Biometric authentication techniques have gained momentum over the past few years due to the inherent vulnerability of PINs, passwords, and other similar verification methods. However, researchers have shared how a simple fingerprint hacking technique can render biometric authentication useless as a verification method.
Hacking Fingerprint To Trick Biometric Authentication
Security researchers from the Kraken Security Labs team have shared a fingerprint hacking trick that threatens biometric authentication methods.
As elaborated in their blog post, the attack involves using easily obtainable equipment that can be picked up for around $5.
Specifically, all an attacker needs is a photograph of someone’s fingerprint to reproduce digitally. Because people leave fingerprints on many surfaces, such as furniture, device surfaces, and much more, anyone can copy the target individual’s fingerprint from any surface.
After taking a photograph, the adversary can digitally recreate the fingerprint via any software, such as Adobe Photoshop.
Once done, the attacker then needs to print out the digital fingerprint on an acetate sheet. A simple laser printer can serve that purpose. This will yield a 3D model of the target fingerprint.
Then, spreading wood glue on the print and letting it dry will result in the ready-to-scan duplicate fingerprint.
Now, the attacker can use this hardened glue structure to bluff devices with the fake fingerprint of the target individual. Simply placing the glue piece with the printed side facing the fingerprint scanner will do the trick.
This video demonstrates the attack in action.
Commenting on the success of this strategy, researchers said:
“We were able to perform this well-known attack on the majority of devices our team had available for testing. Had this been a real attack, we would have had access to a vast range of sensitive information.”
Given this severe vulnerability of fingerprints, the researchers advise using fingerprints for 2FA purposes only. Users should avoid setting up fingerprint scans as password alternatives for any device.
Alternatively, users may also wish to adopt passwordless authentication methods as primary logins to avoid using passwords.