7 ways to beat fingerprint biometrics

Apple's embrace of finger scanning technology in the iPhone could be a breakthrough moment for biometrics. But finger scanners are no panacea. Here are 7 ways hackers have figured out to fool them.


Apple dropped $356 million to buy the biometric security firm Authentec back in July 2012. So nobody was surprised when the latest version of the iPhone, Apple's 5S, introduced finger scanning technology to replace traditional alphanumeric passwords. Use of the technology is still limited, but wide adoption of fingerprint scanning could be a breakthrough moment for biometrics: giving the broad public its first real taste of biometrics and (maybe) heralding the end of typed passwords. Or not. The truth is that fingerprint scanning technology, tools and implementations vary widely. Despite vendor claims, there's a long history of hackers fooling the devices with surprisingly simple hacks. Here are some ways hackers have figured out to fool them.

Rubber cement or silicone gel

Rubber cement of the kind you probably used in elementary school art class is one of the most reliable ways to make a copy of a fingerprint. Doing so typically requires the cooperation of the print owner. But, presuming you have that, simply make a plaster cast of the finger using modeling wax and plaster of paris to capture the print in a thimble-shaped mold. Rubber cement or liquid silicone is then pressed into the mold using a pestle to create a thin, counterfeit print that can be slipped over the finger.

Gelatin (aka Gummi finger)

Say you make your false finger using silicone gel and it works. You fool the fingerprint scanner and get access. What then? Possession of the fake, silicone fingerprint might be incriminating. It turns out that consumable gelatin of the type used to make Gummi Bears is an excellent medium for forging fingerprints and fooling fingerprint readers. The gelatin has many of the same conductive properties as human skin and can fool more sophisticated readers designed to sniff out inorganic "fingers." Researchers at Yokohama National University conducted a series of tests designed to fool biometric readers over a decade ago. In a paper published in 2002, the researchers found that gelatin (or "Gummi") fingers were successful around 80% of the time.

Tape

There are no good products, only good deployments. That's the lesson from Japan where, in 2009, a fingerprint scanner used to screen would-be immigrants failed to detect a South Korean woman who used a fingerprint image on a simple piece of masking tape to gain admission to the country. The woman had previously been deported and should have been denied entry. 

A photocopy

As we said – finger scanners come in all shapes and sizes, with widely varying levels of sophistication, ranging from simple pattern-matching sensors to more sophisticated capacitive sensors designed to distinguish living from inorganic material, as well as optical and ultrasound sensors. At the low end (pattern matching), finger scanners have proven easy to fool, as the producers of the show MythBusters found when they used a simple photocopy of a registered fingerprint to fool a scanner-enabled door lock.

Cadaver finger

One of the most straightforward ways to fool a fingerprint scanner is, of course, with an actual finger. Gory as it sounds, researchers at Clarkson University used fingers from 14 cadavers to test the ability of fingerprint scanners to spot living versus "undead" prints. After enrolling the 14 cadavers in the print scanning system, the researchers were able to successfully authenticate them using the fingers. Their conclusion: finger scanners of many different types fail to detect "liveness" in the print. The problem is easily solved, however. The Clarkson researchers developed simple, software-based cross-checks that measure perspiration patterns between two separate finger scans as a test of "liveness" – tests that the cadaver fingers failed.

Printed circuit board

One of the biggest challenges for those who want to fool fingerprint readers is obtaining the print from an unwilling donor, and turning that two-dimensional print into a three-dimensional mold. Researchers at Yokohama National University showed how to make use of printed circuit boards (PCBs). After lifting the print (from a glass or other object), the researchers enhanced it using an adhesive spray, then photographed the print using a digital camera. The print was cleaned using the Photoshop digital editing program and printed onto a transparency. The researchers then used the transparency to etch the print into the copper of a photo-sensitive PCB. That three-dimensional copper etching was then used to make a gelatin (aka Gummi) finger mold.

Software-based attacks

As attractive as the notion of Gummi fingers is, attacking the software running the scanner is at least as promising a technique as making a fake finger. That was the approach taken by researchers at IBM, who looked at a variety of ways to fool print readers by attacking the software that runs them. Among the options they tried were a so-called "brute force" attack, in which the researchers studied the likelihood that attackers could use a set of fraudulent fingerprint minutiae to match a (legitimate) stored fingerprint template, as well as "man in the middle" and replay attacks that use malicious software to manipulate the data received by the scanner.