Bypass biometric authentication using fingerprint photo, printer and glue
Researchers have shown that fingerprints can be cloned for biometric authentication for as little as $5 without using fancy or unusual tools.
Although fingerprint-based biometric authentication is generally considered to be superior to PINs and passwords in terms of security, the fact that fingerprints can be left in many public places makes it prone to abuse.
It has already been proven that there are ways to collect and use people’s fingerprints to trick even the most sophisticated sensors. However, these usually involve the use of niche tools such as DSLR cameras and high fidelity 3D printers.
If there were an inexpensive way to retrieve these fingerprints and convert them into usable copies, it would have a serious negative impact on the security of this particular authentication method.
According to the team at Kraken Security Labs, there is a way to clone fingerprints using inexpensive materials, without any high-end tools involved at any stage of the process.
A printer and glue
As the team demonstrated, stealing the fingerprint involves photographing it with any modern smartphone and then generating the negative in photo manipulation software.
This basic editing step is sufficient to bring out the outlines of the stolen fingerprint and prepare it for the printing step, so no high-resolution DSLR image is required.
For the printing stage, any laser printer that accepts acetate sheets would be suitable for the attack. Acetate is typically used for cards, stencils, and overlays, but it is ideal in this case because the laser printer can engrave it.
Once the print is complete, the synthetic imprint is formed by applying wood glue to the print and allowing it to dry.
Through testing, the Kraken team found that the resulting fingerprint can trick cutting-edge fingerprint sensors such as the one used in the latest MacBook Pro.
“We were able to perform this well-known attack on the majority of devices our team had for testing. If this was a real attack, we would have had access to a wide range of sensitive information.” - Kraken
You shouldn’t rely on fingerprints alone
The Kraken findings don’t mean the end of fingerprints is near, but they are a good reminder of why people shouldn’t treat them as the only layer of protection for their accounts.
Fingerprints are a convenient biometric authentication method, but when it comes to mission-critical applications, they should only be used as a second factor (2FA) in conjunction with a strong password.
“A fingerprint should not be viewed as a secure alternative to a strong password. It makes your information – and, potentially, your crypto-assets – vulnerable to even the simplest attackers,” Kraken researchers explain.
As technology advances and low-cost consumer electronics become more capable of producing high-fidelity results, fingerprints will be even easier to clone.