Biometrics have often been used as a form of access control. While this was initially limited to bank vaults in Hollywood movies, it’s now common to see such features on many laptops and smartphones. Despite the laundry list of reasons why this is a bad idea, the technology continues to grow in popularity. [darkshark] has shown us an easy exploit, using a 3D printer to fool the Galaxy S10’s fingerprint scanner.
The Galaxy S10 is interesting for its use of an ultrasonic fingerprint sensor, which continues to push to hardware development of phones minimal-to-no bezels by placing the sensor below the screen. The sensor is looking for the depth of the ridges of your fingerprint, while the touchscreen verifies the capacitive presence of your meaty digit. This hack satisfies both of those checks.
[darkshark] starts with a photograph of a fingerprint on a wineglass. This is then manipulated in Photoshop, before being used to create geometry in 3DSMAX to replicate the original finger. After making the part on an AnyCubic Photon LCD resin printer, the faux-finger pad is able to successfully unlock the phone by placing the print on the glass and touching your finger on top of it.ster
[darkshark] notes that the fingerprint was harvested at close range, but a camera with the right lenses could capture similar detail at a distance. The other thing to note is that if your phone is stolen, it’s likely covered in greasy fingerprints anyway. As usual, it serves as an excellent reminder that fingerprints are not passwords, and should not be treated as such. If you need to brush up on the fundamentals, we’ve got a great primer on how fingerprint scanners work, and another on why using fingerprints for security is a bad plan.
[via reddit, thanks to TheEngineer for the tip!]
It’s a good thing I have an Apple with FaceID. There is no way that anyone could take several photos of my face in a public place and use the photogrammetry techniques mentioned on Hackaday today to make a facsimile of my physiognomy.
Except that it’s not that easy, as mentioned on Hackaday before. Not impossible, but quite hard indeed.
I think your being sarcastic? If not I don’t think anyone has managed to hack through faceid without significant effort, nothing that could have been done through covert surveillance. It not only looks at the topography but uses NIR to see the veins in your face which are much harder to spoof.
There is also no possibility of near relative happening to look similar enough to trick it.
Not sure how much it has changed over time but when the iPhone 10 came out there were lots of people claiming relatives were unlocking their phone. Heres the first one that came up https://youtu.be/dUMH6DVYskc
The Emperor has no clothes!
In theory it might be possible to make a good 3d model of someone’s face if they can grab enough 2d photos of one of those social media sites.
Or use another 3d camera hidden in a hat or behind a mirror or something to get the information.
I always considered face recognition a dubious security solution since it’s a password everyone can see and to change it would require a plastic surgeon or at at least someone hitting you in the face hard enough with a blunt object
As for seeing veins the NIR camera it doesn’t do that and instead looks for a pattern of dots from the IR projector which it uses to infer the 3d shape of what it’s looking at it’s pretty much a miniature Kinect.
With graphics cards becoming so powerful it might not even need to 3d print a face and just model it real time and just just hook into the camera connector and emulate it with a FPGA and or fast micro controller or maybe spoof what the IR camera sees with a modified DLP projector and some optics.
Biometric is password on a postIT(c) sticked on the keyboard, albeit less secure as you bring it everywhere you go.
I’m not completely convinced. Ultrasonic sensors like this are designed to detect a fingerprint through another surface, in this case the screen. Depending on the strength of the transducer, couldn’t it just be picking up his fingerprint through the resin? I’d like to see this test using something other than a finger to trigger the read. Not saying this type of exploit can’t be done, but one video of it supposedly working isn’t great proof.
We all go to sleep at some point.
https://www.cbsnews.com/news/child-uses-sleeping-moms-fingerprints-to-buy-pokemon-gifts/
I guess in that case it was so easy a child could do it.
touching your finger on top of it.ster
“it.ster” ???