Fingerprint biometrics for mobile devices perform badly in tests
Do you have something of immense value to lose from your phone, tablet, laptop or even from a locker protected by a biometric padlock? Think it is protected with fingerprint authentication?
You are probably wrong in the extreme, unless, possibly, you are using a device running Microsoft Corp.’s Windows Hello framework. Apple and Samsung owners have room for concern.
A pair of researchers with Cisco Systems Inc.’s Talos Intelligence Group found that biometrics software running on market-leading consumer hardware often can be defeated — sometimes easily — with a couple thousand dollars, some patience, months of time and a decent 3D printer. They used a domestic ultraviolet LED model precise to 25 microns.
According to the project report, on average, the team achieved an approximately “80 percent success rate while using fake fingerprints, where the sensors were bypassed at least once.” Fingerprint biometrics on consumer mobile devices have evolved little since 2013, when Apple’s TouchID debuted, the report’s authors wrote.
What is more, researchers Paul Rascagneres and Vitor Ventura said that with enough money and motivation and the same decent printer, most mobile devices can be cracked. Their results point directly to the likelihood that a determined state-sponsored crime ring would be rewarded handsomely.
The Talos project had an intentionally low $2,000 budget, looked at a multitude of fingerprint-cloning factors and involved Apple, Samsung, Huawei, Honor and Windows systems. An AICase padlock also was tested.
Over months of work, the researchers experimented with, among other things, three methods of collecting prints, each of which affected end results significantly. They also examined different ways to optimize scans to make printed molds. And, of course, the pair looked at a variety of both industrial and mundane materials for making the fingerprint clones.
Ultimately, they went through more than 50 printed molds before producing a successful resin oval. The best clone made from that mold was made using common fabric glue.
The device results were disconcerting, but not entirely so.
Hardware running Windows Hello did not crack because, the researchers theorized, Microsoft has created settings requiring more points of print comparison. The researchers wrote that they are confident the software would not withstand a determined effort.
Samsung’s A70 phone could not be broken into, either. However, the researchers said that the phone rejected the legitimate fingerprint more often than all of its competitors in the study. The other Samsung products, the S10 and Note 9, performed poorly.
Apple’s fifth-generation iPad held up far better than did the 2018 MacBook Pro and the iPhone 8 that were tested as well, but that is faint praise.
The Huawei P30 Lite phone and its corporate cousin, the Honor 7X, should not be trusted near a 3D printer, according to the report. In fact, the 7X performed worst overall among its peers.
The padlock by AICase performed in the middle, but no device did as well as it did when presented with a clone derived from a photograph of a fingerprint on glass, presumably obtained clandestinely.
A research team from Tencent’s X-Lab claimed late last year it could hack into nearly any Android or iOS device in roughly 20 minutes.