CyberWire Daily - Fingerprint authentication is not completely secure. [Research Saturday]
Episode Date: May 2, 2020Passwords are the traditional authentication methods for computers and networks. But passwords can be stolen. Biometric authentication seems the perfect solution for that problem. Our guest today is C...raig Williams, director of Talos outreach at Cisco. He'll be discussing and providing insights into their report which shows that fingerprints are good enough to protect the average person's privacy if they lose their phone. However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication. The research can be found here: Fingerprint cloning: Myth or reality? Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface
with public-facing IPs that are exploited by bad actors
more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers
by hiding your attack surface,
making apps and IPs invisible,
eliminating lateral movement,
connecting users only to specific apps,
not the entire network,
continuously verifying every request
based on identity and context,
simplifying security management
with AI-powered automation,
and detecting threats using AI
to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
Since the fingerprint space became something that the everyday home user was involved in,
there's been a lot of fear, uncertainty, and doubt around it.
That's Craig Williams. He's head of Talos Outreach at Cisco. The research we're discussing today is titled Fingerprint Cloning, Myth or Reality?
We've seen lots of reports around people being able to defeat Touch ID,
but we haven't really seen any that really laid down all the methodologies
and the way that the samples were collected and how long it took
and how effective they were across multiple vendors.
And so when we approached this project, the thing that we were wondering is,
let's assume a worst case scenario.
You know, my team travels all the time, going around the world, giving lectures at security conferences.
And so we thought, well, what happens if you have a mobile device with you that's secured with a fingerprint-based authentication system?
And when you're going through customs, passport controller, someone would like your phone for a while.
You know, like, is it feasible for that
security to be defeated? Or do you have nothing to worry about? You know, what actually is the
threat model that you should be worried about? Right, right. So how did you get started? Where
did you begin? Talos has its figures in everything. We look at hardware from everyone and anything,
anything from a mobile device to, you know, large, expensive medical devices to very specialized ICS equipment.
So it was very much in our arc of interest.
And I think really one of the main things that drew me to this is it's not often that we get to do security research that benefits the home user.
How often do we get to tell your non-technical friends or your parents or whoever,
hey, you know what? You don't need to worry about something. So when those rare opportunities
present themselves, we would like to be there and we would like to be there with evidence and facts.
Yeah, fair enough. Well, let's go through your process here. How did you begin by sort of taking
the lay of the land of the different types of fingerprint technologies that are out there?
Well, really the first thing we did is we looked at the problem space, right?
So, you know, at a high level, what is a fingerprint?
You know, what are the systems available to duplicate it?
And then what are the systems available to replicate it?
And then what technologies exist to prevent you from doing that?
to replicate it and then what technologies exist to prevent you from doing that.
When you look at it, we're actually to a point from a technological standpoint where 3D printing is right on the cusp of making fingerprint-based authentication questionable.
And what I mean by that specifically is if you look at a fingerprint just at a physical
level, most fingerprint ridges are a couple hundred microns across. For the budget for this project, we didn't want it
to be something outrageous, right? And we obviously could have funded it heavily and had amazing
results. But we said, you know, what is the average, let's call it motivated, but perhaps
not nation state actors budget going to be. And so we thought a few thousand dollars was in the
ballpark. And so we looked at spending about $2,000 for the entire project. And so when you look at the printers
available to the home user in that space that are the highest resolution possible and really
produce the results we want, you end up looking at the 3D printers that basically use IR to cure
a medium and you've got to have a wash station for it,
and it prints in layers.
Not incredibly dissimilar from the filament-based ones
I'm sure most people are aware of,
but really just a twist on the technology
over to using light to effectively cure the material.
And that's where you get the precision that you need
to be able to reproduce something like a fingerprint.
The resolution is actually quite a bit higher.
Now, I want to be sure that we pair that with the other reality of this, right?
For those of you involved in 3D printing, we all know that what we want to print and what comes out is not always what we would have liked to have come out.
And what I mean by that is often you get a little imperfection.
And if I'm building a plastic toy for the children
or a container, it doesn't matter so much.
If I'm building a piece of PPE for a hospital employee
to protect their face, like a face shield,
it doesn't matter if it has a little bump on the side.
But if I'm making a mold for a fingerprint, it matters.
And so this is really where a lot of the effort came in.
The cost from just a cost of goods perspective was low, relatively speaking.
But from a time investment standpoint and from an expertise standpoint, it was very high.
and from an expertise standpoint, it was very high.
It took weeks and multiple, multiple, multiple attempts to get good molds to use for this.
I think at one point, Paul mentioned dozens of attempts.
You'll notice if you look at the blog post on talusintelligence.com,
we actually have a picture of the bin of rejects.
And it's a reasonable size.
Yeah, yeah, absolutely.
Well, let's go through the various types of technology
that the device manufacturers are using
to enable this functionality.
What's out there?
Well, so at a really high level,
we have the basic fingerprint scanning technology, right?
You just put your finger on a sensor and it magically works.
Now, under the covers, there's a lot of different ways
that the devices do that.
And we iterate through those in the post
and discuss how they work.
And what I think is really interesting about this
is the false sense of security some people had, right?
Now, there's a couple of different kinds of light sensors
that people can use and ultrasonic sensors
just to read the ridges.
But one of the requirements that a lot of scanners had was a capacitance sensor to try and detect that real meaty person behind it that was conductive.
And so through our trial and error, we had to try lots of different materials to make the fake print.
So we 3D printed a mold and then used that mold to try lots of different materials to make the fake print, right? So,
we 3D printed a mold and then used that mold to create a print. And that's the process that was
incredibly error-prone and took a significant amount of trial and error to find the right
type of substance to use. And that's where you will notice we had good luck with,
I believe it was fabric glue for the mold and plasticine for the actual print itself.
Yeah, it's a fascinating process. And so I suppose when you're printing a negative of
the actual fingerprint so that when the mold comes out, that represents the real fingerprint.
Right. And so in the case of the capacitance sensor, what we ended up being able
to do is basically, I mean, it's Mission Impossible style, simply put it over our actual finger
and then use that to register a read on the device. Oh, interesting. So you still have that
meaty goodness of the actual fleshy human that gives the reader what it's looking for.
Right. And if you read a lot of papers on biometric security, a lot of people thought
that that would have been something that was much more difficult to defeat. And so I think that's
why it's so valuable to do this type of research. Not that we think vendors are trying to mislead
people, but because they didn't think of testing it like that. You know, it's just like software development, right? You have your software, you have your QA test cases, your test
cases pass, you know, you think you've caught all the corner cases, but then along comes somebody
else with a new idea, and all of a sudden they can find issues that perhaps you missed. And this is
very much the same thing. What about the actual collection of the fingerprints themselves? What
was involved there?
Well, so that's actually a really fun one.
We had a couple different methods of collection, right?
The very first one we wanted to talk about was direct collection.
And without picking on any specific vendor,
you know, I think lots of people are aware that when,
you know, certain mobile devices are prototyped,
the employees test them.
And they may run around town with them
and perhaps even engage in recreational activities
with these mobile devices that may be secured
with a biometric-based authentication.
And so for a direct collection case,
we wanted to think, well, what happens
if someone is, let's say, completely pliable?
You can view it as them being willing to help you
or them being unconscious and you just grab their finger.
So direct collection of the print and then try to use that.
So that was method one.
The second one was really what we envisioned happening
during the scenario we envisioned at the beginning
of if you're going through customs.
And so customs in a lot of countries will take a fingerprint scan.
I think they use that now for global entry in the U.S.
And so we thought, well, if you take it using that method,
what's possible to build from a reproduction standpoint
using what that's recording?
And so that was really our second method.
And the third approach was just via a third-party object, right? Find a thing
that somebody left behind. And so I think this is really what's important for people to realize,
that from my perspective, the security provided by a fingerprint is not too dissimilar from that
provided by like a social security number, number. It's not secret.
It might be unique-ish,
but it is not really something that you should rely on for 100% security.
Instead, I think you can view it as providing good enough security.
My take,
when Apple came out with Touch ID,
I think we saw a lot of people adopting it, using it because it was so easy to use and fast and relatively frictionless.
And in my mind, that was the transition.
What we captured there were a lot of people who weren't using any password at all on their phone because it was a pain to put the number in.
Now, all of a sudden, all these people are using something,
even if it's not perfect.
Well, and that's why I want to make sure that when we discuss this,
the way that we frame it is something that everyone walks away with.
What we've proven here is that biometric authentication is not perfect.
It's not a magic bullet.
You're not secure from super hackers or amazing criminals.
But very much like a front door lock or a home
security system, it meets the threat model for most users. If you're comfortable with an
off-the-shelf door lock at Home Depot and you have your computers in your house, you're fine.
Alternatively, if you have, let's say, things on your phone, intellectual property,
that you keep locked in a vault,
number one, you shouldn't be using biometric security.
Number two, you should perhaps go into your settings menu right now
and switch over to password-based authentication
and turn on multi-factor authentication.
Think of it like using a home security system
to defend against a world-famous cat burglar
or a nation-famous cat burglar or a nation
state. Any security system, no matter what you pay, is not going to be a large impediment to
those groups, to those well-funded groups. On the other hand, for your typical average everyday
person, it's more than adequate. It will keep out criminals, it will secure your device, and the ease of use is through the roof.
Yeah. Now, having gone through this exercise and learning what you all learned, how difficult would it be for you to do this now, knowing what you know?
So, the actual process, we understand, we know how to do it, but the trial and error involved in getting usable prints molded and reproduced would still be there.
Now, it's possible that if we invested a significant amount of money, this could be streamlined, but I think that the barrier to entry is still high enough that this is not something the everyday user needs to be concerned about.
Now, I do want to be transparent here.
user needs to be concerned about. Now, I do want to be transparent here. If you look at our results,
there seems to be a very clear choice that was made during the design of these sensors on various manufacturers. So think about the way fingerprints live in this world. Okay, not today, but like
three months ago. Think about the day your fingerprints lived.
You know, you're at work, you're hitting a keyboard, you go to the gym, you're rubbing off your fingerprints. Maybe after work, you dig a hole. And then all of a sudden,
you've got to unlock your phone to say, get in your car, right? Maybe you have a Tesla.
Well, your fingerprint has been ground off at the gym, ground off digging a hole,
you know, potentially rubbed away at work.
And so what you have is a reduced quality compared to the one that perhaps you set in the morning
when you woke up.
And so what these vendors have to choose from
is basically a bar of accuracy versus ease of use.
And I think we can all agree that while fingerprint security
is important, the main draw
of biometrics and the reason that so many people are dependent on it is because it is so easy to
use. You know, the first time I have to start scanning my fingerprint three, four, five times
to unlock my phone, I'm just going to go back to a password because it'll work the first time.
And it's going to take the same amount of time for me to key in like 20 characters, a scan, wait, scan,
wait, scan, wait. You know, one of the things that caught my eye in your blog post here is how much
your success was dependent on the mold getting the scale right. Like that seemed to be a really,
one of the sensitive elements here of having success.
Absolutely. You know, the mold process itself, I think is the one that was really the biggest
hurdle for us. It is one of those things though, that people do need to realize that as 3D printing
technology advances, as there are automated ways to produce these, this process will get easier.
Right. And so I think it's important that we realize, you know, think about how old fingerprints
are.
Right.
They've been used for identification purposes since, oh, man, what, like the 1920s, you
know, the Al Capone prohibition era.
And so for that to work today in 2020 is amazing. But I think it's important that
we know when this 3D printing and scanning and home manufacturing technology is going to reach
a level where this is something that we shouldn't be relying on as much. And so, you know, when I
look at our research at a high level, I think the takeaway is simply this, you know, right now, 3D printing technology is vastly
improved. Right now, it is possible to defeat most fingerprint-based authentication systems
using 3D printing technology available to the home user. It's important to note, however,
that it is not easy. It is not
something a typical teenager could go grind out in their garage in one afternoon. It will require
trial and error. It will require a financial investment, and it will require effort to go
do that. And then it will require effort to obtain a fingerprint that's been enrolled on the device.
So it's not easy. You know, for most users, fingerprint-based authentication
is still perfectly viable from a security standpoint.
However, if you have valuable intellectual property
on your device that a motivated criminal may want to obtain,
you should not be using fingerprint-based authentication
at this point.
You should be looking at using, you know,
passwords in accordance to best practices with multi-factor authentication.
That's Craig Williams from Cisco Talos. The research we discussed today was titled
Fingerprint Cloning, Myth or Reality? We'll have a link in the show notes. a partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs
smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company
safe and compliant. teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri,
Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner. Thanks for listening. Thank you.