Blog:

iPhone fingerprint bypass

Tom Roberts 05 Feb 2017

BANNER IMAGE HERE

TL;DR

For years it has been fairly commonly known that commercial grade biometrics have an error rate that means they are secure to a point, but they are not fool proof. I show how it is possible to overcome a fully patched and MDM applied iPhone 7 fingerprint recognition to open the phone.  The entire exercise cost less than £10 to do.

The short video showing this being done is here:

The full story

This is not a new thing, Mikko Kiviharju demonstrated this at black hat in 2006 and as long ago as 2000 researchers have been saying these systems are not good enough and being fair if you go back to Ton and Jeroen’s 2000 white paper they detail all you need to know to replicate this attack yourself. And this specific technique has been shown before for other models of phone and using alternative mould materials, these are just a couple:

This method uses what appears to be a flexible latex type mould made from a fingerprint taken from fast drying epoxy.

This other method shows the bypass of the iPhone 6 using children’s modelling clay from a mould using epoxy designed for making dental impressions.

So I’m not showing anything new here and this has been known about for a VERY long while but it still surprises me that people still believe “it can’t be done”. When I hear this, it reminds me of an “unhackable” claim and just had to do a quick proof.

Some basics of biometrics

First we must discuss that things that a biometric fingerprint reader has to try and do. It’s is basically matching the pattern on your finger to a stored pattern it has and making a decision on if it’s valid or not based on some key criteria. There is always a threshold for error here. Your finger could be dirty, or scuffed, but the pattern must match within a tolerance. But just having the pattern isn’t enough anymore. In the early days of commercial biometrics you could literally bypass the fingerprint recognition with a decent scan and laser printer. So more criteria were added.

  • Pattern – Must match within a given tolerance and must be of a sufficient sample size to trigger “ok”.
  • Warmth – human skin has a body temperature and this must be within a “normal” range.
  • Colour – Some biometrics look for a skin tone or a luminescence value.
  • Conductivity – Skin has a tolerance that falls within a boundary.

Things like paper printouts, latex moulds and other fancy materials can fail for not meeting one or more of these criteria.

How was it done?

Well I’m an avid fan of cheap and cheerful hacks. I tried to keep this under the £20 mark and create multiple forms of mould. Some of the materials used I had in my home for modelling and DIY. I created three moulds of my thumb:

  1. Alginate (right) – I used standard as it’s much lower cost than the often used dental alginate. However this was a mistake as the “theatrical” alginate dries to a powder finish that seems to lose the fine grains of the fingerprint. If I did this again I would use dental alginate as it would appear to dry to a firmer texture and has less retraction and deformation.
    1. Pros – Easy to use dries in 3 minutes
    2. Cons – powder finish and lower than expected fine detail.
  2. Sugru (left)– This is a mouldable glue bought at any hobby store. It’s about £2 a pack but you get just enough in one sachet.
    1. Pros – good results and high definition.
    2. Cons – long drying time.
  3. Milliput (centre) – an epoxy clay used in modelling. Two parts in equal measure mixed and formed into a ball.
    1. Pros – Once set it’s is akin to a metal mould. The impression takes under 3 seconds.
    2. Cons – you may need to apply a slipping agent to the victims finger to allow for a clean imprint.

So now I have three potential moulds to take a fingerprint from. The most “utilitarian” one is the milliput as the imprint time is mere seconds and the material is hearty enough withstand deformation and once dried, it is fairly sturdy stuff.

So now we have moulds in a variety of easily obtainable materials. What can we do with them?

Making an impression

Given the criteria you have to meet in faking human skin you should look for “organic” as it’s going to the place where it’s easiest to come by materials that will have human like properties.

The easiest of which is this childhood favourite:

Play Doh couldn’t hurt anyone could it? Kids eat it and if you are really minded to do so you can make your own on the stovetop with household ingredients (Combine water, oil, salt, cream of tartar, and food colouring in a saucepan and heat until warm. Remove from heat and add plain flour. Knead until smooth).

So, making up a small lump of flesh tone was the next step. Personally I think it’s more of a Simpson’s skin tone but it works nonetheless.

And then, in case you missed it. Putting this all together you get what was shown in the video.

So what does this give an attacker?

Some of you will be saying “so what?” it’s an attack where you have to get close enough to someone to take an imprint of their thumb then you have greater access to their actual thumb. And you would be right. However that is only half the story. While I would contest the mulliput solution would be plausible to carry out on a sleeping victim (low impression times needed) by someone close to the victim, that’s not really the main issue.

The main issue is not to rely on biometrics as the be-all and end-all of security. It has a purpose and that is partially security and partially ease of use. Always make sure you have a backup method of entry (like a long PIN) to enable you to gain access. Losing the only password or key to a secure storage can sometimes cost millions.

What to do?

Commercial level biometrics always have to make a trade off between functionality and cost. To keep costs low, the error or threshold rates in phones and other devices will always be lower than say a £1k door entry system or the systems in use at say the post office that do entire handprints.

For corporates – For mobile devices, do not think of consumer grade biometrics as the highest grade solution or “unhackable”. It is merely a layer applied to facilitate ease of access for users. If the contents of the device warrant stronger methods of security, then take note and ensure secondary defences on applications once the phone is opened.

I have noticed that some apps now use the biometrics purely as an unlock mechanism. Mimecast is one such app. If the phone can be opned with a fake thumb, and so can the email controller preventing malware entering your network, then you have a single point of failure. Enabling the PIN function on this app makes this less of an issue.

For consumers – This is a lifestyle choice. If you prefer the freedom of fingerprints, then by all means use the technology, but accept that in the unlikely event your fingerprint is stolen as shown in this video, know that you cannot change it or reset it. And take heed that if such an event ever did occur that it might even prevent you from using the technology ever again or at least not that particular finger.

The cost of using high end biometrics is still not cost effective for everyday consumer products, and they still have a very low thresholding value of acceptance. As a normal consumer you are buying the “economy brand” of biometrics, even if it appears to be the most modern gadget you own.

The primary reason most people use fingerprint recognition in the public technology space is NOT security, it’s ease of use. That trade off is the risk you must accept or accept a change in your behaviour and keep the ability to change your access controls via PIN or passphrase.