprint-based authentication systems made available by Apple, Microsoft, Samsung, Huawei and three manufacturers of "smart" padlocks, discovering that on average artifact fingerprints manage to deceive these sensors almost 80% of the time.
The results of the Talos analyzes were obtained after several months of hard work, with over 50 fingerprint molds created before making one suitable for use. However, the study underlines how the assumptions of the attack – which requires above all the possibility of obtaining a clear image of the target's fingerprint and of course also the physical access to the device – make it dangerous only if carried out by someone who is very determined. and motivated by economic or espionage interests.
Before illustrating the researchers' work, let's take a small step back to summarize what happens in the authentication process of a fingerprint, which can actually be divided into two phases: the first is the scanning of the fingerprint, and the second the analysis that compares the fingerprint just scanned with that recorded in the system set-up phase. Some devices use firmware that operates directly in the sensor to perform the analysis and comparison operation, while others rely entirely on the operating system. Windows Hello integrated in Windows 10, for example, it performs comparison analysis from the operating system, based on Microsoft's Biometric Devices Design Guide.
As far as the scanning of the impression is concerned, however, this can be performed by three types of sensors. Those capacitive they use electrical conduction to read the shape of the footprints based on the fact that only the crests touch the sensor, the sensors optical through a prism they read the image of a fingerprint using a light source that illuminates the crests in contact with the reader, and finally the sensors to ultrasound they emit an ultrasound pulse that generates different echoes between ridges and valleys and which are then recorded by the sensor itself.
Profession: hunter and fingerprint counterfeiter
Having clarified this, let's move on to the work of the researchers who have established it three different techniques to capture the fingerprint of a hypothetical target. The first is the direct "collection", which presupposes imprinting the target's fingerprint on a small cube of plasticine. In this way a "negative" is obtained which allows quite easily to make a copy of the original impression. The second technique instead requires the target to press a finger on a fingerprint reader, such as the one used in airports for example, to capture a bitmap image of the fingerprint. The latest technique of capturing an impression left on a glass or other surface by taking a photo.
The images of the fingerprints collected through a reader or a photograph need some small optimization work so that they can also be suitable for the next steps. In the case of the fingerprint reader, however, it will be necessary to perform multiple readings, to be merged together to create a sufficiently large image from which to make a realistic digital impression. For the fingerprints photographed, however, it is necessary to proceed with a graphic elaboration designed to increase the contrast. In both cases, the researchers then used digital sculpting tools, such as ZBrush, to create a three-dimensional model based on the two-dimensional image.
Once the three-dimensional model is obtained, it is used to create a mold: two 3D printers with a resolution of 25 and 50 microns were used to make it: the first, obviously more accurate, takes an hour to make a single mold. The second takes about half the time, but less precise. It is important that the dimensions are very precise: a variation in excess or in defect of even 1% would not allow the impression to be recognized as correct. This peculiarity imposes a rather complicated process because the mold must be treated to give it rigidity and remove unwanted elements, and the treatment usually causes a contraction of the mold itself.
To make the actual impression, the molds are filled with silicone or with special glues and, in order for the "clone" to be used with the capacitive sensors, aluminum powder and graphite are also mixed to increase electrical conductivity. Once the researchers finally created an artificial fingerprint, they tested it on the different sensors to check if it is recognized as congruous with that recorded to unlock the device.
Windows 10 beats everyone: no artificial footprint deceives him
After numerous tests, therefore, the researchers managed to establish a fairly varied case history, with even rather high success rates. Among the tested devices, the ones that most easily showed the side of the researchers' attempts were the AiCase smart lock and Huawei Honor 7x and Samsung Note 9 phones: all of these were misled in all attempts. With a success rate of over 90%, iPhone 8, MacBook Pro 2018 and Samsung S10 were deceived. Five models of laptops with Windows 10 and two USB drives appeared inviolable (Verbatim Fingerprint Secure and Lexar Jumpdrive F35) which did not bend to any attempt.
The reason why the best results of this test were obtained with Windows 10 devices to be found, according to the researchers, in the fact that the comparison algorithms of all these systems are in the operating system, and for this reason the results have been the same on all platforms. However, the researchers warned that this does not necessarily mean that Windows 10 devices and USB drivers are safer than others: "With greater economic availability, more resources and a dedicated team it is possible to bypass these systems too". One of the tested products – Samsung Galaxy A70 – also recorded a success rate of 0%, but the researchers attributed this result to the difficulty of the device to recognize even the real fingerprints.
"This success rate indicates that we have a very high probability of being able to unlock any device of those tested before they ask us to unlock by PIN. The results show that fingerprints are adequate enough to protect the privacy of the average citizen if they were to lose his phone. But in the event that a person represents a sensitive target of a well-funded and well-motivated threat actor then it would be advisable not to use this method of authentication "comment the researchers Paul Rascagneres and Vitor Ventura of Talos.
And in the real world?
The fact that the greatest success rate was obtained with the digital impression made from a mold obtained through a block of plasticine, does not necessarily mean that this can be the most effective method in the case of real-world attacks, since it requires that the opponent somehow forces the target to press his finger against a piece of plasticine. On the other hand, it is simpler to be able to obtain fingerprints from readers or by photographing surfaces it may be simpler: for high profile attackers it would be simple to be able to recover fingerprints from airport security checks, or to be able to have access to a glass or to another object touched by the target. Another possibility was the possible violation of a fingerprint database – which already happened in 2014 when 5.6 million sets of fingerprints were stolen by the US Office of Personnel Management.
"Direct collection is always the best option because you have a mold directly on the plasticine. The dimensions are correct and we don't need to use a 3D printer. It is the most efficient approach. The other two methods work, but predictably with a lower success rate, "the researchers note.
What should be considered, however, that the researchers managed to meet the requirements of the attack with a budget, however, quite low of just $ 2000. "Setting a relatively low budget was meant to outline a scenario that was as realistic as possible. We determined that if we can make an attack on a budget of $ 2,000, then a reasonably feasible undertaking. What we found that although the cost can be kept low, the process of making a really functional impression is very complex and time-consuming "specify the researchers.
The message that can be inferred from this experiment is not that fingerprint authentication isn't robust enough to rely on. In reverse: for most people and in most situations absolutely adequate to protect privacy and offer a good degree of security. It is in those moments when the risk grows temporarily that it is advisable to take advantage of other authentication methods and, in any case, always remember that fingerprint authentication is not entirely foolproof.
"Any technique for copying fingerprints extremely difficult, making fingerprints a viable method for 95% of the population. People who have a low risk profile and don't have to worry about high profile threat actors can rest assured. The rest could be exposed to risk and could consider using other precautionary measures, "the researchers write.
