It wasn't quick or simple, but researchers at Cisco Talos have managed to break into devices secured with biometric authentication.
New research published today by Paul Rascagneres and Vitor Ventura revealed that manufactured fingerprints, created using 3D printing technology and textile glue, can defeat fingerprint authentication on a variety of phones, laptops, and padlocks.
In a series of experiments, using different materials and restricted by differently sized budgets, researchers worked to trick capacitive, optical, and ultrasonic sensors.
"Our tests showed that—on average—we achieved an ~80 percent success rate while using the fake fingerprints, where the sensors were bypassed at least once," the researchers wrote.
A 3D printer was used to create molds, then the fake fingerprints were cast in materials that included silicone and fabric glue.
"It was not so easy," Rascagneres told Infosecurity Magazine. "It took me months and a liter of resin."
To carry out their experiments, the inventive researchers used the publicly available fingerprints of nefarious gangster Al Capone.
Craig Williams, director of Talos Outreach, told Infosecurity Magazine: “It was a bit surreal to realize the use of a technology that was around during the ‘Al Capone’ era still provides effective security for most users. It will be interesting to see as technologies evolve how things change.”
The fake fingerprints didn't work across all the devices tested. Researchers were unable to access the Samsung A70 phone, the Lexar Jumpdrive Fingerprint F35, or the Verbatim Fingerprint Secure USB-encrypted pen drive.
Researchers were able to crack into an iPhone 8, Samsung S10, Huawei P30 Lite, MacBook Pro 2018, iPad 5th Gen, Samsung Note 9, Honor 7X, and an AICase Padlock.
Given the expense, time, and effort it took to break into devices protected by fingerprint authentication, the researchers concluded that this security measure is adequate for the majority of the population.
They wrote: "For a regular user of fingerprint authentication, the advantages are obvious, and it should be used. However, if the user is more high-profile or their device contains sensitive information, we recommend relying more on strong passwords and token two-factor authentication."