5 Ways Hackers Bypass Fingerprint Scanners (How to Protect Yourself)

Fingerprint scanners are a good line of defense against hackers, but they’re by no means impenetrable. In response to the rise of devices supporting fingerprint scanners, hackers are improving their techniques to crack them.

Here are some ways that hackers can break into a fingerprint scanner.

1. Using Masterprints

Just as physical locks have master keys that can unlock anything, fingerprint scanners have what are called “masterprints.” These are custom-made fingerprints that contain all the standard features found on everyone’s fingers.

Hackers can use masterprints to get into devices that use sub-par scanning. While proper scanners will block a masterprint, a less-powerful scanner found in a mobile phone may not be as rigorous with its checks. As such, a masterprint is an effective way for a hacker to get into devices that aren’t vigilant with their scans.

How to Avoid This Attack

The best way to avoid this kind of attack is to use a fingerprint scanner that doesn’t skimp on the scan. Masterprints exploit less-accurate scanners that do a “good enough” scan to confirm an identity.

Before you put your trust into a fingerprint scanner, do some research on it. Ideally, you’re looking for a False Acceptance Rate (FAR) statistic. The FAR percentage is the chance of an unapproved fingerprint gaining access to a system. The lower this percentage is, the better the chance that your scanner will reject a masterprint.
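To make the FAR figure concrete, here is an added example (not from the original article or any scanner vendor) that estimates FAR and its counterpart, the False Rejection Rate, from match scores at different acceptance thresholds, and shows how a per-scan FAR compounds over repeated tries. The matcher, its 0-100 score scale and every score are constructed for illustration.

```python
# Added illustration: all scores below are constructed, not measurements
# from any real scanner. Scores are 0-100 similarity values from a
# hypothetical matcher; a scan is accepted when score >= threshold.
GENUINE = [91, 88, 95, 79, 84, 93, 72, 90, 86, 97]        # owner's finger
IMPOSTOR = [12, 35, 41, 8, 55, 23, 61, 30, 47, 19,
            66, 28, 15, 52, 38, 44, 9, 71, 33, 26]         # other fingers


def far(threshold, impostor=IMPOSTOR):
    """False Acceptance Rate: share of impostor scans that are accepted."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False Rejection Rate: share of the owner's scans that are rejected."""
    return sum(s < threshold for s in genuine) / len(genuine)


def p_any_accept(per_attempt_far, attempts):
    """Chance that at least one of `attempts` impostor scans is accepted,
    assuming each attempt is independent."""
    return 1 - (1 - per_attempt_far) ** attempts


def sweep(thresholds, attempts=5):
    """Return (threshold, FAR, FRR, P(any accept in `attempts`)) rows."""
    return [(t, far(t), frr(t), p_any_accept(far(t), attempts))
            for t in thresholds]


if __name__ == "__main__":
    print("thresh   FAR    FRR   P(accept within 5 tries)")
    for t, fa, fr, p in sweep([50, 70, 80]):
        print(f"{t:>6}  {fa:5.2f}  {fr:5.2f}  {p:6.3f}")
```

With this data, the lenient threshold of 50 never rejects the owner but accepts a quarter of impostor scans, while the strict threshold of 80 accepts no impostors at the cost of rejecting the owner one time in five.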

2. Harvesting Unsecured Images

Two hackers extract a fingerprint image from a smartphone
Image Credit: tarik_vision/DepositPhotos

If a hacker gets a hold of your fingerprint image, they hold the key to getting into your scanners. People can change a password, but a fingerprint is the same for life. This permanence makes fingerprints a valuable tool for hackers who want to get past a fingerprint scanner.

Unless you’re very famous or influential, it’s unlikely a hacker will dust down everything you touch to get your prints. It’s more likely that a hacker will target your devices or scanners in hopes that they contain your raw fingerprint data.

For a scanner to identify you, it needs a base image of your fingerprint. During setup, you provide a print to the scanner, and it saves a picture of it to its memory. It then recalls this image every time you use the scanner, to ensure the scanned finger is the same one you provided during setup.

Unfortunately, some devices or scanners save this image without encrypting it. If a hacker gains access to the storage, they can grab the picture and harvest your fingerprint details with ease.

How to Avoid This Attack

Avoiding this kind of attack requires considering the security of the device you’re using. A well-made fingerprint scanner should encrypt the image file to prevent prying eyes from getting your biometric details.

Double-check your fingerprint scanner to see if it’s storing your fingerprint images properly. If you find that your device is not opting to save your fingerprint image safely, you should stop using it immediately. You should also look into erasing the image file so that hackers can’t copy it for themselves.
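For anyone evaluating a scanner product who has a copy of the file it writes at enrollment, the added example below (not from the original article) shows one way to check whether that file looks like a plain image or like encrypted data. The sample blobs, the `classify_blob` helper and the 7.5 bits-per-byte cut-off are assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter

# File signatures of common unencrypted image formats.
IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": "PNG", b"\xff\xd8\xff": "JPEG", b"BM": "BMP"}


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_blob(data, entropy_floor=7.5):
    """Heuristic verdict on a stored enrollment blob.
    entropy_floor is an assumed cut-off, not a standard value."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return f"unencrypted {name} image"
    if shannon_entropy(data) < entropy_floor:
        return "low entropy, likely unencrypted"
    # High entropy is what ciphertext looks like, but compressed data
    # does too, so this verdict is a necessary sign, not proof.
    return "high entropy, consistent with encryption"


def pseudo_ciphertext(size=4096):
    """Constructed stand-in for encrypted data (chained SHA-256 output)."""
    out, block = b"", b"constructed-sample"
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]


# Constructed sample blobs, not taken from any real device.
SAMPLES = {
    "png_file": b"\x89PNG\r\n\x1a\n" + bytes(64),
    "raw_grayscale": bytes([0, 255] * 2048),   # ridge/valley-like pattern
    "encrypted_store": pseudo_ciphertext(),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:16} {shannon_entropy(blob):4.2f}  {classify_blob(blob)}")
```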

3. Using Forged Fingerprints

If the hacker can’t get a hold of an unsecured image, they can choose to create a fingerprint instead. This trick involves getting a hold of the target’s prints and recreating them to bypass the scanner.

You probably won’t see hackers going after members of the public with this method, but it’s worth keeping in mind if you’re in a managerial or governmental position. A few years ago, The Guardian reported on how a hacker managed to recreate a fingerprint of the German defense minister!

There are a variety of ways a hacker can turn a harvested fingerprint into a physical recreation. They can create a wax or wooden replica of a hand, or they can print it on special paper with silver conductive ink and use it on the scanner.

How to Avoid This Attack

Unfortunately, this is one attack which you can’t directly avoid. If a hacker intends to breach your fingerprint scanner, and they manage to get a hold of your fingerprint, there’s nothing you can do to prevent them from making a model of it.

The key to defeating this attack is to stop the fingerprint acquisition in the first place. We don’t recommend you start wearing gloves all the time like a criminal, but it’s good to be aware of the possibility of your fingerprint details leaking into the public eye. We’ve seen a lot of sensitive information database leaks recently, so it’s worth considering.

Make sure you only give your fingerprint details to trusted devices and services. If a less-than-stellar service suffers a database breach and they hadn’t encrypted their fingerprint images, this would allow hackers to associate your name with your fingerprint and compromise your scanners.

4. Exploiting Software Vulnerabilities

Some password managers use a fingerprint scan to identify the user. While this is handy to secure your passwords, its effectiveness is dependent on how secure the password manager software is. If the program has insufficient security against attacks, hackers can exploit it to get around the fingerprint scan.

This problem is similar to an airport upgrading its security. They can place metal detectors, guards, and CCTV all over the front of the airport. If there’s a long-forgotten back door where people can sneak in, however, all that additional security would be for nothing!

Recently, Gizmodo reported a flaw in Lenovo devices where a fingerprint-activated password manager had a hard-coded password inside of it. If a hacker wanted to gain access to the password manager, they could skirt past the fingerprint scanner using the hard-coded password, rendering the scanner useless!

How to Avoid This Attack

Typically, the best way to avoid this kind of attack is to purchase well-received and popular products. Despite this, Lenovo is a popular household name, and they suffered an attack as well.

As such, even if you’re only using hardware made by reputable brands, it’s crucial to keep your security software updated to patch out any problems found afterward.

5. Reusing Residual Fingerprints

A residual fingerprint left on a smartphone screen
Image Credit: lucadp/DepositPhotos

Sometimes, a hacker doesn’t need to perform any advanced techniques to get your fingerprints. Sometimes, they use the remnants left over from a previous fingerprint scan to get past the security.

You leave your fingerprints on objects as you use them, and your fingerprint scanner is no exception. Any prints harvested off of a scanner are near-guaranteed to be the same one that unlocks it. It’s sort of like forgetting the key in the lock after you’ve opened a door.

Even then, a hacker may not need to copy the prints from the scanner. Smartphones detect fingerprints by emitting light onto the finger, then recording how the light bounces back into the sensors. Threatpost reported on how hackers can trick this scanning method into accepting a residual fingerprint.

Researcher Yang Yu tricked a smartphone fingerprint scanner into accepting a residue fingerprint scan by placing an opaque reflective surface over the scanner. The reflective surface fooled the scanner into believing the leftover print was an actual finger and gave him access.

How to Avoid This Attack

This one is simple; wipe your fingerprint scanners! A scanner naturally has your fingerprints all over it, so it’s crucial to keep it clean of your prints. Doing so will prevent hackers from using your scanner against you.

Keep Your Credentials Safe

While fingerprint scanners are a useful tool, they’re far from impenetrable! If you use a fingerprint scanner, be sure to perform safe practices with it. Your fingerprint is the key to all the scanners you use, so be very careful with your biometric data.

Do you want to know when someone tries to access your Android phone? Why not try an app that records unlock attempts?

Image Credit: AndreyPopov/Depositphotos


  1. ReadandShare
    April 14, 2019 at 12:57 pm

    "The best way to avoid this kind of attack is to use a fingerprint scanner that doesn’t skimp on the scan."

    How to tell? My phone / fingerprint reader is HTC 10.

  2. ReadandShare
    April 14, 2019 at 12:54 pm

    "Double-check your fingerprint scanner to see if it’s storing your fingerprint images properly."

    How? Do tell.

  3. Fik of the borg
    April 9, 2019 at 5:08 pm

    So, if someone gets your fingerprint, you are screwed for life since fingerprints can't be changed like passwords can. They only look cool.

    • catly
      April 28, 2019 at 2:43 pm

      Exactly.