Attackers can bypass fingerprint authentication with an ~80% success rate

Antus67

Level 9
Thread author
Verified
Well-known
Nov 3, 2019
413
Fingerprint-based authentication is fine for most people, but it's hardly foolproof.
For decades, the use of fingerprints to authenticate users to computers, networks, and restricted areas was mostly limited to large and well-resourced organizations that used specialized and expensive equipment. That all changed in 2013 when Apple introduced TouchID. Within a few years, fingerprint-based validation became available to the masses as computer, phone, and lock manufacturers added sensors that gave users an alternative to passwords when unlocking the devices.

Although hackers managed to defeat TouchID with a fake fingerprint less than 48 hours after the technology was rolled out in the iPhone 5, fingerprint-based authentication over the past few years has become much harder to defeat. Today, fingerprints are widely accepted as a safe alternative over passwords when unlocking devices in many, but not all, contexts.


A very high probability
A study published on Wednesday by Cisco’s Talos security group makes clear that the alternative isn’t suitable for everyone—namely those who may be targeted by nation-sponsored hackers or other skilled, well-financed, and determined attack groups. The researchers spent about $2,000 over several months testing fingerprint authentication offered by Apple, Microsoft, Samsung, Huawei, and three lock makers. The result: on average, fake fingerprints were able to bypass sensors at least once roughly 80 percent of the time.

The percentages are based on 20 attempts for each device with the best fake fingerprint the researchers were able to create. The results may not be fully applicable to Apple products since they limit users to five attempts before asking for the PIN or password. Other products tested permitted significantly more or even an unlimited number of unsuccessful tries.

Tuesday’s report was quick to point out that the results required several months of painstaking work, with more than 50 fingerprint molds created before getting one to work. The study also noted that the demands of the attack—which involved obtaining a clean image of a target’s fingerprint and then getting physical access to the target’s device—meant that only the most determined and capable adversaries would succeed.

“Even so, this level of success rate means that we have a very high probability of unlocking any of the tested devices before it falls back into the PIN unlocking," Talos researchers Paul Rascagneres and Vitor Ventura wrote. “The results show fingerprints are good enough to protect the average person's privacy if they lose their phone. However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication.”

The devices that were the most susceptible to fake fingerprints were the AICase padlock and Huawei’s Honor 7x and Samsung’s Note 9 Android phones, all of which were bypassed 100 percent of the time. Fingerprint authentication in the iPhone 8, MacBook Pro 2018, and the Samsung S10 came next, where the success rate was more than 90 percent. Five laptop models running Windows 10 and two USB drives—the Verbatim Fingerprint Secure and the Lexar Jumpdrive F35—performed the best, with researchers achieving a 0-percent success rate.

The chart below summarizes the results:

1586352221339.png

Defeating fingerprint authentication: A how-to
There are two steps to fingerprint authentication: capturing, in which a sensor generates an image of the fingerprint, and analysis that compares the inputted fingerprint to the fingerprint that’s enrolled. Some devices use firmware that runs on the sensor to perform the comparison while others rely on the operating system. Windows Hello included in Windows 10, for example, performs the comparison from the OS using Microsoft’s Biometric Devices Design Guide.

There are three types of sensors. Capacitive sensors use a finger’s natural electrical conductivity to read prints, as ridges touch the reader while valleys do not. Optical sensors read the image of a fingerprint by using a light source that illuminates ridges in contact with the reader and reads them through a prism. Ultrasonic sensors emit an ultrasonic pulse that generates an echo that’s read by the sensor, with ridges and valleys registering different signatures.

The researchers devised three techniques for collecting the fingerprint of a target. The first is direct collection, which involves a target pressing a finger on a brand of clay known as Plastiline. With that, the attacker obtains a negative of the fingerprint. The second technique is to have the target press a finger onto a fingerprint reader, such as the kind that’s used at airports, banks, and border crossings. The reader would then capture a bitmap image of the print. The third is to capture a print on a drinking glass or other transparent surface and take a photograph of it.

After the print is collected using the print reader or photo methods, certain optimizations are often required. For prints recorded on a fingerprint reader, for instance, multiple images had to be merged together to create a single image that was large enough to pass for a real fingerprint. Below is an example of the process, performed on fingerprints the FBI obtained from prohibition-era gangster Al Capone.

1586352316718.png
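The article's caveat that Apple's five-attempt limit changes the picture can be made concrete. What follows is an added example, not code from the article or from the Talos study: it takes the article's headline figure (at least one bypass in 20 attempts about 80 percent of the time) and, under the simplifying assumption that every attempt is an independent trial with one constant per-attempt acceptance rate, works out what the same fake would achieve before a cap of 3, 5, 10 or 20 attempts triggers the PIN fallback. The function names and the independence assumption are mine; the study's figure is an average across devices rather than a per-device rate, so the numbers are illustrative only.

```python
"""Attempt caps versus fake-fingerprint success: a back-of-envelope model.

Added example, not from the Talos study or the article. The only figure
taken from the article is "at least one bypass in 20 attempts, ~80% of the
time". Everything else is an assumption: each attempt is an independent
trial with the same per-attempt acceptance rate q, and the device falls
back to PIN/password once `cap` biometric attempts have failed.
"""
from __future__ import annotations


def implied_per_attempt_rate(at_least_once: float, attempts: int) -> float:
    """Invert P(>=1 success in n attempts) = 1 - (1 - q)^n and return q."""
    if not 0.0 <= at_least_once < 1.0 or attempts < 1:
        raise ValueError("need 0 <= at_least_once < 1 and attempts >= 1")
    return 1.0 - (1.0 - at_least_once) ** (1.0 / attempts)


def bypass_probability(per_attempt: float, cap: int | None) -> float:
    """P(>=1 success) within `cap` attempts; None models an unlimited cap,
    where any non-zero per-attempt rate eventually succeeds."""
    if not 0.0 <= per_attempt <= 1.0:
        raise ValueError("per_attempt must be a probability")
    if cap is None:
        return 1.0 if per_attempt > 0.0 else 0.0
    if cap < 0:
        raise ValueError("cap must be >= 0")
    return 1.0 - (1.0 - per_attempt) ** cap


def compare_caps(
    observed: float = 0.80,
    observed_attempts: int = 20,
    caps: tuple[int | None, ...] = (3, 5, 10, 20, None),
) -> dict[int | None, float]:
    """Re-express the observed at-least-once rate under each attempt cap."""
    q = implied_per_attempt_rate(observed, observed_attempts)
    return {cap: bypass_probability(q, cap) for cap in caps}


if __name__ == "__main__":
    q = implied_per_attempt_rate(0.80, 20)
    print(f"implied per-attempt acceptance rate: {q:.3f}")
    for cap, p in compare_caps().items():
        label = "unlimited" if cap is None else f"{cap:>2} attempts"
        print(f"  cap = {label}: P(bypass before PIN fallback) = {p:.2f}")
```

Under this model a five-attempt cap cuts the at-least-once probability from 80 percent to roughly a third, which is the reason the article says the headline figure "may not be fully applicable to Apple products"; a device that permits unlimited tries is, under the same model, only a matter of time. The model ignores rate limiting between attempts, liveness checks and variation in mold quality, all of which matter in practice, so treat it as a way to reason about attempt-cap policy rather than as a prediction for any one device.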
 

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,057
“Biometrics are not an Achilles heel,” Craig Williams, director of Cisco Talos Outreach, told Threatpost. “Biometrics are something that makes it very, very easy to use. You don’t have to remember a password. You don’t have to enter a password, which makes it very fast and easy. You don’t have to carry anything around with you. And so I think for most users, it’s still perfectly fine.”

Full interview in the Threatpost podcast, download direct here.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
I’m shocked that Windows 10 Hello accepts biometric unlock on cold boot. There’s a reason why so many devices only accept biometrics as a “warm unlock” where it’s been proven that the owner has actively used the device recently. One can argue that typing your actual password or passcode in a public setting is dangerous too due to how common 4K security cameras have become.... a biometric device cannot be unlocked after a certain number of attempts but a password that was previously captured will always be good.

OTOH you can change your password but you can never change your face or fingerprint so there’s definitely trade offs. But looking around at my family, 90% of their passcodes are either their birthdays or some simple pattern. I would say if you can convince people to use longer pass phrases in exchange for a convenient unlock via biometrics, that’s a net win. Anyone with a $50 spy camera off amazon can have great luck capturing passwords. It takes much more determination to clone fingerprints and infrared facial images.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
It's no problem that Windows Hello accepts biometric unlock on cold boot, if BitLocker starts before.
What’s the connection there? By default BitLocker allows the TPM and trusted measurements of the OS to unlock the volume.


EDIT:
At least on my Dell XPS and my Surface Pro 7, as an attacker I can just boot the system, it automatically unlocks BitLocker all the way to the Windows login prompt. From there I can unlock with a Gummy Bear finger or with a short passcode or with my face, and then copy all the data off the machine once it's logged in.
 

ForgottenSeer 85179

What’s the connection there? By default BitLocker allows the TPM and trusted measurements of the OS to unlock the volume.


EDIT:
At least on my Dell XPS and my Surface Pro 7, as an attacker I can just boot the system, it automatically unlocks BitLocker all the way to the Windows login prompt. From there I can unlock with a Gummy Bear finger or with a short passcode or with my face, and then copy all the data off the machine once it's logged in.
You need to configure BitLocker using a PIN/password instead of only TPM ;)

Using TPM only doesn't make sense for security. A thief can start your PC this way too, and that's what encryption protects against.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
You need to configure BitLocker using a PIN/password instead of only TPM ;)

Using TPM only doesn't make sense for security. A thief can start your PC this way too, and that's what encryption protects against.
I totally agree. That’s the part I was missing — sure, if you configure a PIN/password it kind of substitutes the Windows login dialog.
TPM-only still gives you some protection — nobody can just steal your SSD, and if your pre-login environment is trustable it prevents access to your files, and changing the secure boot chain (like injecting a boot loader rootkit) would lead to requiring the BitLocker recovery key.
 

ForgottenSeer 85179

TPM-only still gives you some protection — nobody can just steal your SSD, and if your pre-login environment is trustable it prevents access to your files, and changing the secure boot chain (like injecting a boot loader rootkit) would lead to requiring the BitLocker recovery key.
Sure, but why should the thief steal only the SSD if he can steal the whole PC?
The attackers know about such protections, so they wouldn't take the risk, and it would also need too much time.

Of course laptops are at higher risk than a heavy desktop PC.
That's why I recommend using a BIOS password for HDD/SSD boot. It can be easy, and an attacker can reset the BIOS on the mainboard (same for other BIOS passwords), but it needs more time & knowledge from him to do that.
And in my opinion we should make it as hard as possible.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
Sure, but why should the thief steal only the SSD if he can steal the whole PC?
The attackers know about such protections, so they wouldn't take the risk, and it would also need too much time.

Of course laptops are at higher risk than a heavy desktop PC.
That's why I recommend using a BIOS password for HDD/SSD boot. It can be easy, and an attacker can reset the BIOS on the mainboard (same for other BIOS passwords), but it needs more time & knowledge from him to do that.
And in my opinion we should make it as hard as possible.

Yeah I totally understand :) I've spent 10+ years developing trusted boot and hardware entangled encryption designs similar to BitLocker. Without a doubt having a user-controlled secret is the best, all I'm saying is that if you have a system where you can establish trust in the early boot process before logging in, you can still gain a lot of benefit from a full disk encryption system that unlocks automatically via a platform level secret like a TPM.

I think the biggest weakness with BitLocker is that it doesn't have enough separation between system-wide, per-user, per-file, and similar granularity.
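To make the TPM-only point from the exchange above checkable rather than anecdotal, here is an added example (my code, not from any poster in the thread and not from Microsoft): a small parser for the text that `manage-bde -status` prints, which flags OS volumes whose only TPM-based protector is plain "TPM", i.e. the configuration that unlocks unattended all the way to the Windows logon prompt. The embedded sample outputs are constructed to mirror that tool's layout rather than captured from real hosts, and the host names and function names are placeholders.

```python
"""Flag BitLocker OS volumes that rely on a TPM-only protector.

Added example, not from the thread. It parses the text layout printed by
`manage-bde -status` (a "Volume X:" header, then indented fields, then an
indented "Key Protectors:" list). SAMPLE_OUTPUTS below is constructed to
mirror that layout and was not captured from a real machine; the protector
names follow manage-bde's own vocabulary ("TPM", "TPM And PIN",
"Numerical Password", ...).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE_OUTPUTS = {  # constructed: one TPM-only host and one TPM+PIN host
    "laptop-a": """\
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [OS]
[OS Volume]

    Size:                 475.69 GB
    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Key Protectors:
        TPM
        Numerical Password
""",
    "laptop-b": """\
Volume C: [Windows]
[OS Volume]

    Size:                 237.47 GB
    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 256
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Key Protectors:
        TPM And PIN
        Numerical Password
""",
}

# Protectors that demand something a thief does not get just by powering
# the machine on: a PIN, a startup key on USB, or a plain password.
PREBOOT_SECRET = {"TPM And PIN", "TPM And Startup Key",
                  "TPM And PIN And Startup Key", "Password"}

VOLUME_RE = re.compile(r"^Volume ([A-Z]):")


@dataclass
class Volume:
    letter: str
    protection_status: str = ""
    protectors: list[str] = field(default_factory=list)


def parse_status(text: str) -> list[Volume]:
    """Extract per-volume protection status and key-protector names."""
    volumes: list[Volume] = []
    current: Volume | None = None
    in_list = False
    for raw in text.splitlines():
        match = VOLUME_RE.match(raw)
        if match:
            current = Volume(match.group(1))
            volumes.append(current)
            in_list = False
            continue
        if current is None:
            continue  # banner lines before the first volume
        line = raw.strip()
        if in_list:
            # protector names are indented deeper than the field labels
            if line and raw.startswith("        "):
                current.protectors.append(line)
                continue
            in_list = False
        if line.startswith("Protection Status:"):
            current.protection_status = line.split(":", 1)[1].strip()
        elif line == "Key Protectors:":
            in_list = True
    return volumes


def assess(vol: Volume) -> str:
    """Classify a volume as NOT PROTECTED, TPM-ONLY, or OK."""
    if vol.protection_status != "Protection On":
        return "NOT PROTECTED"
    if "TPM" in vol.protectors and not (PREBOOT_SECRET & set(vol.protectors)):
        return "TPM-ONLY"  # unlocks unattended up to the logon screen
    return "OK"


def audit(outputs: dict[str, str]) -> dict[tuple[str, str], str]:
    """Map (host, drive letter) -> assessment for a set of status dumps."""
    return {(host, vol.letter): assess(vol)
            for host, text in outputs.items()
            for vol in parse_status(text)}


if __name__ == "__main__":
    for (host, letter), verdict in audit(SAMPLE_OUTPUTS).items():
        print(f"{host} {letter}: {verdict}")
```

In a fleet you would feed `audit()` the captured `manage-bde -status` output from each host. A TPM-ONLY verdict on the OS volume is exactly the situation the posts above describe: the drive unlocks on its own, so only the Windows credential stands between someone holding the whole machine and the data. Adding a startup PIN with `manage-bde -protectors -add C: -TPMAndPIN` (or `Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector` in PowerShell) requires that the "Require additional authentication at startup" BitLocker policy permit a PIN; keep the recovery password protector in place, since a PIN typo or a firmware update that changes the measured boot chain falls back to it.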
 

Tiamati

Level 12
Verified
Top Poster
Well-known
Nov 8, 2016
574
Capacitive sensors use a finger’s natural electrical conductivity to read prints, as ridges touch the reader while valleys do not. Optical sensors read the image of a fingerprint by using a light source that illuminates ridges in contact with the reader and reads them through a prism. Ultrasonic sensors emit an ultrasonic pulse that generates an echo that’s read by the sensor, with ridges and valleys registering different signatures.

I wonder which one would be the most secure :unsure:
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
I wonder which one would be the most secure :unsure:
Optical tends to be the least secure, as the sensor has a more difficult time telling the difference between a 2D fake and your actual finger.

For ultrasonic and capacitive sensors, both at least guard against the simple "lift your fingerprint and run it through a photocopier" attack, but with enough gelatin and determination, one can make something that looks both electrically and physically similar to a fingerprint.

Remember too that we all expect these things to unlock our phones when our hands are clammy, covered with lotion, recently washed and still damp, etc etc etc..... The average user is more likely to be dissatisfied if the reader rejects their print rather than accepting a gummy bear.

I honestly don't think it's a good use of time to try to make this much more secure. Just like how professional mask-makers can make extremely convincing silicone disguises, professional finger-makers are going to be able to make some very convincing fake thumbs. That's simply an inherent weakness of this kind of biometric authentication.

The way we add security is generally by introducing more factors of authentication, particularly ones that cannot be pried out of us physically (e.g. passwords).

Of course....
1586546515117.png
 

Tiamati

Level 12
Verified
Top Poster
Well-known
Nov 8, 2016
574
Optical tends to be the least secure, as the sensor has a more difficult time telling the difference between a 2D fake and your actual finger.

For ultrasonic and capacitive sensors, both at least guard against the simple "lift your fingerprint and run it through a photocopier" attack, but with enough gelatin and determination, one can make something that looks both electrically and physically similar to a fingerprint.

Remember too that we all expect these things to unlock our phones when our hands are clammy, covered with lotion, recently washed and still damp, etc etc etc..... The average user is more likely to be dissatisfied if the reader rejects their print rather than accepting a gummy bear.

I honestly don't think it's a good use of time to try to make this much more secure. Just like how professional mask-makers can make extremely convincing silicone disguises, professional finger-makers are going to be able to make some very convincing fake thumbs. That's simply an inherent weakness of this kind of biometric authentication.

The way we add security is generally by introducing more factors of authentication, particularly ones that cannot be pried out of us physically (e.g. passwords).

Of course....

Ty!
 
