
High Speed Fingerprint Cloning: Myth or Reality?

BSides Porto · 2020 · 37:28 · 62 views · Published 2020-11
About this talk
Vitor Ventura and Paul Rascagnères demonstrate practical fingerprint-cloning attacks against capacitive, active capacitive, optical, and ultrasonic fingerprint sensors on smartphones, laptops, and embedded devices using budget-friendly methods under $2,000. They evaluate real-world threat scenarios, comparing direct collection, optimization, and 3D-printed mold techniques, and conclude fingerprint authentication remains adequate for general users but inadequate against sophisticated adversaries.
Original YouTube description
Talk presented at the 2020 edition of Security BSidesPorto.
Transcript [en]

and next talk will be performed by an experienced duo it's vitor ventura and paul rascagnères that will hold you by the tip of your fingers vitor works today as cisco talos security researcher and threat center in the past he was a regional manager at ibm x-force iris europe and helped several companies dealing with infections not like foreign but like wannacry and notpetya on the other finger we have paul who also works at talos the cisco threat intelligence and research organization paul is also focused on investigating and identifying new threats mainly on malware and advanced persistent threat campaigns today they are going to talk about fingerprint scanners and related issues with you vitor and paul

hello good afternoon everyone can you hear me yes okay let me share my screen

so yeah it works you can listen to me yeah yeah perfect so hi everyone uh we are here to speak about fingerprint cloning myth or reality so as i was already introduced my name is paul rascagnères and i'm security researcher for cisco talos i'm located in france and historically i'm mainly interested in apt and such as i work on wannacry notpetya olympic destroyer this kind of topic and uh besides that i'm really really into 3d printing and we will see it's uh it's relevant for this specific uh presentation where we will use a 3d printer on a really uncommon way hi i'm vitor i was already introduced also so i'll just i'm located in lisbon and

yeah i've been with talos doing research for a while now so uh moving on to our agenda and we'll start by talking a little bit about the background about the the evolution of the several kinds of sensors and what kind of sensors do we have for the fingerprint and then we will go into our research so we'll start by explaining the threat model and then we'll share our process which is uh divided in three main categories collection optimization and creation and then we'll explain our results and finally we'll do the the wrap up so about the state of the art so uh fingerprint authentication it has been around for a long time but it really began to be

more widely used when apple introduced it with touch id back in 2013 and and it was also that same year that it was defeated at the ccc conference so all through the years it has already been adopted by several companies on several different devices another good example was in the samsung s10 had their fingerprint authentication defeated by a simple silicon cover and more recently there was another presentation at a conference where they actually tried to they the researchers broke it online during the presentation tone two different three different phones however they did not show their process and we were already doing this our research when we just when we saw this and we thought okay

maybe our presentation is pretty much done we don't need to do this anymore but then again we thought well maybe we should do it and show how it's done because that is something that was not explained and that's why we we keep on going with it there's another another big aspect is that we didn't want just to focus on the technical side we wanted to show what are the threat models behind it and does it make sense for us to be worried about it or not so now about the kinds of sensors the there are three major kinds of sensors the capacitive ones where your fingerprint is basically read because the capacitor is created between

the the reader and your finger so the ridges on your finger will be the lines on the fingerprint and the valleys will be the the white parts and this pretty much reads the the the electrical capacities capacitance in your body then we have the active capacitive sensor which is the same principle but instead of using the natural electricity in our bodies the sensor will have a ring around around it that will emit the signal that will go through the finger into the the sensor reader so it's the same kind of technology but there's an emission by the sensor itself the optical one is actually one of the oldest ones where as you can imagine there's a light

source that will reflect on on our finger and then it will the image will be read by the sensor these ones were pretty much abandoned for a while but now because there is some the need for frameless mobile phones they're back because then these kind of sensors can be put behind the display unlike the capacitive ones where you need to have a dedicated space on the phone in order to put the reader the same thing for the ultrasonic ultrasonic there's ultrasonic pulse that is emitted it will echo on your on our fingers and it will be read uh by the the receiver again this also can be put behind the display not like the capacitive ones so

these are the three main sensor types that there are around here so now about our process when we started the process we wanted to make this as real-life approachable as possible and for that we decided to define three different kind of scenario kind of scenarios for the for the process but not only the different scenarios each scenario would have to be tied to a collection method so first is the direct collection method someone just reads takes the fingerprint directly from our finger it's it's something that can happen of course then you have the sensor one in this one you can imagine when you go through an airport and you give your fingerprints just to be registered

in this case your fingerprints are being read by the sensor and this may be an acquisition uh form and finally by a third party collection so you you are drinking something you leave your glass behind and someone will pick that up and collect the fingerprints from this this this object so these are the three different collection methods that we tied to different threat scenarios so after the collection there's an optimization stage so if each different kind of collection has its strengths and its vulnerabilities and for that we actually need to have an optimization uh component where we enhance or optimize the data that was collected and finally there's the creation so we collect the the fingerprint we

need to optimize it depending on how it was collected and finally it needs to be then it will be the fingerprint will be created so and now i'll pass you to paul to explain to you the the collection methods yeah so let's speak about the collection the first one is uh direct collection for for this case study i decided to use plastiline which is a fake clay if you wish it react to warm so you have a heat pistol on the right and when the plastiline is hot it becomes soft and you can take make a mold of of the model you wish in my case it's my my finger and that's how i create a mold

for direct collection the next one yeah it's optical sensor collection so for for this collection i decided to use the cheapest sensor i found on on the internet so this uh optical sensor cost less than 20 euros the quality is pretty bad if you look at the picture on the right but i was surprised but it was good enough for for our test and i was able to use this kind of really small picture by doing some optimization we will see later and the next collection is third-party collection in this case i decided to take a picture of a fingerprint on the glass in this case it's it's not my finger because i don't want to lick my finger

when you will see this kind of picture it's uh the palm of my hand and not my finger so but the the process is exactly the same and it's simply for illustration so let's speak about optimization because once i have the data i need to make a few work to have something exploitable if i work on pictures typically if i take the cheap fingerprint sensor i used [Music] the resolution of the square when you put where you put the finger is very low and i on my finger are big i don't know but i cannot have my finger in a unique photo i need to take a couple of image and merge the image together as

you can see in this picture in this example for example it's al capone fingerprint so the document is directly on the fbi website and i use it as an example to something for avoiding leaking my own fingerprint but it works exactly the same way with my finger another photo optimization if i take the third party collection i need to increase the contrast so first step i use black powder it's a graphite in my case to have this thin black line and i take a picture increase the contrast and switch in black and white to have this kind of black and white high contrast image on the bottom right and once i have this image i need to use

this image to create a mold so we don't directly create the fingerprint uh we create a mold with 3d printer and we use this mold to generate to to create the fake fingerprint in this screenshot you can see the picture and the 3d model of the fingerprint so i create a negative of the fingerprint directly in 3d next so the creation itself i'm sure you are not really familiar with 3d printer and especially resin 3d printer so in in my case i didn't use a filament 3d printer the most common 3d printer you can you can see because the resolution is not good enough you cannot print something smaller than 0.1 millimeters it's not possible

it's not supported so i had to deal with a resin 3d printer first so i create a mold here you can see an example of mold with the fingerprint negative on it yeah here is the creation on 3d software so you have a empty mold in the middle of the screenshot and on the left you can see the al capone uh alpha black and white image and i apply the black and white black and white image on the mold and it creates the fingerprint based on the level of gray and level of white of the initial picture so that's how i create the fake the mold for the fake fingerprint so when you see the video it's very

straightforward and it's really easy but one of the biggest problem was the size to have exactly the good size but just to give you an idea we will speak about the issue after

yeah so i use a domestic uv lid printer the resolution of my printer is 25 micron and in fact it's good enough for fingerprint readers if you take fingerprint readers it's 500 microns wide and 20 50 microns deep so the resolution of a domestic 3d printer is okay we have a limited budget so it's not a crazy expensive printer our global budget was lower than 2000 euros so it's something okayish in term of par or off price the next step once you have the mold is to cast material inside of the mold to create the fingerprint so my first idea was to use silicone because it's very very standard stuff you use silicone for in my mind at least it was the

perfect stuff we will see we had a lot of issues with uh with material and particularly due to some sensor another big issue we have is the size we need to have the exact size if the mold is i don't know five microns too big it failed the fingerprint is not the same and the phone would say it's not a good fingerprint so it cost me a lot of time months of work to have the perfect size and to make stuff more complicated resin objects once you print it are toxic you cannot use a resin printed object immediately after printing you need to cure it in a uv chamber the problem is uv generate retraction on object so if you

work on a figurine or stuff like that you don't care because the retraction is relatively small it's like half millimeters but if you play with a fingerprint mold half millimeter is too much you complete you have the wrong size and it doesn't work so i had to spend a lot of time on uh the curing process to have exactly the same time each time and then i i have to be careful be very careful to do the stuff exactly the same each time not five seconds more not five seconds less because it changed all my value so that's my printer on the left you can see just from just after printing i've got seven molds

and on the right you can see i remove the mold from from the bed basically and yeah i said to you i had to make a lot of attempts you can see a couple of attempts so it's a mold that fades and [Music] feed material like you can see silicone and stuff like that all this stuff have failed so it's more than 50 bad molds in in the box on the right you can see the uv chamber i mentioned to the chamber when i have to cure my object to be safe so the filling material once i have the mold i need to fill material and wait and have the fingerprint as i said my first idea was silicone

because it's natural in my mind at least but the problem is a capacitive sensor work on conductivity and silicone is uh insulant you cannot put electricity through silicone it doesn't work and the point is even if the fingerprint is good the sensor will never switch on and the authentication don't even start so we have to think a little bit differently and my first idea was okay i got graphite powder i got aluminium powder maybe i can mix this powder with a silicone and make some weird stuff like that i try it was a mess and it doesn't work it's not conductive enough so finally the winner is this thing so textile glue fabric glue and in fact i found it on the room of my

children and i tried it because i was hopeless and the point is if you make a really thin layer of fabric glue like super thin it's good enough to create fake fingerprint but you can put behind the fake fingerprint a real finger with a good conductivity and with this trick you have a fake fingerprint and it reacts as a real finger so it's a win so yeah now i speak a lot about how i did my work and let's see the results and and a few images of unlocked devices the most funnier part okay so when we started to do the test we wanted to do as many as possible on different on the variety of devices not only on

the variety of devices but also on the operating systems so we used embedded systems should we used phones we used a padlock we used a laptop because we wanted to know how would this how would be different if you use a sensor because the whole stack goes from the sensor until the operating system so there's a lot of components there that can change so we wanted to test as many as possible on different kinds of sensors different kinds of devices different kinds of operating systems so we started to by testing a samsung in this case you might notice that paul is using a glove and it still worked why because this is a samsung s10 and

they use a ultrasonic sensor and for the ultrasonic sensors you don't actually need conductivities the rest of the devices as you've been seeing they are all using active uh capacitive devices so you need to put a finger behind the face operating the fake fingerprint and in order for it to activate and you might notice on this one uh a ring around it let me just yeah there's a ring around the reader and this is where the signal is sent into your into our finger back into the the reader the same happens with the previous device if you notice it here there's also a ring around it so we tested all of these devices and pretty much

all of them were we were able to open with a few exceptions that we will talk further on on our on our talk so this is a simple ch table or of our results so obviously the direct collection method it's pretty much almost always this the better one and this is because this is the where we get the fingerprint with the best quality so it would be just normal that we have the best results with it there are a couple of outliers here so for the samsung a70 we were never able to defeat it but in reality even with the real finger most of the times doesn't work so yeah it's not we cannot take it into

account and for the windows based ones we were also unable to to defeat them the same happened with the with the thumb drives which also have a very specific grade of of authentication for the rest we pretty much were able to were able to defeat them uh the the touch id pretty much uses the same kind of stack operating system sensor and and database so it's it's the results were more or less always the same uh the same thing in the samsung it's different because they use the the samsung s10 and the samsung note 9 they use different kinds of sensors so again here there is some difference in in the stack even though the operating system is the same

so for the wrap-up yep so we as i said just before we have a low budget so less than 2000 us dollars so we were not able to buy like a 10 000 medical printer and stuff like that so it was really used by limited by budget uh of course for the direct collection there is no limitation because you have the finger of the people you take a copy you have the perfect size and and and yeah it it works uh which is not the case for for the other uh approach yeah next yeah so we there is a couple of stuff that could solve our issue and the first thing is to have a in my case i was not able to

to have in fact if you think about 3d size does not exist uh if you create a 3d characters it doesn't really have a physical size you only have a digital size if you wish and it's if you take uh industrial 3d software normally they speak about millimeters and not really go in microns because we don't really create micron size product that at least not the software i have access so something that could help is to have a software that is able to speak in microns and not only in millimeters and another thing is maybe to be able to measure microns because in my case uh with my eyes i'm not able i cannot see if it's one microns too big or too

large or it's not possible so maybe with something that is able to to measure in microns i will win a lot of time and and be more efficient another thing is the resin we use need to be cured in a uv chamber maybe there is a alternative material that doesn't need to be cured and we don't have this retraction so maybe there is a better material i simply don't have access and it's not compatible with my printer yeah another thing is a windows operating system we were not able to unlock windows laptop for example so why why we cannot unlock this kind of devices so we don't have the absolute answer because we don't work for microsoft

but we have a couple of ideas about that the first one is when you think about fingerprint authentication it's simply a question of threshold you put your finger on the on the sensor and it take a couple of points and decide if it's your finger or not and it's the developers need to take a decision on point if you put if you check too much point on your finger the problem is if your hand are done if your finger are dirty or wet or whatever it won't detect your finger because it will say oh it's too different it's not what i think but in the opposite if it's if you don't check enough point a finger that looks like a

little bit your finger can unlock your device so you need to think you need to decide how many point i want to [Music] decide it's the same finger and maybe microsoft puts the threshold higher than phone like android or apple or whatever and the point is when you use mobile you unlock your phone i don't know 20 or 50 times per day so you put your finger you unlock it check and message and that's all and having too much false positive it's maybe frustrating for user if you have to switch back to pin every 10 minutes maybe you will be really pissed and maybe for laptop it's not so uh annoying maybe you we are most used to enter password

on your laptop so if it doesn't work and switch back to to the password you don't really care because it's normal life and you don't unlock your computer each 10 minutes i think at least i don't do that next so yeah that's that's maybe uh the reason why it it it's so hard on windows the number of points mandatory to unlock and the fact that it's less important if you have to hold back to passwords than on mobile so mitigation there is a couple of things you can editor can improve for example on apple devices we are limited to five attempts if we fail five times we have to enter a pin the pin which is a good

approach in my opinion if you take samsung devices you have 50 attempts so that's 10 times more so i can try 50 fake fingerprint and if one works it's good enough if you take honor device it's probably unlimited i tried 70 times and i gave up because it's freaking long the only limitation on android devices is after each five attempts you need to wait 30 seconds so it's five attempts you wait 30 seconds 5 attempts 30 seconds etc but you can do 50 attempts finally on samsung devices and probably unlimited attempts on honor device

so having uh some conclusions now so the reason why we wanted to we we had a limited budget was that we wanted to make this we wanted to know if this could be done by the average person at home and that's why we we we impose ourselves this kind of of budget of such a low budget and and the point was if that together with the threat scenarios our goal was is are our fingerprint authentication methods good enough for the general public and because if if one needs to defend against uh state state-sponsored agencies or or state-sponsored threat act threat actors then it's a completely different um scenario that we need to deal with so

what we need to think is for the average person with a low budget is this is this possible well in our view fingerprint authentication is good enough for the majority of the people if you lose if you are worried about losing your phone and someone will be able to unlock it well that's not something that you need to worry about having a fingerprint authentication there because you need to think that whoever finds it need to get your fingerprint needs to be able to do all those attempts you need to have a printer needs to to do with all the the problems that we had and that took months and several uh samples uh several molds done so it's not something that

you can do just overnight to unlock the phone however if you are worried about some agency if you're worried about coverage pioneers if you're worried if your threat model is a lot more complex than this one then of course fingerprint authentication is not the way to go you need you should use a strong password a strong pin with two-factor authentication not sms based all that kind of stuff so you really need to think about what's your what's your threat model as we said and the reason behind that is that it's it's complex it's a time-consuming process it's not something that you can just do overnight and that's uh that's that's why you you need to you

need to distinguish both both scenarios of course there are a lot of news about um fingerprint databases being lost being hacked being leaked that may increase your your exposure but still you need to think who what is your threat scenario and who might want your information so yeah again it should be considered safe however there's a big constraint here this was first introduced in 2013. over seven years the usage has been massified however the security of the fingerprint technology itself it has not improved even with the new kinds of sensors it has not improved and it was broken in 2013 and the new sensors have been broken now and have been broken pretty much all of them have been broken before so

it's the the point here is that it the exposure to the fingerprint authentication is is increased but it's security it's not has not increased as the adoption and if if if something happened it was actually the opposite because the thing the the 3d printing technology has evolved a lot since then and it's widely available so it's there's no there's no evolution in terms of security for the fingerprint technology but still you need to think that this needs to put into your your your threat model always um one thing that we i we didn't mention paul mentioned that we used molds why didn't we use direct printing so there's there are a couple of of points to that first

direct printing it's so the resin when you print it directly you can actually print the with the definition enough for to create a fingerprint but it it's it's breakable so once you put it on top on top of your phone and you want to press it it will break so again that's a problem the other problem with resin is that the conduct the the conductiveness that you need for the active capacitive sensors of course there might be other resins that are a little more flexible or that are a little more conductible but again we had these limitations and we couldn't just start and go and buy all kinds of resins so there was this this purpose of being

limited and so the there is no ultimate approach there are ways that that can be improved there are some methods that can uh help to improve the process i'm sure that a lot of people will pick this presentation this presentation and just try to improve some some some stuff and but still in this case what we wanted to show is that we wanted to show the process we wanted to show how we did it and we wanted to put it in a real life context that was really important to us it's not just say it's possible and that we can do it it's say how how is it possible and how did we do it and what's at stake

here in terms of of improvements of course as paul mentioned if we had some kind of microscope that would allow us to compare visually the the the the the fake fingerprint and the real picture that would help uh another way that eventually may have may may be possible is the usage of instead of using a mold and a casting material using engraving techniques so just engrave uh the fingerprint into some kind of material still we don't know if it's if if it's possible what would be the results or even if there is some kind of high precision laser engraving machine within this kind of budget because if we expand the budget then everything is possible it's just a

question of money and for instance buying a medical thing a medical 3d printer the third improvement is the scripting language so paul mentioned that there were problems with size so if we had if we did this the translation from the image into the mold through a scripting language that is attached to the software that allows us to do this without having problems with with the size that would help actually i know that that paul is working on that right now maybe we'll have some news in the in the future we don't know but there is there are some some of these tools that actually allow the use of scripting language um to work the 3d modelings and mappings

and that's it for our presentation now we are open to questions so thank you thank you vitor and paul for your talk always good to see our risky some behaviors and some actions that we take as normal and secure it can be we have at least one question which biometric solution if any will be a better alternative your opinion sure well they all have uh good and positive sides and they all have negative sides i would say that it really depends again it goes against your threat model and what what you are worried about of course face id have been more or less defeated iris iris recognition has been defeated so it really goes against your threat

modeling and and watch you what you what you are worried about at the end of the day if you are worried about any of those if you are worried enough to actually need to use the most secure one then go with the strong pin and the two-factor authentication which is not sms based yes somehow i agree even but seeing the the the last attacks that uh appeared this week and last week like google with second factor authentication not be needed to to disable second factor authentication so sometimes even second factor authentication or even the other attack on on on twitter perhaps even not only the the factor authentication or at least like we know them today probably mixing

multiple factor authentications and multi biometric authentications could be could be the solution by now and let me see i think no more questions i think everyone run away to disable their fingerprint options on them just for information i use fingerprint authentication okay so me too i was i was also asking that to you later so glad to to see your answers with you yeah it's it's a question of threat models and and it depends where you live if maybe in some country it's more tricky than some other countries and it depends of a lot of factors but for me in my case i use fingerprints for my phone okay i can say that that here in

portugal as the security hence your country you can you can use fingerprints normally okay thank you for your presentation
