Biometric authentication, including facial recognition and fingerprint scanners, is increasingly common, but that doesn’t mean it is safe from hackers.
At the DEFCON virtual security conference on August 8, security researcher Yamila Levalle from Dreamlab Technologies outlined how she was able to bypass biometric authentication for a number of different types of fingerprint scanners. During her session, Levalle explained various methods of bypass including using a budget 3D printer, which yielded positive results.
“Biometrics is the science of establishing or determining an identity, based on the physical or behavioral traits of an individual,” Levalle explained. “Biometric systems are essentially pattern recognition systems that read as input biometric data, then extract the feature set from such data, and finally compare it with a template stored in a database.”
Attacks Against Biometric Systems
There are multiple types of attacks that are possible against biometric systems.
There are physical attacks against the sensors and there are presentation and spoofing attacks. Levalle noted that she was focused on the spoofing attacks: attempting to trick a system into believing a fraudulent fingerprint was in fact authentic.
Attacks against biometric systems are not hypothetical either; they happen in the real world, which is what inspired Levalle to conduct her research. In her home country of Argentina, six employees of the Aerolineas Argentinas airline were caught in 2019 for falsifying work attendance. The airline employees allegedly used silicone fingerprints to check in others who were not at work.
Tricking Fingerprint Scanners with 3D Printed Molds
Levalle explained that a fingerprint scanner doesn’t have to find the entire pattern of distinctive features in a human fingerprint in order to work. Rather, she noted it simply has to find a sufficient number of features and patterns that the two prints have in common.
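The threshold behaviour described above can be seen in a toy minutiae matcher. This is an added example, not code from Levalle's talk or from any scanner vendor; the minutiae format, the tolerances, the sample points and the threshold values are all assumptions, and the matcher skips the rotation and translation alignment a real one performs.

```python
import math

# Constructed sample data: each minutia is (x, y, ridge_angle_degrees).
ENROLLED_TEMPLATE = [
    (10, 12, 30), (25, 40, 95), (33, 18, 170), (47, 52, 10),
    (58, 27, 250), (62, 70, 300), (71, 44, 120), (80, 15, 200),
    (88, 63, 45), (94, 35, 330), (105, 58, 75), (112, 22, 280),
]
# Constructed partial capture of the same finger: 8 of 12 minutiae, with jitter.
PARTIAL_PROBE = [
    (11, 13, 28), (24, 41, 100), (34, 17, 165), (46, 53, 12),
    (59, 26, 255), (61, 71, 296), (72, 45, 118), (81, 14, 205),
]
# Constructed capture of a different finger; one minutia coincides by chance.
OTHER_PROBE = [
    (5, 60, 10), (18, 75, 200), (47, 53, 15), (52, 80, 310),
    (66, 3, 150), (77, 78, 20), (90, 5, 260), (100, 80, 140),
]

def angle_diff(a, b):
    """Smallest difference between two angles, in degrees."""
    d = abs(a - b) % 360
    return min(d, 360 - d)

def count_matches(probe, template, dist_tol=3.0, angle_tol=15.0):
    """Count probe minutiae that pair with a distinct template minutia."""
    unused = list(template)
    matched = 0
    for px, py, pa in probe:
        for cand in unused:
            tx, ty, ta = cand
            close = math.hypot(px - tx, py - ty) <= dist_tol
            if close and angle_diff(pa, ta) <= angle_tol:
                unused.remove(cand)  # each template minutia is used once
                matched += 1
                break
    return matched

def verify(probe, template, min_matches):
    """Accept when enough minutiae agree; the whole print is never required."""
    return count_matches(probe, template) >= min_matches

if __name__ == "__main__":
    for name, probe in (("partial", PARTIAL_PROBE), ("other", OTHER_PROBE)):
        n = count_matches(probe, ENROLLED_TEMPLATE)
        print(name, n, [verify(probe, ENROLLED_TEMPLATE, t) for t in (6, 10)])
```

Raising `min_matches` narrows what is accepted, at the cost of rejecting more genuine partial captures from the enrolled user.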
To see whether a 3D printed fingerprint could trick the majority of scanners, she said, a UV resin type 3D printer is needed. For her research, she made use of the budget-friendly Anycubic Photon 3D printer, as it can print to a resolution of 25 microns. Levalle said that human fingerprint ridges can have a height of between 20 and 60 microns.
The first step in her research was to lift the latent fingerprint with a digital camera that had macro image functionality. The image was then digitally enhanced with an open source Python tool to optimize the fingerprint. The next step was to bring the image into a 3D modelling tool, like TinkerCAD, to create the actual model.
The hardest part of the process, according to Levalle, was configuring the fingerprint length and width to the same size as the original, which was no easy task since she didn’t have a digital microscope to take the measurements. Ultimately, after more than 10 tries, she was successful in 3D printing a fingerprint that could trick scanners.
“It’s not easy to duplicate the fingerprint, it takes time and experience, but it can be done,” she said.