Hackers can bypass fingerprint security 80% of the time
By Staff reporter | 10 Apr 2020 at 19:08hrs
Tests by Cisco's Talos Intelligence Group have found that fingerprint recognition systems could be bypassed in at least 80% of cases using fake fingerprints.
This means that those wanting to protect themselves against well-funded actors should not rely on fingerprint authentication, Talos said.
Talos said people should see fingerprint security technology in a similar way to a home security system.
"If you want it to stop secret agencies from spying on your house, it won't work. But if you want to stop petty crime, it's good enough," said Talos.
Likewise, "for a regular user, the advantages of fingerprint authentication are obvious and it should be used".
"However, if the user is a more high-profile user or their device contains sensitive information, we recommend relying more on strong passwords and token two-factor authentication," said Talos.
Creating fake fingerprints
Talos outlined three methods it used to create these fingerprints.
Direct collection - Using the real finger to create a mould of the fingerprint.
Fingerprint sensor - Obtaining a bitmap image from a fingerprint reader.
Third-party - Taking a picture of a fingerprint on glass, and using graphite powder with a brush to increase the contrast of the fingerprint ridges.
Talos tested a variety of smartphones, as well as laptops, a smart padlock, and two encrypted USB portable drives that use fingerprint security.
The easiest smartphones to spoof across all three methods included the Honor 7X, the Samsung S10, and the Samsung Note 9.
The Samsung A70 could not be spoofed; however, Talos highlighted that even with the real fingerprint, the authentication rate was very low.
Talos said that mobile phone fingerprint authentication has actually weakened compared to when it was first made available in 2013.
Talos found it could not break into Windows 10 devices because of the Windows Hello framework.
In contrast, the same cloned fingerprint tested on the MacBook Pro had a 95% success rate.
"The reason for the better and recurrent results from the Windows platforms is the fact that on all platforms the comparison algorithm resides on the OS, and thus is shared among all platforms," Talos explained.
The portable drives were also well protected by their fingerprint technology as all attempts to spoof a fingerprint failed.
However, the padlock was not particularly well protected and was bypassable at a similar rate to the smartphones.
A chart outlining the results of these tests is below.
The orange bars indicate the direct collection method, the blue bars show the fingerprint sensor method, while the yellow bars are for the third-party method.