New research has found that it’s possible to use 3D printing technology to create “fake fingerprints” that can bypass most fingerprint scanners used by popular devices. But, creating the attack remains costly and time-consuming.

Researchers with Cisco Talos created different threat models that use 3D printing technology, and then tested them on mobile devices (including the iPhone 8 and Samsung S10), laptops (including the Samsung Note 9, Lenovo Yoga and HP Pavilion X360) and smart devices (such as a smart padlock).

The fake fingerprints achieved an 80 percent success rate on average, where the sensors were bypassed at least once. Researchers did not have success in defeating biometrics systems in place on Microsoft Windows 10 devices (though they said that this does not mean they are not necessarily safer; just that this particular approach did not work).

However, the bigger takeaway is the sheer amount of time and budget that it still takes when creating threat models to bypass fingerprint sensors. At the end of the day, researchers said they had to create more than 50 molds and test them manually, which took months – and, they struggled to stay under a self-imposed budget of $2,000. These challenges point to the fact that a scalable, easy type of attack is not yet possible for bypassing biometrics.

“Biometrics are not an Achilles heel,” Craig Williams, director of Cisco Talos Outreach, told Threatpost. “Biometrics are something that makes it very, very easy to use. You don’t have to remember a password. You don’t have to enter a password, which makes it very fast and easy. You don’t have to carry anything around with you. And so I think for most users, it’s still perfectly fine.”

Listen to the full interview in the Threatpost podcast, below, or download direct here.

Below is a lightly edited transcript of the podcast.

Lindsey O’Donnell Welch: Hello, everyone, this is Lindsey O’Donnell Welch with Threatpost, and welcome back to the Threatpost podcast. Today we’re going to be discussing some new research about fingerprint scanners on phones and computers. Cisco Talos today came out with some new research regarding how these scanners can be defeated using different technologies like 3D printing, and basically looking at fingerprint scanners and the security behind them in general. So joining me today is Craig Williams, director of Cisco Talos outreach, to discuss this latest research. Craig, thanks so much for joining me today on the podcast.

Craig Williams: No problem. It’s a pleasure to be here.

LO: Let’s just take a step back for a second and kind of give some context here. Can you talk a little bit about fingerprint scanners on mobile devices and really set the context on the current state of fingerprint scanning and how prevalent this type of scanning is right now?

CW: Absolutely. So one of the problems security people have always had since the advent of the password is, how do we make it easy for users? And I’m sure everyone’s aware of all the jokes over the years of, you know, like passwords, like Hunter2 being typed in by users. And that’s a real problem, right? Password reuse is constant. People share them inappropriately, they write them down. And so as security people, we’re always looking for new technologies and new systems to make it easier for users to authenticate. And years and years and years ago, people started looking at biometrics. And I think it’s safe to say that Apple was the first company that really made biometric security broad and available for the masses through their mobile devices. And I think it was a great success. Everyone knows how to use it. Everyone’s aware of it now. A lot of people still use it today. And I think for most users, it’s great.

LO: Yeah, well, and I think that’s very important to note. And then at the same time, there have been security issues with these fingerprint sensor glitches. I don’t know if you remember back in October, there was the whole fiasco with Samsung, where a couple users reported that anyone could bypass the Galaxy S10 fingerprint sensor if a third party silicon case was enclosing the phone. And so, you know, that was the whole thing. And Samsung ended up having to roll out a fix. So I think that brings up kind of the question, how secure are is this fingerprint scanning? And that kind of brings us to your research. Can you talk a little bit about, first of all the main goals of the research here in looking at the different threat models?

CW: Absolutely. So you know, I think one of the things to remember is that up until recently, current events, thinking of a threat model wasn’t something a normal user did. You know now, everyone, I mean, they may not be aware of the term threat model, but everyone when they go out in public thinks about what am I going to touch? Do I need gloves? Should I bring a mask or should I use hand sanitizer and they think about the threats are being posed to them today and how do I mitigate them? That’s not always something that users think about. And so when we started looking into fingerprint security, we had heard a lot of fear and uncertainty and doubt about fingerprint based authentication. And what we wondered was, well, most of these studies don’t really have public information. So could we do one, under say, a reasonable budget, and give users an idea of what the actual risk is? And clearly define it and define what’s possible? And then help users understand what does that pose to their business? And what steps do they need to take to protect themselves? And that was really the origin story of this type of research.

LO: Right and I like that you had highlighted the budget aspect of this because I do think that is something where, if you’re looking at these types of attacks, it’s really important to note, can this be something that is just carried out by an everyday user versus a sophisticated threat actor, or whatnot. And can this also be done at a scalable level? And so what were some of the main takeaways from the research?

CW: Well, some of the main takeaways from the research is that vendors really had to make that fundamental choice that every security technology has to make. Right? And that that choice is really ease of use. Right? And this goes back to the very first passwords when people were designing the password system, is how do you make it something that’s both secure, and something that’s easy for users to use? Now, obviously, in the case of passwords, if you allow people to use single short words like cat, dog, love, hate, whatever, we can go through the list from hackers, it’s very easy for users to remember but unfortunately, it’s also very easy to guess. And so that’s really where fingerprint based authentication comes into play. Because it kind of gets both worlds, it makes it secure, and it makes it easy to use. And so when we started diving down this, what we discovered was that, there are a couple of scenarios we wanted to investigate. And I think the most common ones that most people would understand is, well, someone’s got to get the fingerprint. And so we defined three scenarios where that might happen. I think the most common one was someone providing it willingly, like, let’s say, you go through a security checkpoint or into a building or whatever, or somebody swaps out your phone with theirs, and you know, you’ve scanned your fingerprint. The next one was something a little bit, you know, more sneaky, you lift it off of something that someone touched. And then I think the other one was basically, like if somebody took a picture of your thumb – which, as a hilarious side story, my colleague, one of the researchers, Paul and I were working one day, and Paul is huge into 3D printing. And so naturally, he’s cranking out masks for hospitals right now and face shields and all the equipment. And so he burns his hand. And, of course, I’m doing similar things and I burn mine, and in an attempt to show some sort of like moral support, I’m like,” Ah, look, Paul, I burned my finger.” And I realize I’m about to send the guy doing our fingerprint research, a picture of my fingerprint.

LO: Oh, man.

CW: Yeah. So it happens easier than you think. Right? There are scenarios you put yourself in where you’re actually leaving behind little bits of authentication. And this is really the downside of biometrics, right? Biometrics are very easy to use. But unlike a password, you know, most users don’t write their password down everywhere. But people do leave biometric things around all the time. You know, you look at stuff you leave retinal prints, right? You look at a camera that could get a scan of it, you leave your fingerprints all over the place.

LO: Right and and like a password, you can’t change your fingerprint. So talk a little bit more about the creation of the threat models that you guys had put together as well is kind of what models and different types of sensor technology we’re looking at.

CW: Well, so the sensor technology did have some interesting things when we did the research, right, we looked at capacitive type fingerprints, we looked at ones that use optical scanners, and they all pose their own unique difficulties and challenges. And in the paper, we go through how we address those and the different scenarios we went in. But basically, we were able to collect the print using the three methods I mentioned earlier. And then we were able to, through a very detailed trial and error model we go through in the paper, iterate through different ways of actually producing a mold to make the print and that was really how we got past the capacitance issue. As it turns out, if you use plasticine, and you put it over your fingerprint very much like some of the stuff we’ve seen in the movies like “Mission Impossible,” it is possible to make it work fairly reliably on most vendors and actually use a fake print laying over your print. So that part of the movies is actually true. That was a little bit surprising for me.

LO: Yeah, that is surprising. I mean, it seems like that is such maybe not simple but such an easy thing to be able to carry out. Is that what you guys found?

CW: Well, so not exactly the answer’s a little surprising. So let’s first cover the “why this is possible,” right? Because I’m sure if people had known about this 10 years ago, fingerprint based biometrics may not have looked like that, you know, good of a choice. But the reality is the advances we’ve made in 3D printing over the last few years have been immense. And when you look at it, you know, current home devices that are available for a relatively small amount of money, are capable of printing down to .1 microns. And the reality is the ridges on your fingerprint, are many, many times that, I think they’re around 400, 500 microns, and so on. When you think about it, you’re actually capable of producing something that is more detailed than a fingerprint very easily in theory, and that’s got footnotes and highlight all over it. The reality ended up being for the technology that we were using which again, we self imposed the $2,000 budget. It is currently very difficult to produce and achieve usable molds. The amount of time it took us to carry out this type of activity was significantly longer than we expected. It was a matter of, dozens and dozens and dozens of hours to produce usable molds and prints. And so this is not something that someone could do quickly unless they were going to dump an immense amount of money into it. You know, this isn’t something that could happen if you handed your phone over to a third party to hold for 20 minutes. It’s something that you would need a long amount of time to produce the print and then actually try it and use it. Now, of course, if that attacker had cloned your print earlier that might open you up to new avenues of attack.

But I think the really important takeaway for this, and this is, hopefully I’m not getting too far ahead of myself. The really important takeaway of this was that this type of attack scenario is viable. We can caveat it with all the footnotes that we want, but it is viable. It is possible with equipment you can buy the store that you can put together in your house. But it is not easy. It requires a significant amount of expertise and a significant investment of time and resources to get right. And a significant amount of trial and error. That said, when you do all that you can produce prints that will fool most fingerprint based authentication systems.

LO: Right. Yeah. Can you speak a little more to kind of the challenges? I know you mentioned the vast amount of time it took but then also, how difficult was it to stay within the budgetary restrictions that you guys self imposed, and I guess a follow up question for that would be, you know, where was the majority of the expenses coming from?

CW: I think the majority of the initial investment was really the 3D printer itself, a printer that uses the the resin, which is the system we chose, because it’s a little bit more detailed and better suited for these type of activities. So about I don’t know, let’s say $1,000 for a good printer, and then you’ve got to buy a wash station to cure it. And so that right there is the vast majority of your $2,000 budget. And then of course, you have a lot of the material for your trial and error.

LO: Right, right. And, can you talk also about the platforms that you were testing on? I know you guys were looking on mobile devices, as well as laptops and even then you said you tested smart devices. So like a padlock, and then USB encrypted pen drives, which I thought was really interesting. Were there any differences in terms of whether one of these platforms was working, was different in how it worked, versus others? Or what were some of the bigger takeaways from the various platforms that you guys were looking at.

CW: So that was actually some of the more interesting parts of the research, right? When you look at it, really the choice, like I mentioned earlier, the choice that these vendors had to make was between security and ease of use. And the way that boils down in a fingerprint world is detail and accuracy. Now imagine you’re a large vendor, and maybe you make a device that somebody carries around with them everyday like a phone, and they’re using it all the time. You know, they go to the gym, lift weights, authenticate on their phone, right? They come in from an office. All day typing at a keyboard, they authenticate to their phone, they go dig a ditch all day long and really rub off a lot of the skin on their hands, and then they want to authenticate to their phone. So what the vendors had to choose from when they were designing these systems was really how picky do they want to be? How many different types of matches do they need to authenticate. And earlier you mentioned a vendor that basically had a very low bar, and you pushed on a plastic phone and it authenticated. And so that is definitely one into the extreme. And I think through our testing, we can safely say Microsoft is on the other end of that extreme. We were not able to fool Microsoft’s technology. It was one of the most secure ones out there, and one of the most picky ones out there. And so I think those are good two ends of the stick.

Now, I think it’s important that everyone realize that fingerprint based authentication, I think we’ve basically proven is not secure. Now, while we were not able to defeat the technology, Microsoft used that does not mean that it’s going to be foolproof for the future. I think as 3D printing technology advances, this is going to continue to get easier and easier. Now, I don’t want that to sound like an alarmist statement. I think for the vast majority of users, this is still a very viable security solution. A great way to think about this is an alarm system on your house. If you have an alarm system on your house, do you really think it’s gonna keep out the world’s best cat burglar? Absolutely not. And that’s why when we talked about threat models earlier, I’m glad that people are thinking about it, because that is incredibly advantageous in this case. What is your threat model? Who is going to get into your phone? Is it going to be your kid? Is it going to be someone if you drop it on the street? Or is it going to be a well funded adversary with hundreds of hours to set up and apply a system to break into your phone? I think for the vast majority of us, that latter case is not a realistic concern.

LO: I also was wondering what would you say are kind of the best mitigations for these manufacturers, in terms of trying to prevent these types of attacks on fingerprint scanners. I mean, obviously, you know, I’m sure that we don’t have like, full insight into what specifically they’re doing. But when you look at the iPhone or the iPad or or Samsung S10 or Huawei or some of the other ones that you guys were testing, is there anything that you could talk a little bit more to in terms of kind of mitigations?

CW: Well, I think one of the best ways to deal with it is to try and figure out user success rate. You know, I’m sure most vendors these days have some sort of diagnostic and metrics built into the devices to track for debugging purposes. And I think biometric authentication attempts and failures is a valid thing to track. And as a vendor, you could use that to help tune your algorithms to figure out, Oh, should we increase the, you know, resolution or the accuracy? Or, you know, or is it in a good place? Right, maybe it’s only working 80% of the time. So we definitely don’t want to make it a little bit more strict, maybe we’re fine. You know, the good news here – And even if you’re going to be the target of, you know, a well funded, adversary or a national security organization – is that the workaround is already built into every single device, right? You know, you just go into your settings menu and you go ahead and set up a password. And if you really want to go the extra mile, go ahead and set up two factor authentication. I believe most vendors support that now, I know definitely when I set up my iPhone and turn it on, I had to go to a different device and get the code and click Yep, that’s me, and then go back to the device I was setting it up on and enter that information. So the workaround is there, right? Biometrics are not an Achille’s heel. Biometrics are something that makes it very, very easy to use. You don’t have to remember a password. You don’t have to enter a password, it makes it very fast and easy. You don’t have to carry anything around with you. And so I think for most users, it’s still perfectly fine. I think our research actually proves that. This is not something that right now today is something you need to worry about the neighbor’s kid doing it they get a hold of your phone. This is like a home security system, right? It’s good enough, it’s gonna keep most people out. Right? If you’re securing trade secrets with it, if you’re securing secrets that you know, a nation state may be after, perhaps you should not be using biometrics, you should be using a complex password with a multi factor authentication system. But you know what, that’s the same advice I would give them before we started this research, right?

LO: Yeah, exactly. It’s like, that’s kind of the typical using several security methods type of recommendation that is probably best for most practices.

CW: Yeah. And I think this proves that. And so that’s one of the things that I liked most about this research is we basically proved that it is not easy for the standard home user to bypass fingerprint based authentication. You know, it’s possible with a large investment of money and a large investment of time, and a lot of trial and error, but it’s not something you’re just going to be able to do in 20 minutes.

LO: Definitely. Well, I also wanted to ask before we wrap up, do you see this changing in the future? Whether it’s because of 3D printing technology growing more prevalent, or because of other reasons? Do you think that there’s going to be any sort of trend of these types of threat models growing more sophisticated? Or is that still to be seen at this point?

CW: I think we will see evolutions in 3D printing technology, especially for home users. We’re going to see new methodologies and new types of machines, which could make this system even weaker. We could see new threats to it and things along those lines. But I still think, very much like home security, right? I mean, if you look at the locks on your house, are they unpickable? Absolutely not, most locks securing homes could be picked inside of five minutes if not bumped open. That said, we still use locks, right? They still provide that minimum bar of security. And I think we all need to be cognizant that that’s what biometric authentication is really providing. It’s a minimum level of security, that if you’re not in a high risk threat model, is fine. It’s just, be aware that there are weaknesses and be aware of what those weaknesses are, and the complexity involved in attacking them. And that’s really why we did this research.

LO: Great. Yeah, definitely. Well, Craig, thank you so much for coming on today to talk a little bit about your research and really biometric security in general. I thought you had some really great points.

CW: No worries. And thanks so much for the invite Lindsey.

LO: Once again, this is Lindsey O’Donnell Welch with Threatpost, joined by Craig Williams with Cisco Talos. Catch us next week on the Threatpost podcast.