Signing in to your computer with your fingerprint is not a 100% secure method.
In the movies, they often quickly resort to cutting off someone’s hand to bypass the fingerprint scanner. The Kraken Security Labs report shows that it would be easier – and less intimidating – to recreate an imprint using a bit of traditional wood glue.
Kraken notes that biometric security is being used more and more, as it is the most convenient and easiest option to use. It is used by manufacturers of smartphones, as well as tablets and laptops. In particular, fingerprint scanners provide a convenient way to access these devices without entering a password.
The report says the fingerprint scanner can be “hacked” by taking an image of a user’s fingerprint, creating a negative in Photoshop, printing the resulting image and then applying some wood glue to the simulated fingerprint so that it can be used for fraud.
“We were able to perform this known attack on most of the devices our team had available to test,” Kraken said in its report. “If this was a real attack, we would be able to access almost all sensitive information.”
However, Kraken isn’t the only security company to realize that glue can be used to trick a fingerprint scanner. As early as April 2020, Cisco Talos released an in-depth report that explored several methods – including the same glue trick – that an attacker could use to forge a user’s fingerprint.
“Our tests showed that we had a success rate of about 80 percent using fake fingerprints, with sensors bypassed at least once,” writes Cisco Talos. “Achieving this level of success has been difficult and long lasting. We found many barriers and limitations related to the measurement and physical properties of the material. However, this level of success means that we are very likely to unlock any of the devices tested before being blocked and needing to enter a PIN code.”
Cisco Talos also stated that most people don’t have to worry about someone creating a copy of their fingerprint to gain access to their device, but noted that “a person who is likely to be the target of a well-funded, enthusiastic actor should not use fingerprint authentication.”