NorthSec 2020 (Online Edition)

High speed fingerprint cloning: myth or reality?
2020-05-15, 11:50–12:35, Twitch

During this presentation, we will explain how the democratization of resin 3D printers impacts the fingerprint cloning. And the security implications on devices such as phones, laptops or padlocks.


Fingerprint scanners have become a default feature on most mobile devices. They give users a sense of security and are usually a convenient way to unlock a mobile device.

But all of this biometric data can be a security risk. Suprema Corp. was in the news earlier this year when it was discovered the company exposed more than 1 million users’ biometric information, including fingerprints and facial recognition data. It is unclear if the data allowed attackers to reconstruct users’ fingerprints, or if any of the data was exfiltrated Still, this information was sure to be attractive to threat groups.

In July, news broke that China was installing malware on tourists’ phones. So we started to wonder how hard would it be to silently install malware into users’ devices silently.

We wanted to find out how much time is needed to go from fingerprint scanning to malware deployment on mobile devices. Could it be fast enough to be the equivalent of someone being stopped at the border having their fingerprints scanned during an interview while their devices are in the “x-ray machine”? Or would the amount of time needed to be a couple of hours? In this real-world scenario, time is only important for foreign opportunistic targets. Most country’s citizens will have their fingerprints on file, meaning that everything can be prepared in advance. Fingerprint authentication — like other biometric authentication mechanisms — has been broken before. Now that it’s grown in popularity, it’s time to test how to bypass the authentication, and more importantly, test a real-world attack scenario and the level of sophistication needed to execute it. Finally, our research showed that technology has not advanced enough to be considered generally safe. These practical attacks don’t require state-level resources to be executed, they can be performed by motivated attackers with a budget under $2,000.