Fingerprint protection is too easy to bypass

A group of Cisco researchers has managed to circumvent the fingerprint protection offered by the largest mobile manufacturers 8 times out of 10.

Fingerprint unlocking has been available on the vast majority of smartphones, even entry-level models, for years. As soon as TouchID arrived on the iPhone 5S in 2013, hackers set out to defeat this type of authentication, located on the phone's round button. It took them only 48 hours to get there.

This challenge has become more and more difficult as the various manufacturers have reinforced security. Today, fingerprints are often used as a second authentication factor for accounts on mobile phones, and this is rather effective. It can be said that everyone is now safe from hacking attempts against these fingerprint security systems. “Everyone”, except perhaps people specifically targeted by hackers with significant means or backed by states. This is what a study just released by the Cisco Talos security group reveals.

With a budget of $2,000 a month, they put fingerprint authentication systems to the test on mobile phones from Apple, Microsoft, Samsung, Huawei and the three other major sensor manufacturers found on electronic devices. In the end, out of 20 attempts with each device, authentication succeeded in 80% of cases with fake fingerprints very close to the real ones.

From the fingerprints collected and digitally refined, the team created molds printed in 3D on flexible pads to fool the fingerprint unlocking systems. © Cisco Talos

0% chance with Windows 10

Although this attack is possible and fairly effective, the team explains that it had to make more than 50 fingerprint molds before a single one worked with this level of success. The experiment took place over several months. Suffice it to say, this is really not within reach of every hacker.

First, the attacker has to obtain fingerprints from the target and design the fingerprint templates. This requires such determination that the target must be of great importance for anyone to want access to the contents of their device. For this reason, only hacker groups backed by entities with large means or by states would be likely to carry out the operation.

Whether on the iPhone or on other phones, the numbers were quite similar. Some models, such as the Honor 7x or the Samsung Note 9, could be unlocked consistently. Overall, the more recent the model, the more attempts were needed.

In all cases, this means that the probability of accessing the contents of a phone before it locks and requires the passcode is very high. Beyond phones, only two USB keys secured by a sensor rejected every attempt to unlock them with the fake fingerprint. The computer they were securing was running Windows 10. For the researchers, it is thanks to the comparison algorithm that security has been strengthened. But for them, that does not mean that it is impossible. It would just take a little more time and resources to get there.