Hacking fingerprints is affordable and simple, says Kraken Security

Polycount

Posts: 3,017   +590
Staff member
Not so secure: There are few forms of data protection that are more secure than fingerprint authentication... Right? You'd certainly think so -- that's what companies and security pros have told us for years, after all. However, as it turns out, fingerprint spoofing might be considerably easier than heist movies would have you believe. According to Kraken Security Labs, all you need is a bit of wood glue, a laser printer, and an acetate sheet.

The cryptocurrency trading company published a report describing how the "hack" can be done over on its official blog a few days ago. The items you'd need to pull it off are affordable, and the steps are simple enough that virtually anyone could pull them off, provided they have the motivation to do so, which is a pretty frightening thought.

So, how does it work? First things first, a potential hacker needs your fingerprint -- or, to be more accurate, a photo of your fingerprint. They don't actually need physical access to anything you've touched, only a picture of, say, a smudge mark on a laptop screen or a reflective desktop keyboard. Kraken also gives examples like tables at a local library or gym equipment.

In either case, once a reasonably-clear photo has been acquired, you'd need to create a negative in Photoshop -- Kraken says its team was able to create a "decent" one in about an hour.

Next, Kraken printed the negative image onto an "acetate sheet" using a standard laser printer. The toner, according to the company, mimics the 3D structure of a real fingerprint. The next and final step is to grab some wood glue from your local hardware store, squirt some over the top of the faked fingerprint, and let it dry. You can peel it off later, and there you have it: a (hopefully not) working fingerprint copy.

Obviously, we would not advise anyone to go out and do this but according to Kraken, it was able to perform this "well-known attack" on the "majority" of devices its team members had available. As the company notes, if this was a real attack and not a controlled experiment, the implications could be devastating for a victim.

With that said, it's not all doom and gloom. Fingerprint authentication should be just one layer of an ideally multi-faceted approach to data and account security. You should also have a strong password and (non-SMS) two-factor authentication -- the latter would prevent fingerprint hacks from being a problem in the first place.

Well, most of the time. Unfortunately, some apps allow users to bypass 2FA with a fingerprint sign-in, so in those cases, it would actually be more secure to shut off the latter entirely and rely only on 2FA and a strong password.

Masthead credit: George Prentzas

Permalink to story.

 

VitalyT

Posts: 6,413   +7,232
Yeah, we know...

marvel.png

 

psycros

Posts: 4,465   +6,661
Their right about this being a well-known attack. Its been used for at least 20 years and I've repeatedly posted warnings about it. Of course, there's potentially an even easier to way to obtain that fingerprint: hack a server and the get the files contains that biometric data. You might not even need to reproduce the physical print - you could simply feed the data to the login process if you've gained access.
 

Darth Shiv

Posts: 2,315   +849
Yep... biometrics are not private. It's brain dead. It's well known. What are people going to do? Change their iris? Change their fingerprints? Change their voice? It's stupid. It's such a time limited vector for convenience in lieu of security. Just stop doing it. It can't last long before large numbers of people are compromised permanently.
 

RaXelliX

Posts: 64   +47
Yep... biometrics are not private. It's brain dead. It's well known. What are people going to do? Change their iris? Change their fingerprints? Change their voice? It's stupid. It's such a time limited vector for convenience in lieu of security. Just stop doing it. It can't last long before large numbers of people are compromised permanently.
And when biometrics leak they are out there forever. If a password leaks it's easy to change.
That is why I refuse to use biometrics for identification on any of my devices. And was VERY unhappy that a covernment ageny had a mandatory fingerprint scan in order for me to get a new ID. Now my fingerprints are stored in some database that sooner or later leaks.