Broken Biometrics: Fingerprint Readers Spoofed ‘80% of the Time’

Researchers managed to defeat many fingerprint sensors on portable devices. Given that a quick scan of your dabs is all it takes to access your secrets, that’s extremely worrying.

Should we stop using them? The researchers argue it’s OK to carry on, unless you’re at risk from hackers with deep pockets.

But is that fair? In today’s SB Blogwatch, we wonder how long it’ll take to scale up and fall in price.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: ugly towers.

Can’t Touch This

What’s the craic? Lily Hay Newman reports—“A Cheap 3D Printer Can Trick Smartphone Fingerprint Locks”:

 New research shows that the equipment needed to reliably spoof fingerprints and break into devices has gotten dramatically cheaper.

To make the molds, the researchers used a relatively inexpensive ultraviolet 3D printer that cures the resin it extrudes with UV light. Then they tested a number of materials … for casting the final dummy prints.

And Dan Goodin adds—“Attackers can bypass fingerprint authentication”:

 Although hackers managed to defeat TouchID with a fake fingerprint [on] the iPhone 5S, fingerprint-based authentication over the past few years has become much harder to defeat. Today, fingerprints are widely accepted as [safe] in many, but not all, contexts.

Researchers spent about $2,000 over several months testing fingerprint authentication offered by Apple, Microsoft, Samsung, Huawei, and three lock makers. The result: On average, fake fingerprints were able to bypass sensors at least once roughly 80 percent of the time.

For most people in most settings, [fingerprint authentication is] perfectly fine. … At the same time, users should remember that fingerprint authentication is hardly infallible.

Who did all this tedious work? Paul Rascagneres and Vitor Ventura rhetorically ask, “Myth or reality?”:

 Biometric authentication seems the perfect solution. … Everyone’s fingerprints are unique, and it is commonly accepted that they can identify a person without being reproduced.

Reaching this success rate was difficult and tedious work. … The creation process is time-consuming and complex. … However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication.

Feeling a touch of déjà vu? Lindsey O’Donnell Welch remembers—“‘Fake Fingerprints’ Bypass Scanners”:

 There have been security issues [before] with these fingerprint sensor glitches. … Back in October, there was the whole fiasco with Samsung, where a couple users reported that anyone could bypass the Galaxy S10 fingerprint sensor if a third party silicon case was enclosing the phone.

But nothing for normal people to worry about, eh? BAReFO0t treads CAReFUl1y: [You’re fired—Ed.]

 They say “painstakingly”, yet it cost them only $2000. And now that the basic research is done, duration and cost will have come down a lot.

I figure any layperson could do it for a fraction of the price, if they … read the full report.

And fuzzyfuzzyfungus tentatively agrees:

 Everything is expensive if done at benchtop scale by skilled operators using either low volume equipment or heavily underutilized equipment. [But] some things scale up relatively readily [and] escape the need for a skilled operator.

So why not just use a PIN or password? close04 but no banana05:

 The fingerprint is not there because it’s better than the PIN but because it’s better than nothing: it makes people want to use such a protection. Before biometric sensors, almost nobody bothered to set a PIN.

Few people want to type a PIN every time they unlock the phone—especially if in clear view of others. Biometrics just made security convenient enough to use.

Meanwhile, here’s Bill Herrin:

 I’m pretty sure anyone willing to cut my finger off is going to succeed at getting me to reveal my password.

And Finally:

Nice lockdown/in-place project for home-theater audiophiles

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Rich Anderson (cc:by-sa)

Richi Jennings

Richi is a foolish independent industry analyst, editor, writer, and fan of the Oxford comma. He’s previously written or edited for Computerworld, Petri, Microsoft, HP, Cyren, Webroot, Micro Focus, Osterman Research, Ferris Research, NetApp on Forbes and CIO.com. His work has won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.