Assume that:

  • I have submitted my fingerprints to a scanner at an office building for "security clearance" at the gate.

  • The scanner was feeding the fingerprint data to a malicious third party that installed / modified said scanner/attached computer with the purpose of acquiring fingerprint data.

  • This third party attempts to reproduce the fingerprint (using a 3-D printer, rubber/silicone molding, etc.).

  • This mold is then used to fake my fingerprints / fool other security devices elsewhere.

Assume the scanner and/or the computer running the scan are compromised.

Is the scenario above feasible, or is it just tinfoil?

Mindwin
  • If the fingerprint sensor sent the data in the clear it would be way easier, but that would be stupid. If it used TLS 1.2 and other encryption techniques all they would see is random data. – cybernard Oct 04 '16 at 02:58
  • @cybernard assume the scanner/computer running the scan is compromised. – Mindwin Oct 04 '16 at 12:30
  • Unless the system asks you to scan all your fingers, you can probably argue the print of a single finger whose image is stored in other systems is just circumstantial. – billc.cn Oct 04 '16 at 13:52
  • The reader I bought in 2001 scanned IR as well as visible, so rubber fingers wouldn't work... – dandavis Oct 04 '16 at 17:47
  • @dandavis keep the rubber finger heated to 38C in a container until you use it. Or use a thin film over a real finger. – Mindwin Oct 04 '16 at 17:59
  • @Mindwin: the scanner actually picked up on sub-dermal veins and other 2D thermal features; even cutting off the real finger and re-heating would not work. – dandavis Oct 04 '16 at 18:06
  • @dandavis: Whatever happened to that system, it didn't really seem to take off and now seems to have disappeared. – Julian Knight Oct 04 '16 at 21:46
  • @JulianKnight: I don't know. I can't even remember what it was called. It was consumer-faced retail for about $75 in 2001. I stopped using it because I couldn't get it to work on anything but win2000's login.... – dandavis Oct 04 '16 at 21:49

1 Answer

It depends on the type of data the sensor returns.

Some sensors parse the image on the device itself and only output interesting points that are actually used by the system to identify you. In that case there is not enough information to recreate a full fingerprint. You may be able to fool the same kind of system with that partial info (assuming the reader you're trying to go through will identify the user based on the same points), but a different system that uses other parts of the fingerprint will fail as you don't have those on your partial fingerprint.

Other sensors output a full bitmap image of the fingerprint, like a picture. In this case, yes, it can be used to create a fingerprint if the image is intercepted.

But again, why go through all the trouble to compromise a fingerprint sensor if anyone can simply pull your fingerprints from the door handle?

André Borie
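
An added illustration of the answer's distinction between a sensor that outputs only feature points and one that outputs the full image. It is not part of the original answer: the ridge skeletons are constructed sample data, and the template is simplified to position and type (real templates usually also carry a ridge angle). It uses the standard crossing-number method and shows two different ridge images producing the same point list.

```python
# Added illustration (constructed data): crossing-number minutiae extraction
# on a thinned, one-pixel-wide ridge skeleton. '#' = ridge, '.' = background.
SKELETON_A = [
    ".........",
    ".......#.",
    "......#..",
    ".....#...",
    ".####....",
    ".....#...",
    "......#..",
    ".......#.",
    ".........",
]
# Same ridge endpoints and fork, but the upper branch follows another path.
SKELETON_B = SKELETON_A[:1] + [
    "......##.",
    ".....#...",
    ".....#...",
] + SKELETON_A[4:]

# 8 neighbours in circular order (E, NE, N, NW, W, SW, S, SE) as (drow, dcol).
RING = [(0, 1), (-1, 1), (-1, 0), (-1, -1), (0, -1), (1, -1), (1, 0), (1, 1)]

def extract_minutiae(skeleton):
    """Return [(row, col, kind)]: the point list a feature-only sensor would output."""
    h, w = len(skeleton), len(skeleton[0])

    def px(r, c):  # pixels outside the image count as background
        return 1 if 0 <= r < h and 0 <= c < w and skeleton[r][c] == "#" else 0

    found = []
    for r in range(h):
        for c in range(w):
            if not px(r, c):
                continue
            ring = [px(r + dr, c + dc) for dr, dc in RING]
            # Crossing number: half the count of 0/1 transitions around the ring.
            cn = sum(abs(ring[i] - ring[(i + 1) % 8]) for i in range(8)) // 2
            if cn == 1:
                found.append((r, c, "ending"))
            elif cn == 3:
                found.append((r, c, "bifurcation"))
    return found

if __name__ == "__main__":
    for name, img in (("A", SKELETON_A), ("B", SKELETON_B)):
        print(name, extract_minutiae(img))
```

Both skeletons yield the same four points, so the point list alone does not determine which ridge image it came from, whereas a sensor that outputs the bitmap hands over the image itself.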