Hackers Are Using 3D Printers to Forge Fingerprints

Biometric authentication should definitely be a step up towards a reliable Identity and Access Management (IAM). The idea is that one can use a unique security token that no one else has. Perhaps the most common example of biometric authentication would be fingerprint authentication. Using your own fingerprint to access a device, you would save yourself the trouble of password management because you will no longer need to renew them and remember them. However, biometric authentication isn’t as safe as one would like it to be.

With the newest reports that 3D printers can create fingerprints, we learn that this branch of the IAM system isn't fail-proof either. Let us start from the very beginning and see how the fingerprint authentication can be bypassed by cyber criminals.

Fingerprint authentication hacked

Most of the newest smartphones come with the fingerprint authentication scanner. It clearly saves time when you need to access your device. All you have to do is place your finger at the fingerprint sensor, and you’re in – no need to swipe across complicated patterns or tap into PIN codes and so on. Consequently, fingerprint authentication gives the user an idea that only they can access their device. However, the latest developments in the cybercrime might mean that our devices might not be as safe as before, all thanks to 3D printing.

Around a month ago, blogger darkshark announced that he was able to bypass Samsung Galaxy S10 fingerprint authorization with a 3D print. This mobile device comes with an ultrasonic fingerprint scanner. According to the blogger, the most important thing is to get the fingerprint ridge height right and to mirror it, but if all the requirements are met, then the 3D print can easily unlock the phone.

Of course, for regular users this might seem like too much work, but what if someone really needs the data stored in a particular device? What if they were willing to go to great lengths to steal that data? If that were the case, 3D printed fingerprints could help criminals break into multiple devices protected with fingerprint authentication. And getting the actual fingerprint might be a lot easier than you think.

Let’s say your mobile phone or your laptop gets stolen. The only way to access the device (if you don’t know the password or the PIN code) is through fingerprint authentication. Now, where would cyber criminals get those fingerprints? They obviously can get them directly from the stolen device because it has user’s fingerprints all over.

According to darkshark, the entire process of taking the fingerprints off a device and starting a 3D printer may take less than 3 minutes. If we think about all the banking apps that require only a fingerprint authentication for access, it wouldn’t be too far-fetched to say that a criminal with a 3D printed fingerprint could spend all of your money through your mobile device in a matter of minutes. Luckily, we do not see actual 3D fingerprints on sale yet, but we can never know when this trend might pick up.

How does one 3D-print a fingerprint?

First, you definitely need a fingerprint, but there are several ways to get it. In darkshark’s case, the blogger used his phone to take a picture of his fingerprint on a wine glass. Now let’s stop here and think for a second, if a phone camera is enough to take a decent photo of a fingerprint, what an actual DSLR camera could do? The possibilities are wild.

Next, the blogger used simple software to create a 3D model of his fingerprint, and once the model was complete, he popped it into the 3D printing software and launched the printing process. As mentioned, it might have taken some time to get the ridge height right, but at the end of the day, the 3D-printed fingerprint worked.

What are the implications of a 3D-printed fingerprint?

The implications of this “success” clearly show that there are easy ways to bypass fingerprint authentication. This is a headache both: for users and for security specialists, who work with device creators to ensure the device and software security. However, if you want to do something to prevent 3D printed fingerprints from helping cybercriminals, you might want to employ several types of identity authentication.

For example, certain laptops and operating systems require users to use both passwords and personal PIN codes next to their fingerprints. Also, most of the phones switch into the passcode authentication if fingerprint authentication isn’t successful for several times in a row. Likewise, you should also consider using various types of authentication for different apps as well.

Multi-factor authentication is a good way to secure your accounts. If an app or a service offers this type of authentication, be sure to enable it. Of course, using fingerprint authentication alone might take less time to access a device or an app, but it leaves your device and your personal data vulnerable because there’s just one layer of security. Therefore, go through the offered security options and enable two-factor or multi-factor authentication if possible.

In the most extreme cases, you can set your mobile device to wipe out your data if someone unsuccessfully tries to access it. However, please be aware that you should enable such option ONLY when you have all of your data backed up on a virtual cloud drive. There is always a chance that you may not be able to access your device for various reasons, and so you might accidentally wipe out your data.

Finally, along with fingerprint authentication, you can also use passwords because it doesn’t look like they will disappear anytime soon. Although creating and managing passwords is a tedious affair, you can always employ a free password manager tool to help you with that. Information is the hottest commodity in the Internet era, and you have to do everything you can to protect your personal data. This never-ending war against cybercriminals and data thieves requires a joint effort, but at least be sure that you have done everything to secure your device.

May 10, 2019

Leave a Reply