Fingerprint authentication is not completely secure.
Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Craig Williams: [00:01:57] Since the fingerprint space became something that the everyday home user was involved in, there's been a lot of fear, uncertainty, and doubt around it.
Dave Bittner: [00:02:06] That's Craig Williams. He's head of Talos Outreach at Cisco. The research we're discussing today is titled, "Fingerprint cloning: Myth or reality?"
Craig Williams: [00:02:17] You know, we've seen lots of reports around people being able to defeat Touch ID, but we haven't really seen any that really laid down all the methodologies and the way that the samples were collected and how long it took and how effective they were across multiple vendors. And so, when we approached this project, the thing that we were wondering is, let's assume a worst case scenario. You know, my team travels all the time going around the world, giving lectures at security conferences. And so we thought, well, what happens if you have a mobile device with you that's secured with a fingerprint-based authentication system, and when you're going through customs, passport control or someone would like your phone for a while?
Dave Bittner: [00:02:55] Hmm.
Craig Williams: [00:02:55] You know, like, is it feasible for that security to be defeated, or do you have nothing to worry about? You know, what actually is the threat model that you should be worried about?
Dave Bittner: [00:03:04] Right. Right. So, how did you get started? Where did you begin?
Craig Williams: [00:03:07] Talos has its fingers in everything. We look at hardware from everyone and anything – anything from a mobile device to, you know, large, expensive medical devices, to very specialized ICS equipment. So, it was very much in our arc of interest. And, you know, I think really one of the main things that drew me to this is, it's not often that we get to do security research that benefits the home user. Right? How often do we get to tell your non-technical friends or your parents or whoever, hey, you know what? You don't need to worry about something.
Dave Bittner: [00:03:40] Mm-hmm.
Craig Williams: [00:03:42] So, when those rare opportunities present themselves, we would like to be there, and we would like to be there with evidence and facts.
Dave Bittner: [00:03:49] Yeah, fair enough. Well, let's go through your process here. How did you begin by sort of taking the lay of the land of the different types of fingerprint technologies that are out there?
Craig Williams: [00:04:01] Well, really, the first thing we did was we looked at the problem space, right? So, you know, at a high level, what is a fingerprint? You know, what are the systems available to duplicate it? And then what are the systems available to replicate it? And then what technologies exist to prevent you from doing that? When you look at it, we're actually to a point – from a technological standpoint – where 3D printing is right on the cusp of making fingerprint-based authentication questionable.
Dave Bittner: [00:04:28] Hmm.
Craig Williams: [00:04:30] And what I mean by that specifically is if you look at a fingerprint just at a physical level, you know, most fingerprint ridges are a couple hundred microns across. For the budget for this project, we didn't want it to be something outrageous, right? And we obviously could have funded it heavily and had amazing results, but we said, you know, what is the average, let's call it motivated but perhaps not nation-state actor's budget going to be. And so we thought a few thousand dollars was in the ballpark, and so we looked at spending about two thousand dollars for the entire project. And so when you look at the printers available to the home user in that space that are the highest resolution possible and really produced the results we want, you end up looking at the 3D printers that basically use IR to cure a medium, and you've got to have a wash station for it, and it prints in layers. You know, not incredibly dissimilar from the filament-based ones I'm sure most people are aware of, but really just a twist on the technology over to using light to effectively cure the material.
Dave Bittner: [00:05:33] Hmm. And that's where you get the precision that you need to be able to reproduce something like a fingerprint.
Craig Williams: [00:05:41] The resolution is actually quite a bit higher. Now, I want to be sure that we pair that with the other reality of this, right? For those of you involved in 3D printing, we all know that what we want to print and what comes out is not always what we would have liked to have come out.
Dave Bittner: [00:05:56] (Laughs)
Craig Williams: [00:05:56] And what I mean by that is often you get, like, a little imperfection. And, you know, if I'm building a plastic toy for the children or, you know, a container – doesn't matter so much. If I'm building, you know, a piece of PPE for a hospital employee to protect their face, like a face shield – doesn't matter if it has a little bump on the side. But if I'm making a mold for a fingerprint, it matters.
Craig Williams: [00:06:20] And so, this is really where a lot of the effort came in. You know, the cost, from just a cost-of-goods perspective, was low, relatively speaking. But from a time-investment standpoint and from an expertise standpoint, it was very high. It took weeks and multiple, multiple, multiple attempts to get good molds to use for this. I think at one point Paul mentioned dozens of attempts. You'll notice if you look at the blog post on Talos Intelligence dot com, we actually have a picture of the bin of rejects. And it's a reasonable size. (Laughs)
Dave Bittner: [00:06:57] Yeah, yeah, absolutely. Well, let's go through the various types of technology that the device manufacturers are using to enable this functionality. What's out there?
Craig Williams: [00:07:09] Well, so, at a really high level, we have the basic fingerprint-scanning technology, right? You just put your finger on a sensor and it magically works. Now, under the covers, there's a lot of different ways that the devices do that. And we iterate through those in the post and discuss how they work. And what I think is really interesting about this is the false sense of security some people had.
Dave Bittner: [00:07:33] Hmm.
Craig Williams: [00:07:33] Now, you know, there's a couple of different kinds of light sensors that people can use, and ultrasonic sensors just to read the ridges. But one of the requirements that a lot of scanners had was a capacitance sensor – right? – to try and detect that real, meaty person behind it that was conductive.
Dave Bittner: [00:07:48] Mm-hmm.
Craig Williams: [00:07:50] And so, through our trial and error, we had to try lots of different materials to make the fake print. So, we 3D printed a mold, and then used that mold to create a print. And that's the process that was incredibly error prone and took a significant amount of trial and error to find the right type of substance to use. And that's where you will notice we had good luck with – I believe it was fabric glue for the mold, and Plasticine for the actual print itself.
Dave Bittner: [00:08:20] Yeah, it's a fascinating process. So I suppose when you're – you're printing a negative of the actual fingerprint, so that when the mold comes out, that represents the real fingerprint.
Craig Williams: [00:08:33] Right. And so, in the case of the capacitance sensor, what we ended up being able to do is basically – I mean, it's Mission Impossible-style – simply put it over our actual finger and then use that to register a read on the device.
Dave Bittner: [00:08:49] Ohhh, interesting. So you still have that meaty goodness of the actual fleshy human that gives the reader what it's looking for.
Craig Williams: [00:08:59] Right. And if you read a lot of papers on biometric security, a lot of people thought that that would have been something that was much more difficult to defeat. And so, I think that's why it's so valuable to do this type of research – not that we think vendors are trying to mislead people, but because they didn't think of testing it like that. You know, it's just like software development, right? You have your software, you have your QA test cases, your test cases pass. You know, you think you've got all the corner cases. But then along comes somebody else with a new idea and all of a sudden they can find issues that perhaps you missed. And this is very much the same thing.
Dave Bittner: [00:09:32] What about the actual collection of the fingerprints themselves? What was involved there?
Craig Williams: [00:09:38] Well, so, that's actually a really fun one. We had a couple of different methods of collection, right? The very first one we wanted to talk about was direct collection. And without picking on any specific vendor, you know, I think lots of people are aware that when, you know, certain mobile devices are prototyped, the employees test them. And they may run around town with them, and perhaps even engage in recreational activities with these mobile devices that may be secured with a biometric-based authentication. And so, you know, for a direct collection case, we wanted to think, well, what happens if someone is, let's say, completely pliable? You can view it as them being willing to help you or them being unconscious and you just grab their finger. So, direct collection of the print and then try to use that. So, that was method one.
Craig Williams: [00:10:27] The second one was really what we envisioned happening during the scenario I mentioned at the beginning – if you're going through customs. And so, customs in a lot of countries will take a fingerprint scan – you know, I think they use that now for Global Entry in the US. And so we thought, well, if you take it using that method, what's possible to build from a reproduction standpoint, using what that's recording? And so that was really our second method.
Craig Williams: [00:10:53] And the third approach was just via a third-party object, right? Find a thing that somebody left behind.
Craig Williams: [00:11:00] And so, I think this is really what's important for people to realize – that from my perspective, the security provided by a fingerprint is not too dissimilar from that provided by, like, a Social Security number, right? It's not secret. It might be unique-ish, but it is not really something that you should rely on for one-hundred-percent security. Instead, I think you can view it as providing good enough security.
Dave Bittner: [00:11:32] Yeah. I mean, my take when Apple came out with Touch ID – I think we saw a lot of people adopting it, using it because it was so easy to use and fast and relatively frictionless. And in my mind, that was the transition – what we captured there, where a lot of people who weren't using any password at all on their phone because it was a pain to put the – you know, the number in. Now, all of a sudden all these people are using something, even if it's not perfect.
Craig Williams: [00:11:59] Well, and that's why I want to make sure that when we discuss this, the way that we frame it is something that everyone walks away with. What we've proven here is that biometric authentication is not perfect, right? It's not a magic bullet. You're not secure from super hackers or, you know, amazing criminals. But very much like a front door lock or a home security system, it meets the threat model for most users. If you're comfortable with an off-the-shelf door lock at Home Depot and you have your computers in your house, you're fine. (Laughs) You know?
Dave Bittner: [00:12:30] Yeah.
Craig Williams: [00:12:30] Alternatively, if you have, you know, let's say things on your phone, intellectual property that you keep locked in a vault – number one, you shouldn't be using biometric security. And number two, you should perhaps go into your settings menu right now and switch over to password-based authentication and turn on multifactor authentication. You know, think of it like using a home security system to defend against a world famous cat burglar or a nation-state. You know, any security system, no matter what you pay, is not going to be a large impediment to those groups, to those well-funded groups. On the other hand, for your typical average everyday person, it's more than adequate. It will keep out criminals, it will secure your device, and the ease of use is through the roof.
Dave Bittner: [00:13:19] Yeah. Now, having gone through this exercise and learning what you all learned, how difficult would it be for you to do this now, knowing what you know?
Craig Williams: [00:13:31] So, the actual process, we understand, we know how to do it. But the trial and error involved in getting usable prints molded and reproduced would still be there. Now, it's possible that if we invested a significant amount of money, this could be streamlined. But I think that the barrier to entry is still high enough that this is not something the everyday user needs to be concerned about.
Craig Williams: [00:13:54] Now, I do want to be transparent here. If you look at our results, there seems to be a very clear choice that was made during the design of these sensors on various manufacturers.
Dave Bittner: [00:14:06] Hmm.
Craig Williams: [00:14:07] Right? So think about the way fingerprints live in this world – well, okay, not today – but like three months ago...
Dave Bittner: [00:14:15] (Laughs)
Craig Williams: [00:14:15] ...Think about the way your fingerprints live. You know, you're at work. You're hitting a keyboard. You go to the gym. You're rubbing off your fingerprints. Maybe after work, you dig a hole. And then all of a sudden you've got to unlock your phone to say, get in your car, right? Maybe you have a Tesla. Well, your fingerprint has been ground off at the gym, ground off digging a hole, you know, potentially rubbed away at work. And so what you have is a reduced quality compared to the one that perhaps you set in the morning when you woke up.
Dave Bittner: [00:14:44] Hmm.
Craig Williams: [00:14:44] And so, what these vendors have to choose from is basically a bar of accuracy versus ease of use. And I think we can all agree that while fingerprint security is important, the main draw of biometrics and the reason that so many people are dependent on it is because it is so easy to use. You know, the first time I have to start scanning my fingerprint three, four, five times to unlock my phone, I'm just going to go back to a password. Because it'll work the first time and it's going to take the same amount of time for me to key in, like, twenty characters, as scan, wait, scan, wait, scan, wait.
Dave Bittner: [00:15:23] You know, one of the things that caught my eye in your blog post here is how much your success was dependent on the mold getting the scale right. Like, that seemed to be a really – one of the sensitive elements here of having success.
Craig Williams: [00:15:39] Absolutely. You know, the mold process itself, I think, is the one that was really the biggest hurdle for us. It is one of those things, though, that people do need to realize – that as 3D printing technology advances, as there are automated ways to produce these, this process will get easier. And so, I think it's important that we realize, you know, think about how old fingerprints are, right? They've been used for identification purposes since – oh, man...
Dave Bittner: [00:16:08] (Laughs) A long time, yeah.
Craig Williams: [00:16:09] ...1920s? You know, the Al Capone-prohibition era. And so, for that to work today, in 2020, is amazing. But I think it's important that we know when this 3D printing and scanning and home manufacturing technology is going to reach a level where this is something that we shouldn't be relying on as much.
Craig Williams: [00:16:34] And so, you know, when I look at our research at a high level, I think the takeaway is simply this – right now, 3D printing technology is vastly improved. Right now, it is possible to defeat most fingerprint-based authentication systems using 3D printing technology available to the home user. It's important to note, however, that it is not easy. It is not something a typical teenager could go grind out in their garage in one afternoon. It will require trial and error. It will require a financial investment. And it will require effort to go do that. And then it will require effort to obtain a fingerprint that's been enrolled on the device.
Craig Williams: [00:17:15] So it's not easy. For most users, fingerprint-based authentication is still perfectly viable from a security standpoint. However, if you have valuable intellectual property on your device that a motivated criminal may want to obtain, you should not be using fingerprint-based authentication at this point. You should be looking at using passwords in accordance with best practices with multifactor authentication.
Dave Bittner: [00:17:45] That's Craig Williams from Cisco Talos. The research we discussed today was titled, "Fingerprint cloning: Myth or reality?" We'll have a link in the show notes.
Dave Bittner: [00:18:11] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team working from home is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.