How Hackers Bypass Fingerprint Scanners

Fingerprint scanners are generally a great line of defense against hackers, but this doesn’t mean that they are impenetrable. And as device fingerprinting for fraud reduction is increasing, hackers are devising new techniques to crack them.

The following are some of the ways in which hackers could break into fingerprint scanners.

Fingerprint Scanner Hacker Guide Header Image


1. Masterprints

Just as master keys could be used to unlock physical locks, fingerprint scanners have something called “masterprints”. These are essentially custom-made fingerprints that usually contain all of the standard features found on human fingers.

Hackers can use masterprints to unlock devices that use sub-par fingerprint scanning technology. While proper scanners usually block masterprints, less powerful scanners on a mobile device might not be as rigorous with it checks as it should. This gives hackers an effective way to get into the device as it’s not rigorous with its scans.

How To Prevent This Hack

The best way to avert an attack here would be to use a powerful fingerprint scanner that doesn’t skimp on its scans. Generally speaking, masterprints usually exploit the less accurate scanners that don’t do scans that are “good enough” to confirm the identity of the user.

So, before trusting the fingerprint scanning feature on your device, it’s wise to research on it. Pay great attention to the False Acceptance Rate (FAR). This is a statistic that gives a percentage of the probability that an unapproved fingerprint could gain access to the device. The lower the FAR figure, the better the chance the scanner will reject a masterprint.

2. Harvesting Unsecured Images

When a hacker gets hold of your fingerprint image, they in effect hold the key to get into your scanners. While you can change a password, your fingerprint will remain the same for life. This permanence essentially makes them valuable for hackers looking to get past a fingerprint scanner.

However, unless you are highly influential or famous, it’s unlikely a hacker will invest their time and resources to get a hold of your prints. It’s more likely that they will target your scanners or devices in the hopes that they contain your raw fingerprint data.

For a scanner to identify the user, it typically requires the base image of your fingerprint. During the setup process, you will provide your print to the scanner, and it will then save its picture to its memory. It will then recall this image each time you use the scanner, and make sure that the finger you scan is the same you provided in the setup process.

Unfortunately, some scanners or devices usually save this image without encrypting it first. In case a hacker gets access to this storage, they can harvest your fingerprint details by grabbing the raw picture of your fingerprint.

How To Prevent This Attack

To avoid this attack, you need to consider the security of the device you’re using. A well-designed fingerprint scanner needs to encrypt the image file to prevent any prying eyes from getting a hold of your biometric details.

Be sure to check whether your fingerprint scanner stores your raw fingerprint images correctly. In case your device doesn’t use the proper methods and technologies to store your fingerprint image securely, stop using it immediately. Consider also erasing the image file to make sure that the hackers won’t be able to copy it for themselves.

3. Forged Fingerprints

In case a hacker is unable to get a hold of your fingerprint image, they could attempt to create a fingerprint instead. This involves trying to find the target prints and then recreating them to bypass the scanner.

This method is generally not used for members of the public, but it’s still worth knowing about it, especially if you’re in a governmental or managerial position. For instance, a few years back, The BBC reported on how a hacker was able to recreate a fingerprint of the German Defense minister.

There are many ways in which a hacker could turn a harvested fingerprint into a physical one. They could either create a wooden or a wax replica of a hand, or they could even print it off on a special piece of paper or a silver conductive ink and use it on the scanner.

How To Avoid This Attack

This is unfortunately one of the attacks that’s difficult to avoid directly. If a hacker is seriously after breaching your fingerprint scanner and they are able to get a hold of your fingerprint, there’s really nothing you could do to prevent them from making a replication or model of it.

To defeat this attack, the key lies in stopping the acquisition of the fingerprint in the first place. It’s not recommended that you start wearing gloves all the time, but it’s certainly important to be aware of the possibility that your fingerprint details could leak to the public eye. In recent years, a lot of databases containing sensitive information have leaked, and it’s worth having this in mind.

It’s also important to change your passwords regularly. A large database with over 560 million users’ login details was recently found online, and it’s just waiting to be discovered by the never-do-wells.

Ensure that you only use your fingerprint details on trusted services and devices. In case a below par service experiences a breach with its database and it’s uncovered that their fingerprint images weren’t encrypted, then this could provide a way for hackers to link your name to your fingerprint image and compromise your scanners.

4. Software Exploit

There are some password managers that use a fingerprint scan to validate the user. Although this comes handy when it comes to securing passwords, its effectiveness usually depends on how secure the software running the password manager is. If it has some inherent security flaws against attacks, hackers could exploit them and get around the fingerprint scan.

This problem is quite similar to an airport upgrading its security system. They could place guards, metal detectors, and even CCTV cameras all around the front of the airport. However, if malicious people discover a backdoor when they could sneak in, all the traditional security would be for nothing.

Gizmodo recently reported about a security defect in a myriad of Lenovo devices where a password manager activated by fingerprint came with a password hard-coded inside. In case a malicious person wanted to access the password manager, all they needed to do was navigate past the scanner through the password hard-coded in the system, which effectively rendered the scanner useless.

How To Prevent This Attack

The best way to avoid this attack is by purchasing the more popular and well-received products. However, you should keep in mind that despite this, Lenovo is quite a popular household brand, and they also suffered an attack.

As such, even if you’re only using products made by reputable manufacturers, it’s vital to keep your security software up to date to patch out any of the problems that may be discovered afterward.

5. Residual Fingerprints

Sometimes, hackers don’t really need to use advanced techniques to get hold of your fingerprints. There are times when all they need is the remnants left over from a previous scan to get past the security.

Everyone leaves their fingerprints on objects as they use them. A fingerprint scanner is not an exception. The prints that can be harvested off a scanner are almost guaranteed to be the one that unlocks it. This is similar to forgetting a key in the lock when you open the door.

The hacker might not even need to copy the prints off of the scanner. The fingerprint scanners used on smartphones usually detect fingerprints by emitting light onto your finger and then record the light back to the sensors. Threatpost has reported how a hacker could trick the scanner into granting access via a residual fingerprint.

A researcher by the name of Yang Yu successfully tricked a smartphone fingerprint scanner into granting access to a residual fingerprint. This was done by putting a reflective, opaque object on top of the scanner. This fooled the scanner into thinking the leftover print was an actual finger and granted him access.

How To Prevent This Attack

This is really simple – wipe down your fingerprint scanners regularly. The scanner will naturally have your fingerprints all over it at any given time. As such it’s crucial to keep it clean of your prints. This will help prevent hackers from using the scanner against you.

If you are interested in even more business-related articles and information from us here at Bit Rebels, then we have a lot to choose from.

Fingerprint Scanner Hacker Guide Article Image