Researchers at Michigan State University have developed a clever hack that allows them to scan a target user’s fingerprint, print it, and then use the printout to unlock a mobile phone via the fingerprint sensor.
The method uses an off-the-shelf inkjet printer equipped with some special cartridges with conductive ink to print the fingerprint image on special paper. That image is then used to unlock a target phone by applying it to the fingerprint sensor on the device. Those sensors rely on the fingerprint to identify the specific user, but also on conductivity to complete the circuit when the user’s finger is placed on the sensor.
There has been previous research on spoofing fingerprints to fool touch sensors on phones, specifically the iPhone 5S, the first mass-market phone to use a fingerprint sensor. That mechanism was bypassed within a few days of its release when researchers in Germany were able to use a fingerprint taken from a glass surface and replay it on the phone after printing it with very thick toner on special paper.
The MSU researchers were able to improve upon the existing methods by reducing the amount of time it takes to create the spoofed fingerprint and making the process simpler.
“This experiment further confirms the urgent need for antispoofing techniques for fingerprint recognition systems, especially for mobile devices which are being increasingly used for unlocking the phone and for payment,” the MSU researchers wrote in their paper.
Biometrics such as fingerprint and voice recognition are becoming increasingly popular as secondary, and sometimes primary, forms of authentication. Because these identifiers are unique to each person, they are considered more secure and reliable for users than passwords, but researchers have found a variety of different methods for bypassing or hacking these mechanisms. A group at the University of Alabama at Birmingham published a method a few months ago for building a model of a user’s voice and using voice-morphing software to impersonate the target.
The method that the researchers at MSU developed involves using conductive silver ink cartridges from a Japanese manufacturer, along with a normal black ink cartridge. The researchers scanned a target user’s fingerprint at 300 DPI, then reversed the fingerprint horizontally and printed it on special glossy paper. The print could then be used to unlock the user’s phone. The researchers ran the experiment on a Samsung Galaxy S6 and a Huawei Honor 7 and found that it worked on both devices.
“Once the printed 2D fingerprints are ready, we can then use them for spoofing mobile phones. In our spoofing experiment, we selected Samsung Galaxy S6 and Huawei Honor 7 phones as examples. We enrolled the left index finger of one of the authors and used the printed 2D fingerprint of this left index finger to unlock the fingerprint recognition systems in these phones,” the paper says.
The MSU researchers, Kai Cao and Anil K. Jain, said that their method doesn’t work on all mobile phones with fingerprint sensors, but it is a step forward from what’s been done before.
“As the phone manufacturers develop better anti-spoofing techniques, the proposed method may not work for the new models of mobile phones. However, it is only a matter of time before hackers develop improved hacking strategies not just for fingerprints, but other biometric traits as well that are being adopted for mobile phones (e.g., face, iris and voice),” Cao and Jain said.
Image from Flickr stream of Kourepis Aris.