How to Beat a Fingerprint Scanner
Some of the fingerprint scanners that protect cellphones, banks and even border crossings can be tricked by new technology that prints wearable hands with detailed fingerprints.
Researchers at Michigan State University wanted to test the quality of fingerprint readers and needed a way to standardize their evaluation. So they created a 3D-printed hand with fingerprints that they could slip on like a glove. But the team quickly realized that their pioneering technology could go awry if it got into the wrong hands.
“As a byproduct of this research, we realized a fake 3D hand, essentially a spoof with someone’s fingerprints, could potentially allow a crook to steal the person’s identity to break into a vault, contaminate a crime scene or enter the country illegally,” Michigan State engineer Anil Jain, lead author of a report about the printing method, said in a press release.
2D hand replicas have been used to test fingerprint scanners in the past, but the 3D version is more accurate. It’s made of a rubber-like material that has similar strength and elasticity to skin, so the material and 3D design more closely mirror the behavior of real skin. Using the same model repeatedly also allows researchers to precisely compare the metrics of each scanner and determine which is best, Jain said. Eventually, calibration could be carried out by robots with 3D-printed hands, testing machines faster and with standardized pressure each time.
3D hands don’t pose too grave a security risk yet because they’re difficult to create. The research team went through an obstacle course of challenges during the study, which was funded by the National Institute of Standards and Technology.
They had to determine which material ideally mimicked skin and had the perfect thickness (Too thin and it would crack; too thick and it didn’t fit.) They had to find a tool to clean the printer’s debris from the fingerprint’s ridges, as well as figure out how to support the printing of a hollow, delicate object. In the end, they printed the base and each finger separately before attaching them. The process was also expensive — the high-resolution printer that the team used cost $250,000.
Another hurdle for crooks is that security systems often use a fingerprint reader as well as security personnel, especially in government systems. “We’ve got a long way to go to improve security but we’ve got reasonable safeguards in place for today,” said Christopher Boehnen, senior program manager at the Intelligence Advanced Research Projects Activity, a federal agency that tackles problems in the intelligence community. Boehnen’s program, Odin, designs systems to prevent attacks on biometric technologies.
Boehnen likens the state of biometric security to the internet in the mid-1990s. People were aware of things like viruses, but they weren’t too prevalent or threatening. That, of course, changed over time. “The technological maturity of both the attack and the defenses is low to moderate at present, but the anticipation is that as we begin to rely on biometric technology more, just like as we began to rely on internet technology more, the attacks are going to increase,” Boehnen said.
“When you’re protecting your Farmville game, criminal enterprises have relatively little motivation to figure out how to attack it. When you’re protecting your bank account, that’s a different story,” he added. To combat increasingly complex attacks, Boehnen’s team uses machine learning to develop intelligent systems that can identify threats the system hasn’t yet been exposed to.
Overall, biometric technologies are here to stay, Boehnen said. Fingerprinting has actually been around for centuries — even in Babylonian times people marked clay tablets with their fingerprints to record transactions. And although innovation in this field will continue, fingerprint scanning remains most prevalent, followed by iris and face scanning, Boehnen said.
Jain hopes to use his 3D hand to highlight security loopholes to manufacturers of scanners, so they can continue to upgrade their technology. High quality scanners on the market today already look out for blood circulating in the finger, Boehnen said, so these efforts are underway. Another solution is for designers and manufacturers to explore the optical characteristics of skin compared to 3D-printed materials to create a safety mechanism. Or they could develop a way for machines to compare the color of skin to polymers, which have limited colors, Jain said.
The relationship between scientists and hackers is like a cat and mouse, Jain said, with each racing to outsmart the other. For now though, the scientists seem to be on top.
“The novelty of the approach and the novelty of the solution are most important to us,” Jain said. “And this research is a lot of fun.”
Abigail Fagan is a graduate of the University of Rochester, where she received a B.A. in brain and cognitive science, with a minor in English literature. She is currently pursuing a masters degree in the Science, Health and Environmental Reporting Program (SHERP) at New York University. This article is provided by Scienceline, a project of SHERP.
CORRECTION: A quote from Christopher Boehnen has been edited from “slow to moderate” to “low to moderate” to correct a reporting error.