At any given moment, countless people around the world are using a fingerprint to unlock their smartphones.
For some, it grants instant access to family photos or grocery lists. For others, like diplomats or corporate executives, more sensitive information is at stake. Now, findings released Wednesday provide the latest reminder that, even as mobile security tightens, outsiders are finding new ways to access user devices.
Researchers at Talos, Cisco’s threat intelligence arm, demonstrated how to use 3D printing and other methods to forge fingerprints and unlock eight models of devices ranging from the iPhone 8 and Samsung S10 smartphones to laptops and padlocks.
The research project was inspired by real-world breaches of fingerprint data. The results showed that, while biometric authentication is an effective way for most technology users to secure their data, determined attackers with enough time, access and resources can turn the same mechanism into an entry point. (Talos did not point to any examples of successful attacks that have occurred outside of its testing environment.)
Against the devices the researchers managed to unlock at least once, the forged fingerprints succeeded on roughly 80% of attempts.
“At the end of the day…if you’re an Average Joe, you should use fingerprinting because it’s not that big of a problem,” said researcher Vitor Ventura.
But it’s a different story for those in possession of trade secrets or government communications. He advised such high-profile targets to use strong passwords and a second factor of authentication to unlock data on their phones.
Ventura and his colleague, Paul Rascagneres, had $2,000 to spend on the project. They collected their own fingerprints, used a 3D printer to produce molds of them, and then cast copies of the prints in textile glue.
With a bigger budget and a better 3D printer, they say, they might have reproduced phone-unlocking fingerprints at scale.
Real-world exposures of fingerprint data bring urgency to the issue.
Last year, a database maintained by Suprema, a contractor used by British police and banks, exposed the fingerprints of more than 1 million people, the Guardian reported. The 2015 breach of the U.S. Office of Personnel Management compromised the fingerprints of 5.6 million current and former government employees. Such incidents offer spies a wealth of data to sift through and potentially exploit in future operations.
Other forms of biometric authentication have weaknesses of their own. Google in October addressed a flaw in the Pixel 4’s face unlock that allowed the phone to be unlocked while the user’s eyes were closed.
Ventura and Rascagneres shared their results with the device vendors. One simple recommendation: cap the number of fingerprint attempts a device accepts before it falls back to the PIN or password. Some vendors already do that, but the practice should be widespread, the Talos researchers say.
They worry that fingerprint security measures haven’t kept pace with emerging technologies like 3D printing.
“[Our] level of success rate means that we have a very high probability of unlocking any of the tested devices before it falls back into the pin unlocking,” Ventura and Rascagneres wrote in a paper.
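The interaction the researchers describe between the per-attempt success rate and the attempt cap is easy to put numbers on. The following is an added example, not code from Talos or from any vendor: it models a device-side fingerprint gate that falls back to the PIN after a fixed number of rejected presentations, and computes how likely a forged print is to get through before that fallback. The 80% figure is taken from the article; the attempt caps (5 and 3) and the assumption that presentations are independent trials are illustrative assumptions, not vendor settings.

```python
"""Model of an attempt-capped fingerprint unlock and the attacker's odds against it.

Added example (not Talos or vendor code). Assumptions: each presentation of a
forged print is an independent trial accepted with probability p_attempt; the
attempt caps used below are illustrative, not any vendor's actual policy.
"""
import math
import random
from typing import Optional


def p_unlock_within(p_attempt: float, max_attempts: int) -> float:
    """Probability that at least one of `max_attempts` independent presentations
    is accepted when each one succeeds with probability `p_attempt`."""
    if not 0.0 <= p_attempt <= 1.0:
        raise ValueError("p_attempt must be a probability")
    if max_attempts < 0:
        raise ValueError("max_attempts must be non-negative")
    return 1.0 - (1.0 - p_attempt) ** max_attempts


def attempt_cap_for_risk(p_attempt: float, risk_ceiling: float) -> Optional[int]:
    """Largest attempt cap that keeps the attacker's overall chance of unlocking
    strictly below `risk_ceiling`. Returns None when no cap helps, i.e. when a
    single attempt already meets or exceeds the ceiling. Requires 0 < p < 1."""
    if not 0.0 < p_attempt < 1.0:
        raise ValueError("p_attempt must be strictly between 0 and 1")
    if not 0.0 < risk_ceiling < 1.0:
        raise ValueError("risk_ceiling must be strictly between 0 and 1")
    if p_attempt >= risk_ceiling:
        return None
    # 1 - (1-p)^n < r  <=>  n < ln(1-r) / ln(1-p)   (both logs are negative)
    ratio = math.log(1.0 - risk_ceiling) / math.log(1.0 - p_attempt)
    return math.ceil(ratio) - 1


class FingerprintGate:
    """Device-side policy: accept up to `max_attempts` rejected presentations,
    then close the biometric path until the PIN is entered correctly."""

    def __init__(self, max_attempts: int) -> None:
        if max_attempts < 1:
            raise ValueError("max_attempts must be at least 1")
        self.max_attempts = max_attempts
        self.failures = 0
        self.pin_required = False

    def present(self, sensor_accepted: bool) -> str:
        """Return 'unlocked', 'retry' or 'pin_required' for one presentation."""
        if self.pin_required:
            # Once locked out, a matching print must NOT be honoured; only the PIN reopens the gate.
            return "pin_required"
        if sensor_accepted:
            self.failures = 0
            return "unlocked"
        self.failures += 1
        if self.failures >= self.max_attempts:
            self.pin_required = True
            return "pin_required"
        return "retry"

    def enter_pin(self, pin_ok: bool) -> str:
        if pin_ok:
            self.failures = 0
            self.pin_required = False
            return "unlocked"
        return "pin_required"


def simulate_attacks(p_attempt: float, max_attempts: int, trials: int, seed: int = 0) -> float:
    """Fraction of `trials` in which an attacker holding a forged print that the
    sensor accepts with probability `p_attempt` unlocks a fresh gate before
    it falls back to the PIN. Cross-checks p_unlock_within against the policy."""
    rng = random.Random(seed)
    unlocked = 0
    for _ in range(trials):
        gate = FingerprintGate(max_attempts)
        while True:
            outcome = gate.present(rng.random() < p_attempt)
            if outcome == "unlocked":
                unlocked += 1
                break
            if outcome == "pin_required":
                break
    return unlocked / trials


if __name__ == "__main__":
    # Worked values with the article's ~80% per-attempt rate and illustrative caps.
    for cap in (5, 3, 1):
        print(f"cap={cap}: P(unlock before PIN fallback) = {p_unlock_within(0.8, cap):.4f}")
    print("cap keeping risk below 50% at p=0.8:", attempt_cap_for_risk(0.8, 0.5))
    print("cap keeping risk below 5% at p=0.01:", attempt_cap_for_risk(0.01, 0.05))
```

With a forgery the sensor accepts 80% of the time, even a cap of three attempts leaves the attacker a 99.2% chance of getting in before the PIN prompt appears, and no cap at all brings the risk below 50%; the cap only becomes a meaningful control once the per-attempt acceptance rate is already low. That is the arithmetic behind the researchers' advice that high-value targets rely on a strong PIN or password and a second factor rather than on the fingerprint alone.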