MSU scientists proved that you can trick commercial fingerprint scanners with a 3D-printed fake hand.
The finding was incidental to their goal of testing the accuracy of a set of fingerprint scanners like those commonly used in airports, banks, and police stations.
In order to design a consistent and repeatable test for the scanners, they needed a lifelike 3D model. That turned out to be a 3D-printed wearable glove. The intention was to develop a method for testing and calibrating commercial scanners as requested by the National Institute of Standards and Technology (NIST).
Once they began testing the scanners, it became apparent that the fake hand could be used to hack scanners in the real world, and in fact resembled gadgets from old spy movies. A fake fingerprint and reader make an appearance in the 1971 James Bond movie, Diamonds Are Forever.
The use of fingerprint identification has become increasingly popular. Once primarily a tool of law enforcement, fingerprint scans have become common in more mainstream applications like border crossings, national ID programs in some countries, and even as security on consumer cell phones.
Ink-based fingerprinting has faded away and been replaced by live scan devices that read four fingers at once on each hand, and then two thumbs individually. The process is called 4-4-2, and the scanners are referred to as slap scanners.
One problem in deploying a large number of scanners is calibration and comparison. Computer science professor Anil Jain undertook a NIST-funded project to develop an improved method for calibrating the devices and evaluating their accuracy. He and his group of researchers designed a 3D replica of human fingers for that purpose in the form of a glove with fingerprints on all five fingers.
"My grad student was wearing a glove with all five fingers on it, the first impression was, 'Now you can spoof a fingerprint reader,'" says Jain. "That's an obvious byproduct of this research. Now we can also evaluate what is the capability of the commercial state-of-the-art fingerprint readers to resist spoof hand."
Jain's group evaluated three standard scanners and one contact-free scanner. The spoof hand worked with all of them. "Our hand, with the fingerprint, can be imaged by all of them. The scanners cannot tell the difference between a live hand and a fabricated hand," says Jain. "We are bringing this to the attention of the vendors."
Jain says if someone is able to acquire a set of fingerprints, and makes a fake hand with those fingerprints, they will have all of the same access privileges as the owner of the prints.
Jain says fingerprint identification technology is not going anywhere, but that it will have to be improved to keep up with the hackers.
"The introduction of any biometric, whether it is face, fingerprint, or iris, also opens the door for imposters to take advantage of this technology," says Jain. "It's always a cat and mouse game. The manufacturers of technology will try to come out with technology that is as spoof-resistant as possible, but then the crooks also come up with better schemes to make the attacks, so the idea is to be aware of what are the potential weaknesses of any security technology."