It’s possible to trick a smartphone’s fingerprint scanner with just 15 minutes, a regular inkjet printer, and some special ink.
Researchers from Michigan State University have published a paper on a new technique for breaking into smartphones by tricking their fingerprint scanners with an image printed with conductive ink.
The process makes use of products from AgIC, a company that produces conductive inks and special paper (it’s intended for making DIY circuit boards).
The process is fairly simple.
- First, you need a good photo of the target’s fingerprint. This might be lifted off a glass surface. You scan it into the computer and reverse it (so it looks normal again once printed).
- Next, get any normal inkjet printer, and install some AgIC conductive ink cartridges, as well as special AgIC glossy paper.
- Then print the fingerprint onto the paper at the same size as the real fingerprint.
And with that, you’re done! You can use that print to gain access to some smartphones — the researchers (successfully) attempted to break into the Samsung Galaxy S6 and the Huawei Honor 7 for the test.
The researchers close by calling for better checks to be put in place to prevent this kind of spoofing. As increasing numbers of smartphones use fingerprints for ever-more purposes, from unlocking to authorising payments, more users are put at risk of this kind of attack. And unlike passcodes, it’s almost impossible to “hide” your fingerprint: You leave it on everything you touch.
They conclude (emphasis ours):
In summary, we have proposed a simple, fast and effective method to generate 2D fingerprint spoofs that can successfully hack built-in fingerprint authentication in mobile phones. Furthermore, hackers can easily generate a large number of spoofs using fingerprint reconstruction or synthesis techniques which is easier than 2.5D fingerprint spoofs. This experiment further confirms the urgent need for antispoofing techniques for fingerprint recognition systems, especially for mobile devices which are being increasingly used for unlocking the phone and for payment. It should be noted that not all the mobile phones can be hacked using the proposed method. As the phone manufacturers develop better anti-spoofing techniques, the proposed method may not work for the new models of mobile phones. However, it is only a matter of time before hackers develop improved hacking strategies not just for fingerprints, but other biometric traits as well that are being adopted for mobile phones (e.g., face, iris and voice).