How to beat a fingerprint scanner
3-D printed hands expose security vulnerability
Some of the fingerprint scanners that protect cellphones, banks and even border crossings can be tricked by new technology that prints wearable hands with detailed fingerprints.
Researchers wanted to test the quality of fingerprint readers and needed a way to standardize their evaluation. So they created a 3D-printed hand with fingerprints that they could slip on like a glove. But the team quickly realized that their pioneering technology could go awry if it got into the wrong hands.
“As a byproduct of this research, we realized a fake 3-D hand, essentially a spoof with someone’s fingerprints, could potentially allow a crook to steal the person’s identity to break into a vault, contaminate a crime scene or enter the country illegally,” Michigan State engineer Anil Jain, lead author of a report about the printing method, said in a press release.
2-D hand replicas have been used to test fingerprint scanners, but the 3-D version is more accurate. It’s made of a polymer that has similar strength and elasticity to skin, so the material and 3-D design more closely mirror the behavior of real skin. Using the same model repeatedly also allows researchers to precisely compare the metrics of each scanner and determine which is best, Jain said. Eventually, calibration could be carried out by robots with 3-D printed hands, testing machines faster and with standardized pressure each time.
3-D hands don’t pose too grave a security risk yet because they’re difficult to create. The research team went through an obstacle course of challenges during the study, which was funded by the National Institute of Standards and Technology.
They had to determine which material ideally mimicked skin and had the perfect thickness (too thin and it would crack, too thick and it didn’t fit). They had to find a tool to clean the printer’s debris from the fingerprint’s ridges and how to support the printing of a hollow, delicate object. In the end, they printed the base and each finger separately before attaching them. The process was also expensive — the high-resolution printer that the team used cost $250,000.
Another hurdle for crooks is that in some scanning situations, like border crossings, a 3D- printed glove wouldn’t escape the notice of security personnel. However, for situations without a human guard, like when unlocking an iPhone, the security threat is much more realistic.
Jain hopes to highlight the security loophole to manufacturers of scanners, so they can upgrade their technology. Designers and manufacturers could explore the optical characteristics of skin compared to 3D-printed materials to create a safety mechanism. Or they could develop a way for machines to compare the color of skin to polymers, which have limited colors, Jain said.
The relationship between scientists and hackers is like a cat and mouse, Jain said by phone, with each racing to outsmart the other. For now, though, the scientists seem to be on top.
“The novelty of the approach and the novelty of the solution are most important to us,” Jain said. “And this research is a lot of fun.”