Researchers Find Apple's MacBook Pro Is More Susceptible To Fingerprint Spoofing Than Windows Laptops
Technology companies sometimes talk about wanting to move on from passwords in favor of other authentication methods, with biometric security leading the way. But are biometric methods really secure? Researchers from Cisco's Talos division put fingerprint scanning under the microscope, and found some interesting shortcomings.
Fingerprint scanners are in lots of places these days. Your smartphone probably has one, assuming it is relatively modern. So do encrypted USB devices, padlocks, and laptops, including Apple's MacBook Pro and a bunch of Windows systems equipped with support for Windows Hello (which can include other security methods as well).
Now here is what's frightening: in their testing, Talos researchers were able to thwart fingerprint security methods 80 percent of the time using fake fingerprints. There is a silver lining, though. It was not always easy to pull this off.
"Reaching this success rate was difficult and tedious work. We found several obstacles and limitations related to scaling and material physical properties. Even so, this level of success rate means that we have a very high probability of unlocking any of the tested devices before it falls back into the pin unlocking," the researchers stated in a blog post.
"The results show fingerprints are good enough to protect the average person's privacy if they lose their phone. However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication," the researchers added.
For this research, they took images of a fingerprint to create a 3D printed mold, then a cast. For the latter, they tried different materials and found that the combination of silicon and fabric glue worked best.
The method worked on a bunch of devices. What's also interesting is that the results suggest mobile phone fingerprint authentication is weaker now than it was when it was first broken in 2013.
Another interesting note is the divide in laptops. The researchers had no success fooling the fingerprint scanner on Windows laptops that support Windows Hello, but using the exact same clone, saw a 95 percent success rate on MacBook Pro models.
"The reason for the better and recurrent results from the Windows platforms is the fact that on all platforms the comparison algorithm resides on the OS, thus is shared among all platforms," the researchers explain.
The researchers saw varying degrees of success on devices where this worked. In many cases, the success rate was very high, as with the MacBook Pro, Honor 7X, and a few other devices.
While it was not easy, the bottom line here is that companies should be putting more effort into making fingerprint scanning more secure. At the same time, we don't want to overstate the vulnerability—the researchers readily admit that the creation process for making molds is "time consuming and complex."