Fingerprint scanners are a convenient way to unlock your phones and devices, but they are not secure. If you want security, you should stick to a long PIN, or better yet, a password (where possible). Cisco Talos researchers made this point when they broke into multiple devices using a resin 3D printer, software, and glue, on a budget of about $2,000.
Now, the purpose of the research is not to suggest that your neighbor could easily get into your device with a standard 3D printer and fingerprint powder. No, the Talos researchers fully admit that what they did was tedious work and would require a budget somewhere in the neighborhood of $2,000.
But although that is not petty cash for "your average Joe" armed with a bit of Google knowledge, it is well within the budgets and capabilities of many law enforcement and government agencies.
To test the security of fingerprint authentication on consumer devices, the Talos team decided to keep to a relatively low budget. They then used three methods to collect fingerprints. First, they created molds using plasticine. Second, they digitally copied the fingerprints from a fingerprint sensor, in particular the type you might encounter when going through customs or entering a business. And third, they took pictures of fingerprints left on glass and brushed with magnesium powder (similar to "dusting" for fingerprints).
The first method served as a control because it would create the most accurate fingerprint.
They then used software to merge (where necessary) and enhance the fingerprint data from the sensors or images and exported it to a 3D printer file. This allowed them to 3D print a resin mold (which required a specialized UV-compatible printer) from which to cast the fingerprints. The researchers first attempted to 3D print the fingerprints directly, but that failed. Instead, 3D printed molds combined with textile glue did the trick.
With fake fingerprints at hand, Talos discovered that it could unlock mobile devices 80% of the time. They tested Apple, Samsung and Huawei devices and succeeded with each device, regardless of the type of fingerprint sensor used.
Laptops were another story. Windows Hello was not fooled by the fake fingerprints, but the Apple MacBook Pros were. Likewise, the Verbatim and Lexar USB drives did not unlock with the fake fingerprints.
Yet the high success rate on smartphones is telling. This does not mean it was easy; according to Talos, the margins for error are small. A fingerprint just 1% too large or too small will not unlock a device, for example. And because of the hardening process, producing a fake fingerprint that worked that often took more than 50 molding attempts. Overall, Talos described the process as "difficult and tedious".
But the research shows that for an entity with time, patience, and a budget as low as $2,000, getting into your fingerprint-locked phone is entirely possible. If that does not worry you, features like Touch ID still offer plenty of convenience. But for added security, switch to a PIN code.