Yes, 3D printed fingerprints can fool smartphone scanners. No, that shouldn’t keep you up at night.
Hackers love a good hack, and often that falls into “because I could” territory. So it was for Imgur user “darkshark” whose latest attempt has been making the rounds of internet tech news this week. Darkshark poses a simple claim:
“I attempted to fool the new Samsung Galaxy S10’s ultrasonic fingerprint scanner by using 3d printing. I succeeded.”
The Galaxy S10 is the latest smartphone from Samsung, equipped with a high-tech ultrasonic fingerprint scanner that is said to be much more secure than typical optical scanners. With this newfangled scanner, fingerprints are examined in 3D: the phone looks not just at the pattern but at the ridges to ensure that the right finger is trying to access the phone.
But is it infallible? Does it have to be the right finger? Such questions keep the curious up at night, and no one can say darkshark isn’t the curious sort.
So off went a bit of work with a wine glass, smartphone camera, software manipulation and modeling, and a 3D printer.
Darkshark captured a photo of their fingerprint on a wine glass, then increased the contrast in Photoshop to create an alpha mask. That in turn went into 3ds Max to create a full 3D model “of every last detail of the fingerprint.”
“I popped that model into the 3D printing software and began to print it. This was printed using an AnyCubic Photon LCD resin printer, which is accurate down to about 10 microns (in Z height, 45 microns in x/y), which is more than enough detail to capture all of the ridges in a fingerprint,” darkshark reports. “Printed perfectly. Print time was only around 13 minutes.”
[“I distorted my fingerprints in photoshop before posting this, so that you guys can’t steal it lol. I don’t trust any of you.” / Images via Imgur]
It took a bit of tweaking to get it right, but not much. After three reprints, including mirroring the fingerprint, the ridge height was right and the resin print was usable, as seen in the full Imgur post.
There have been fears for years about 3D printed hand replicas being used in identity theft, and new smartphone releases with the most advanced facial/fingerprint scanners continue to be targets for new attempts. Many of those attempts succeed, with 3D printed fingerprints and 3D printed masks unlocking phones. More of the attempts fail, of course; we don’t hear about those so much. There’s not much Imgur street cred for “I attempted to do this hack-y thing and failed and gave up.”
Still, that some of them succeed and are highly publicized lends credibility to fears about just how secure our phones are. Phones are our portal to everything these days: bank accounts, mortgages, contact lists, calendars, perhaps sensitive photos or documents.
Those who are proving the vulnerabilities are not unaware of the issues they raise; darkshark notes:
“This brings up a lot of ethics questions and concerns. There’s nothing stopping me from stealing your fingerprints without you ever knowing, then printing gloves with your fingerprints built into them and going and committing a crime.
If I steal someone’s phone, their fingerprints are already on it. I can do this entire process in less than 3 minutes and remotely start the 3d print so that it’s done by the time I get to it. Most banking apps only require fingerprint authentication so I could have all of your info and spend your money in less than 15 minutes if your phone is secured by fingerprint alone.”
So, yes, it can be done… but, really, will it?
Phones, especially expensive new models, are certainly targets for thieves. But how many pickpockets are going to actually first swoop in for a high-res snapshot of your fingerprints at the bar where they lift your phone and be ready with software, hardware, and the patience to try and retry the design to delete the calendar reminder for Billy’s piano recital before deleting all your information and turning the phone into profit?
A lot of things are technically possible, but that doesn’t mean they’re going to be regular occurrences. For most people, common sense is a good enough protective measure.