To understand how they conducted these attacks, we need to look at a number of steps involved. Firstly is the collection of the fingerprints themselves which were done in multiple ways depending on different situations:
- Direct collection in the scenario where the victim has no control over their body and their fingerprint can be taken from them without their consent.
- Using a sensor that is found normally at airports when checking into immigration or during the boarding process.
- Lifting the fingerprint from an object the victim touched. For example, one could use a glass someone laid their hands on to extract the fingerprint.
Once collected, the fingerprint is used to create a mold with the help of a 3D printer which is then finally cast on a variety of materials with the handiest being silicon and fabric glue.
Yet the process was by no means easy. For example, elaborating on one of the issues faced, the researchers from Cisco Talos stated how:
..the resin used by a 3-D printer needs to be cured after the printing. The curing is mandatory to make the object solid and remove the toxicity of the resin.
…Due to this parameter, we need to print more than 50 molds, create a fake fingerprint with them and compare the results and sizes with a fingerprint sensor in order to have a valid mold and, by consequence, a valid fake fingerprint.
Here’s how it works:
The devices compromised included the following:
- Apple iPhone 8,
- Samsung S10,
- Samsung Note 9,
- Huawei P30 Lite,
- MacBook Pro 2018,
- iPad 5th Gen,
- Samsung Note 9,
- Honor 7X,
- AICase Padlock.
However, some resisted too:
- Samsung A70 – the researchers mention though that it also had a lower authentication rate for real fingerprints too as compared to other devices.
- Lexar Jumpdrive Fingerprint F35.
- Verbatim Fingerprint Secure.
In addition to this, all Microsoft Windows and Windows Hello based sensors were also found to be safe, but the reasoning behind is unknown at the moment. Perhaps, this is one of those moments where contrary to what happens usually, Windows is ahead of the macOS in terms of security.
To conclude, the entire project was carried out under a budget constraint of $2000 intentionally and took several months. The former hints at the fact that even though a normal attacker may not utilize such resources to attack someone, state-sponsored actors can, placing the privacy of high profile actors such as whistleblowers, politicians and media personalities under threat.
As a result, it is recommended that additional security measures are employed such as strong passwords and only fingerprints should not be relied on.
The latter on the other hand lets us know that despite the vulnerability of fingerprint technology and the 80% success rate that accompanies it, such attacks require patience and would not be applicable in fast-moving operations today.