11

With such a big deal being made about the iPhone 5S's fingerprint reader (and formerly the Thinkpads' fingerprint readers) I really wonder how secure it is to use fingerprints in lieu of passwords.

If you can dust and photograph a roommate's or coworker's fingerprint off a coffee cup or desk surface or keyboard and then apply that to the surface of a 3D finger shape, assuming it is from the correct finger, it should be easy to use a 3D printer to create a fake finger with a good print on it to use in unlocking an iPhone, a Thinkpad, or even getting into a gym (my local gym has a fingerprint scanner).

AviD
Flan
  • 1
    Didn't Mythbusters successfully test a Gummi Bear hack a while ago? Perhaps fingerprint reader tech has evolved past that by now, though. – Iszi Sep 11 '13 at 03:55
  • 1
    [Turns out](http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid) that iPhone 5S uses **little or none** of the anti-spoofing techniques it should. Not surprising on a compact consumer device; but it makes you wonder about Apple's motives in selling the gimped feature in the first place. – LateralFractal Sep 23 '13 at 00:14
  • 2
    @LateralFractal they get to pack a few more buzzwords into their marketing material. – Sammitch Sep 24 '13 at 23:08

3 Answers

9

Vendors of fingerprint scanners usually prefer security-through-obscurity, so open specifications of the hardware module ("TouchID" in this case) are unlikely to be available. Apple's firmware secrecy doesn't help.

But we can speculate on common features of (good) fingerprint scanners:

  • Capacitive touch where a human finger's natural electric conductivity is measured.
  • Infrared heat as a human finger is both warm-blooded and will dissipate heat in a fairly predictable pattern upon a colder surface.
  • A pressure gradient on initial touch as human finger-pads are soft and compressive rather than hard and unyielding.
  • Spectrophotometry (a form of remote sensing) as a human finger will have different spectral properties from latex, foam or PVC. This can include both the visible colour of a finger (as recorded for that human owner) and other electromagnetic waves within the sensor's bandwidth
  • Heartbeat sensing to detect a live finger

No current generation of 3D printers could handle this.

A future organic printer could grow and customise a human finger on the back of a suitable warm-blooded synthetic organism (or perhaps just a mouse). But by the time this technology was mature, spot-contact DNA sensors will probably be mainstream. Eventually the three common factors of authentication (knowledge, possession and physical being) will start to merge together; at least logistically.

Rory Alsop
LateralFractal
  • 2
    While there is no 3D printer that can do this, it is well within reason that an attacker can build a fake finger that will match these requirements and can have a fake fingerprint applied. – Rory Alsop Sep 11 '13 at 12:09
  • Fingerprint scanners that check all 5 anti-spoof measures are probably uncommon and very expensive; but I'd love to know of any fake finger fabrication that could spoof all 5. From what I recall of spectrophotometry - that would be hardest to spoof if the sensor included infra-red, millimetre waves, or x-ray backscatter. – LateralFractal Sep 11 '13 at 13:03
  • Generally, the top ones have capacitive, infrared and heartbeat - but all of the above are used. Don't think I have seen all 5 in a single device either. – Rory Alsop Sep 11 '13 at 14:28
  • Are you aware of any attempt to machine new ridges on a real, live finger using a CNC mill? The precision required seems well within their capabilities and little depth is required, meaning it should not really hurt that much. – Bruno Rohée Sep 12 '13 at 15:00
9

The iPhone 5S scanner was successfully fooled with a low-tech approach that has been known for a decade. The CCC published a plastic film with the fingerprint of the German Minister of the Interior a couple of years ago. It was taken from a glass of beer.

The thin plastic film is put on a real finger, so that body temperature and a heartbeat are detected. Breathing on the film supplies it with a tiny bit of moisture.

The recent successful attack on the iPhone 5S, however, uses a scan of the iPhone's own touch-screen as source for the fingerprint. This scan is then printed out and enhanced using wood-glue before the film is created.

Heise published an article and video of the successful attack on the iPhone 5S. (Watching the video gives a general impression, even if you don't understand the German language).

LateralFractal
Hendrik Brummermann
  • From the parameters of the attack, if I had to guess, I'd say the iPhone 5S fingerprint scanner uses these anti-spoof features: Capacitive touch (moisture); heartbeat sensor; and (fairly inadequate) temperature gradient detection. As for iPhones being [oleophobic](http://en.wikipedia.org/wiki/Lipophobicity) and thus unable to lift fingerprints from the phone itself - any attacker willing to create a plastic fingerprint could also spray your phone with a compound that temporarily or permanently overrides the oleophobic property; presumably if the phone is unattended for 5 seconds. – LateralFractal Sep 25 '13 at 22:48
  • → Hendrik: this technique has been known since much more than a decade ago. The film "Gattaca" from Andrew Niccol, 1997, is pretty well documented on this particular technique: making a thin plastic film of stolen fingerprints to fool image, capacity and temperature sensors. When I saw this film, I had already seen this technique realised many years before and I told myself that this guy was doing here an outstandingly well documented science fiction movie. – dan Sep 27 '13 at 12:10
  • @danielAzuelos: James Bond used a similar technique in "Diamonds Are Forever" (1971). – MrWhite Jan 03 '14 at 13:32
2

If you can do this, you can also set up a camera and record them typing their password. Ideally the fingerprint should be used in addition to a password, not in replacement for it. Ultimately convenience generally wins out though. A fingerprint swipe is still more secure than simply having it set to "swipe to unlock".

AJ Henderson