We Fooled an iPhone Using School Supplies. Here’s How We Did It.
Biometrics – the epitome of “high security” in today’s movies and TV shows. Whether it is protecting a vault containing millions in diamonds or safeguarding top-secret CIA documents, biometrics are tasked by Hollywood to protect the most sensitive of assets. However, biometrics is no longer relegated to futuristic movie plot lines. Biometric access control systems have become widely adopted and inexpensive to implement in the real world.
Everyone with a modern cellphone has had at least some personal interaction with biometrics. Fingerprint sensors first came to cell phones in 2011. Since then, almost everyone has begun using biometrics to protect private messages, photos, and data.
Despite how pervasive biometrics have become, are they really as secure as we think they are? We set out to perform a quick research project with the objective of exploring the security of biometrics!
Our objective for this project had two distinct parts. First, we wanted to explore the feasibility of being able to lift a fingerprint from someone’s desk space. Secondly, we wanted to be able to develop a reproduction of that fingerprint and successfully carry out a “replay” attack against a biometric control system.
Testing Part 1 – Lifting Fingerprints:
Our first objective and the challenge was to lift a fingerprint from somewhere on an individual’s workspace. We selected the workspace considering that we all spend at least eight hours a day sitting at our desks. It seemed likely that an individual’s fingerprints would be all over their workspace. Further, an internal attacker would likely have unimpeded access to a coworker’s desk space without drawing too much attention.
Using official volcanic fingerprinting dust and fiberglass fingerprinting brushes, we began attempting to lift fingerprints from my desk area. Going into this testing, we assumed that this part would be fairly easy. Crime shows on TV always make lifting fingerprints look like a straightforward process and it only involves some dust and a brush, right? Turns out, we were very wrong.
While the actual act of dusting for fingerprints is conceptually straightforward, performing it successfully on a non-prepared surface is an art form. We had a significant challenge trying to lift prints from the workspace environment. One item that we zeroed in on early was the mouse. A user’s pointer finger is usually resting on the left mouse button all day. We figured that this would be the clearest location to lift an individual’s fingerprint from. However, in our testing, we were unable to get a fingerprint clean enough to be usable. See below for some examples.
In doing some further research, it appears that while we were unable to properly lift a fingerprint, a professional or someone reasonably motivated could lift a clean, usable fingerprint from a desk space. As we are not trained criminal forensic investigators or experienced criminals, we decided to continue on with the project with a new assumption. Moving forward in the project, we will assume that a reasonable motivated individual is an attacker carrying out this attack and they have obtained a clean lifted fingerprint.
Testing Part 2 – Casting our Fingerprints:
The next part of the testing is the first step towards fooling the biometric devices. We need to make a replica fingerprint of our intended target. This is known as a “replay attack.”A replay attack in biometrics is when an attacker uses a picture or representation of a user’s biometric identity in order to fool an authentication mechanism. We set out to try to fool both an FBI certified biometric scanner and an iPhone 8.
The first hurdle was figuring out both a casting medium and imprint medium. When you stick your finger into, let’s say, playdough, the “fingerprint” left behind is actually a mirror image of your actual fingerprint. Ridges are troughs and troughs are ridges. This will not fool modern biometric devices. So, we need a way to imprint our fingerprint and then cast them in order to reproduce a 1:1 fingerprint. We attempted a number of different combinations which are listed below:
- Modeling clay and wood glue
- Modeling clay and super glue – Successfully retrieved casting.
- Modeling clay and Elmer’s school glue
- Modeling clay and playdough – Successfully retrieved casting.
- Playdough and wood glue
- Playdough and super glue – successfully retrieved casting.
- Playdough and super glue + wood glue
- Playdough and Modeling clay
After letting the molds dry, we attempted to remove the castings from each of the variations. We were only able to retrieve three castings which are noted above. We found that there was a delicate balance between the molding material and the casting material. Too brittle of a molding material and the casting lacked the definition necessary. Too strong of a bond between the two materials meant that we couldn’t ever separate them once dried.
Testing Part 3 – Guardian Fingerprint Scanner Replay Attack
For our testing we acquired two unique fingerprint scanning devices:
- Crossmatch L-scan Guardian 2 fingerprint scanner
- iPhone 8
The Crossmatch L-scan Guardian 2 (henceforth referenced as the “Guardian”), is an FBI Integrated Automated Fingerprint Information System (IAFIS) certified fingerprint scanner. It is compliant with Appendix F biometric image standards which means that it meets a stringent standard of image quality for biometric devices. This type of scanner is very common in airports, at international borders and other sensitive locations. This Guardian device is certified to the same level as most commercial biometric access control scanners on the market. If we can fool this device, we can reasonably fool most commercial biometric devices.
The iPhone 8 has a fairly advanced fingerprint sensor built into the home button at the bottom of the phone. This round sensor takes a high-resolution image of your fingerprint minutiae (i.e., major features of your fingerprints including ridges, whorl, deltas, islands, and bridges). It then makes a mathematical representation of these features and stores it within a “secure enclave” within the device. The iPhone then compares the mathematical result of each fingerprint presented to it and compares it with the stored, “registered” fingerprint. If it matches, the iPhone unlocks!
After retrieving the castings, we cleaned them up and then began attempting to use them to perform a replay attack on the devices. The first device we tested against was the Guardian. We immediately noticed a flaw in the glue-based castings; they were too rigid. Because of this, they were not able to “compress” down when placed against the scanner as a normal finger would. This resulted in only a tiny portion of the casting registering on the scanner. The resulting image was not wide enough to get a positive match from the Guardian.
With the glue-based solutions eliminated, we then tried the playdough castings (Modeling clay as the mold with Playdough as the casting material). When presented to the scanner, the Playdough’s soft nature allowed the entire fingerprint to press down onto the Guardian scanner. Because of the compressibility, unlike the glue-based methods, we were successful in getting a positive match on the Guardian! We reproduced these results a dozen times with a failure rate of roughly 40%.
See below for two examples (image is from the Playdough casting):
With similar results to the Guardian replay attempts noted above, the glue-based castings proved to be too rigid in order to fool the iPhone’s fingerprint scanner. Additionally, we noted it was a challenge to get the fingerprint scanner to read the glue-based casting at all. Despite attempting to rotate the castings, wet the sensor, heat up the castings, we could not successfully fool the iPhone scanner with the glue-based castings.
Next up was the Playdough based casting which was previously successful in the Guardian replay attack above. While we were able to get more consistent reads against the iPhone using the Playdough castings versus the glue-based castings, we were not successful in unlocking the phone. We concluded that the flexible nature of the Playdough was an enhancement over the rigid glue-based castings; however, there was something else that the iPhone was “looking” for that the Playdough was not satisfying.
Part 4 – A new method
We were not satisfied that our playdough method only worked on the Guardian. We wanted to develop a method that would be both successful on the Guardian and the iPhone. We began doing some more research on the molding and casting materials that might work. Knowing that the flexible nature of Playdough was definitely an enhancement, but the durability and thinness of glue-based methods were desirable, we searched for new materials that would satisfy these criteria. We landed on hot glue as the molding material and Elmer’s white school glue as the casting material. We hypothesized that the hot glue would be both flexible, durable and viscous to retain a detailed fingerprint and the Elmer’s School Glue would dry slightly flexible, thin and durable while not adhering to the hot glue permanently.
It took a few dozen attempts, but we perfected our method for making a clean imprint into the hot glue (without burning our fingers). The key was giving the hot glue a “cooling off” period of about 1 minute, 45 seconds before placing our fingers into it. We then filled the molds with Elmer’s glue and let them dry overnight.
The following morning, we carefully extracted Elmer’s glue from the molds. As expected, the two types of glue did not adhere to each other permanently and we were able to easily separate them. Upon trying the first casting we made, we knew we had a winning formula. The fingerprint image that was showing up on the Guardian’s software looked almost indistinguishable from a finger! See below for an example image from the Guardian software with Elmer’s glue on the scanner:
Successful and hopeful, we turned to the iPhone next. None of our prior methods had been successful at fooling the iPhone’s sensitive scanner. However, judging by the image from the Guardian software and the ease of which it performed a match, we were confident that Elmer’s glue method was superior to the prior methods. We took Elmer’s glue fingerprint, placed it on our unregistered middle finger and pressed against the home button of the iPhone. The iPhone unlocked! We repeated this a dozen more times and found it extremely effective.
The Elmer’s glue fingerprint made from a mold of hot glue was 100% successful at fooling the Guardian fingerprint scanner and the iPhone 8. Interestingly, we noted that the success rate was 100% for the first day but, after a few days of the castings sitting on the desk, the success rate dropped to around 40-50%. We assume that this is due to the glue fully drying once separated from the mold.
Part 5 – Summary
As illustrated within this short project, it is reasonable to conclude that a motivated attacker could both lift a target’s fingerprints and create an inexpensive replica which can fool both Apple iPhones and almost all biometric access control systems. What implications does this have within businesses and the real world?
There are a number of scenarios which should be evaluated within your organization. Probably the most widespread use of biometrics in the workplace today is access control. Many sensitive locations will employ biometric access control systems in order to control and track access to specific areas. As our testing has shown, biometric access systems relying on fingerprints can be easily circumvented. If a location is highly sensitive to your organization, consider implementing multifactor authentication (such as an RFID badge in addition to biometrics) and/or dual control. Further, biometric systems relying on palm vein patterns, hand geometry and iris scanning provide enhanced protection against biometric attacks.
Does your organization allow sensitive business information on employee work phones? Even if sensitive data isn’t directly stored on employee’s phones, do you allow the Outlook App or other email clients? If so, an attacker could presumably access a phone using a biometric replay attack which would result in the access of sensitive business data. Consider enforcing a numerical password with four or more digits on employee phones. A four-digit passcode results in 10,000 possible combinations. Increasing the required length to just five digits results in 100,000 possible combinations, a 10x increase. Increasing the minimum length of passcodes results in passcodes which are increasingly more challenging to brute force.
Many organizations use biometrics for timecard management. These systems use an employee’s biometric identity (e.g., their fingerprint) to trigger a “clock in” or “clock out” event. This ultimately results in wages for employees and expenses for the employer. Per our findings, it would be rather trivial for a motivated employee to clock in or out for another employee with little more than a sliver of Elmer’s glue. If your organization utilizes biometric timecard systems, consider putting the area under video surveillance as a detective control. An additional measure that you can take is to implement some type of multi-factor authentication such as a biometric scan and a PIN code. Ultimately, collusion between employees cannot be prevented. However, it can be deterred and detected through a variety of controls. Consider how your organization can best deter and detect potential biometric replay attacks on the timecard system.
We recognize that reading through this project can leave one to question why we would ever use biometrics! It is worth noting the benefits that biometrics provide. Notably, they are incredibly convenient. Unlike a password, you can’t ever “forget” your fingerprint. Barring an unfortunate accident, wherever you are, so are your fingerprints. This allows enforcing some degree of access control on devices or environments in which other methods of control such as keys or combinations would be too cumbersome. In that case, biometrics do provide an encased level of control.
We hope that you take away from this project is not that you should abandon all biometrics in your organization. But rather, understand that while convenient, biometrics do have weaknesses which should be addressed. Biometric systems should not be blindly trusted due to their often-futuristic feel. Ensure that the organizational risk of the areas and devices in which you utilize biometrics to secure match the risk of using biometrics to secure them.