A regular inkjet printer can be used to spoof smartphone fingerprint scanners

by: Kris Carlon, March 7, 2016

As the entire smartphone industry moves toward making fingerprint scanners the default biometric security method, researchers at Michigan State University have demonstrated a major problem with the security measure. A regular inkjet printer using conductive inks can be used to print fingerprints on paper and unlock fingerprint scanner-equipped phones including the Galaxy S6 and honor 7.

In an incredibly unnerving video, the researchers demonstrate how easily prints lifted off the phone itself can be printed out with an everyday printer and used to unlock the devices. The scariest part of this demonstration is that the phones are unlocked with a piece of paper. It works because the researchers use a conductive ink and paper by a company called AgIC. The entire process can reportedly be completed in 15 minutes.

As the researchers note, the original fingerprint spoof method pioneered by Germany’s Chaos Computer Club on the iPhone 5s used a time-consuming manual method for creating a 2.5D print out of wood glue or latex milk. This new technique simply prints a copy of the lifted fingerprint (after it has been flipped horizontally) onto AgIC paper.

The researchers conclude: “this experiment further confirms the urgent need for anti-spoofing techniques for fingerprint recognition systems, especially for mobile devices which are being increasingly used for unlocking the phone and for payment.” Fortunately, the researchers admit that the method cannot be used to unlock all phones, but they warn that as OEMs improve anti-spoofing techniques, so too will hackers develop improved hacking strategies.

Do you use a fingerprint scanner? How secure did you think they were?

  • Gangsta101

    Holy Wow! And I just encrypted my phone thinking the cops would never be able to get to it, damn!

    • balcobomber25

      Seems like you have bigger issues to worry about lol.

    • onstrike112

      Cops can forcibly make you unlock a device without a warrant, if you use a fingerprint scanner. Not true with a pin or passcode, as you can “forget” a pin/passcode.

      • Gangsta101

        Yeah. I do know that. But not if u force restart the phone you are asked. (Yeah I know, just dreaming out loud)

        • onstrike112

          That’s assuming they don’t tackle you to the ground first, brutalize you, and slam you on the car hood, while arresting you. I’m SURE you’re thinking “better lock down my cell phone” during that.

          • Gangsta101

            Awww man! That’s really graphic. But u made ur point since the first post. I’m going back to pin/pattern

          • onstrike112

            I apologize for it being graphic, but it’s true that it might happen, and why being secure is important, because we as people aren’t secure 100% of the time.

  • saksham

    lol i once placed my thumb on a chewing gum and tried it on the sensor

    it didnt work

    • Happy

      You have to flip the image. Like this you’re trying to read a mirror image of your fingerprint.

    • Fred

      Seems like someone watched MacGyver

  • Roby

    Fingerprint scanners are secure enough to keep nosy friends, family and kids out. Besides, a Samsung smartphone will never truly be yours unless you also know the accompanying passwords.
    You’re also free to move your sensitive data and apps into a password protected Knox environment for example for added security.

  • Amit Majumder

    That’s why you need swipe based scanners!!! :P

  • balcobomber25

    If someone wants to go through that much trouble to read my facebook messages and look at my picture I will save you the trouble and unlock it for you. For me the fingerprint is more of a convenience feature, I would never keep anything sensitive on my smartphone.

    • As the article mentions, mobile payments are a big reason why this is a problem.

      • balcobomber25

        I don’t store any credit card info on my phone so I am not worried about that.

        • John Doe

          My son can unlock his bank account app using his finger (on an Apple iphone)..
          So scary .. What do iPhones do that Samsung, etc cannot?

          • onstrike112

            Nothing, but they all share that fingerprint scanner in common. It’s a security flaw. My BlackBerry doesn’t have such a scanner, because they’re insecure. This just drives the point home.

          • John Doe

            because they are insecure ?? Or are they Secure (overly so ..)

          • onstrike112

            How are they secure at all? Cops can forcibly unlock your device, and an inkjet printer can hack a fingerprint reader

          • John Doe

            Ok, re-read comment again (it can be taken 2 different ways based on reading ..)
            I thought you said that BB was insecure … my-bad .. lol

          • onstrike112

            Fair enough. Fingerprint scanners are insecure, and the BlackBerry Priv that doesn’t have one is more secure than the Galaxy S6 or S7, because it DOES have a fingerprint scanner.

    • Happy

      Yes, I have about 30 close shots of my nuts. I’m sure any self respecting criminal will be rushing to unlock my phone to have a look at them. Lol

  • NightMean

    What about the new Qualcomm technology? The 3D scanning which is used in LeTV Le Max Pro, that shouldn’t be that easy to bypass, right?

  • King_Android

    Or wait until that person falls asleep and use their finger to unlock it. Lol

    • Or just cut off their finger, and you will have a permanent way to unlock it!

      • JRomeo

        the finger will eventually decompose.

      • EasyCare

        It doesn’t work.

  • Nallaikumaran

    What the fuck that? It’s an old news. Check out video and Pdf file (Date). What’s the point here? Are you searching for the Samsung bad news? (Old news). The Apple’s cowards campaign against Samsung (New S7). Thanks to the writer for showing us how dumb Apple supporters really are and how easily it is to fool them. In fact, Kris Carlon is an Apple fanboy.

    • Kody

      Wait how are the dates significant?

  • SnakeSplitskin

    So basically, someone who wants to go into the mobile phone & financial data theft business the hard way would have to:

    1) buy this special AgIC paper
    2) invest in high-res ink-jet printers
    3) invest in fingerprint lifting kits
    4) learn about how to lift fingerprints

    5) learn about how to print high-res images
    6) learn Photoshop
    7) Buy Photoshop
    8) Go into the business of stealing phones (and accept all the risks of that venture)
    9) Learn methods of stealing phones undetected
    10) buy a safe-house where all the stolen phones will be taken to be fingerprint hacked to avoid having their own home identified and located via the “find my phone” security features.

    11) Hope that victims don’t use the “find my phone” security features
    12) hope that victims haven’t remotely taken photos, video, and audio recordings of you after you’ve stolen their phones

    13) begin process of removing fingerprints, print fingerprints, and then use printout to open phone
    14) hope that after all this effort the debit & credit cards haven’t already been reported stolen OR hope that the phone hasn’t been remotely wiped.

    As you can see, this article is creating concern and alarm where there is no concern or alarm. The biggest threat to fingerprint scanners is at the moment the phone is stolen because that’s when you’ll more than likely get your finger cut off by thieves who are absolutely committed to breaking into your phone.

    • onstrike112

      Or, alternatively, have the paper, the printer, the fingerprint kit, know how to use them, have Gimp/Photoshop, know how to use it, because you’ve planned this in advance. Grab someone’s phone because they do get left out places. I’ve had to tell someone to remember their phone before. It happens. Most of the time they don’t realize they’ve left it somewhere. Get the fingerprint lifted quickly, print it out with the know-how and equipment you have. Unlock phone, turn off location services. Extract data and credit card information.

      • SnakeSplitskin

        Before this article, no one in the phone/data stealing business has the paper already. More than likely they aren’t Gimp or Photoshop experts. If they are experts, how many graphic designers do you know that are willing to go into the phone/data theft business just because they have the photo manipulation software, printer, and know how to use them? As for lifting fingerprints, this isn’t something that can be done quickly. You first have to find the right smudgeless print. Good luck with that. Furthermore, how lucrative is it to be in Starbucks on your laptop working while also keeping an eye out for someone to leave their phone on the table while they go pick up their order? That would be incredibly risky to reach over to grab the phone while others are watching and with the whole place under camera surveillance. Also add to that your laptop is probably connected to the network leaving additional identifying information about you. All of that risk just so you can nab someone’s phone and hope that you can get the prints, access the phone, and turn off the location setting before it triangulates your position. Good luck with that too.

        • onstrike112

          Doesn’t mean it’s impossible, therefore fingerprint authentication is a bad way to secure devices. In addition to how police can force you to unlock your device without a warrant. Unlike a pin or even a pathetic pattern. You can’t “forget” your fingerprint. You can, however forget a pin/pattern.

          • SnakeSplitskin

            In my opinion criminal endeavors are a complete waste of time yet we do see time and again fools utilizing their time in such endeavors. So yes, it is very possible for someone to do this and ignore the inherent risks or maybe even mitigate some or most of the risk.

            Using a pin is better than fingerprint because it doesn’t appear that just anyone can find a work-around to get past pin protection. The U.S. Supreme Court has already concluded that the police can not compel you to unlock your smartphone without a warrant nor can they access your smartphone without a warrant. This might not be the case in other countries.

    • Kody

      Or just drug the person and unlock the thing.

      • SnakeSplitskin

        Okay, so to effectively drug someone that you know has a smartphone and uses Apple Pay, Android Pay, or Samsung Pay, that means that you’d have to know your victim personally and they know you. So after they wake up they will immediately know it was you who drugged them. Hmm, this just doesn’t seem to be a good plan.

        • Kody

          When you attempt to rob someone you don’t know if they even have money before hand.

          • SnakeSplitskin

            True. But it doesn’t take much time or effort to figure out that they don’t have any money. Knock someone over their head and check their pockets-you’re in and out within 15 seconds. Pick-pocket someone, open their wallet, toss their wallet in the trash all in less time than knocking them out. Rob them at gun or knifepoint and ask them to empty their pockets and you’re still looking at a 30 second or less encounter.

            Compare that to stealing a phone that someone leaves behind at a coffee shop. You basically have to sit and wait for someone to actually leave their phone unattended. To be lucrative, this would have to become a full-time endeavor. But if all you’re after is the debit/credit card mobile payment thing, then add the time it takes to wait and abscond a smartphone to the time it will take to find and lift a fingerprint, print it properly, then unlock the phone. The advantage of finally unlocking the phone is:
            1) you’ll have credit card numbers you could sell
            2) you could go on a quick shopping spree (in hopes that cameras don’t video tape you during the transaction)
            3) possibly get cash back on those debit transactions
            4) have a nice smartphone to sell on the black market

          • Kody

            Ok, what is your point here?

          • SnakeSplitskin

            what was the point with you saying “When you attempt to rob someone you don’t know if they even have money before hand” ?

          • Kody

            Ok, misread that. I still think drugging someone would be simpler. Stakeout a coffee shop or bar for guy. Have a pretty girl lure him into drinking then drug him or get him really drunk when he passes out then take his phone. You get more phones than sitting and waiting for someone to forget the phone.

          • SnakeSplitskin

            so now you’ll have to share the spoils with one other person plus go through an entire evening just to sack one smartphone. You won’t be able to get the phone until your victim passes out somewhere other than the bar. And you have to have access to quaaludes.

  • Fred

    Apple should send this video to the FBI. It will avoid a lot of drama :)

    • monsterdonutkid

      It was an iPhone 5c.

  • Choda Boy

    I wonder if the FBI or Apple tried this on the terrorist’s phone?