Fingerprint authentication can be hacked with wood glue


The process takes a short amount of time, and costs less than $7.

In the pursuit of keeping our devices secure, we have begun to juggle any number of PIN codes, passwords, and biometric data to try to keep hackers away from the most personal data held on our phones and other devices.

In place of papers full of different, complicated passwords, or reliance on a password manager that sometimes feels as if it would hand over the keys to our entire lives if it were hacked or breached, we as users have started to embrace the idea of fingerprint data.

The theory behind it is simple: our fingerprints are unique, and have been used for decades to identify people who commit crimes, with stunning accuracy. So the hope is that they can also help ward off criminals by making sure they can’t be spoofed.

When theory meets practice

That’s the theory behind a whole slew of fingerprint-based sign-on processes, including Apple’s Touch ID and plenty of other options. But now a new investigation by Kraken Security Labs, a team of security researchers that aims to protect and grow the cryptocurrency ecosystem, has blown a hole in what was considered a pretty useful line of defense against hackers.

The researchers have discovered a method to spoof fingerprints using wood glue and a photograph. It can cost less than $7 to carry out, and it can compromise your account.

“Fingerprint authentication provides a lot of comfort for a lot of users, a high sense of security. In reality, however, we leave fingerprints wherever we go. A photo of that fingerprint is all a hacker needs to copy it,” says a spokesperson for Kraken Security Labs.

How it works

The range of fingerprints we leave on devices thanks to the natural oils on our skin – or the food we eat that’s left on our hands – is often the bane of anyone who wants to keep their device’s screen pristine under light. But those smudges and smears are also manna from heaven for hackers, who are able to use them to gain access to our devices through a relatively rudimentary method.

The hackers are able to take a photo of a fingerprint that’s left on a screen.

They can then run it through any image editing software to produce a near-perfect negative of the whorls and whirls that define our fingerprints. From that, they then print the image onto an acetate sheet using a laser printer.

The toner used in laser printers, which is transferred to the sheet using charged particles, leaves a nearly imperceptible 3D structure of the fingerprint on the sheet onto which it is printed. Those bumps and crevices in our fingerprints are the giveaway signs that unlock the secrets of our identity.

Bringing the hardware in

From there, it’s a simple process. The negative image of the fingerprint has bumps where there are divots in our finger, and valleys where there should be ridges. When a dab of cheap wood glue is applied over the 3D negative, the glue settles in the gaps and reproduces the fingerprint as it really is.

Now that the false fingerprint is set in wood glue, all that’s needed is to peel it off and try to unlock a phone.

The researchers claim every device can be unlocked using this method, and have demonstrated the ability to unlock MacBook Pros in videos accompanying their claims.

“A fingerprint should not be considered a secure alternative to a strong password. Doing so leaves your information — and, potentially, your crypto assets — vulnerable to even the most unsophisticated of attackers,” says the spokesperson.

“It should be clear by now that, while your fingerprint is unique to you, it can still be exploited with relative ease. At best, you should only consider using it as second-factor authentication (2FA).”