Biometric security is increasingly common in smartphones, with devices like the iPhone X depending on facial recognition as their primary authentication method.
A more common variant of biometric authentication is the fingerprint scanner, which has become ubiquitous in mid- and high-end smartphones.
The technology has improved greatly since it was introduced, and users can now unlock their smartphones by placing their fingertip on a sensor at the front or back of a device.
Biometric authentication can be tricked, however, with enterprising hackers always finding a way to fool sensors – even using impractical means.
After reading online about various attempts to fool fingerprint sensors, we attempted to replicate these methods and see if we could fool the fingerprint sensor on a Samsung Galaxy S9.
The goal: make prosthetic fingerprints using household materials which would fool the Galaxy S9’s sensor.
The first method we attempted to replicate was making a mould of our fingerprints using epoxy putty, which would then harden and be a cast for a PVA glue pour.
We tried to make an accurate mould in the putty, but it did not retain enough detail when wet and did not receive impressions nearly as well when drying.
This was quickly ruled out as a poor method.
After abandoning the putty, we moved on to a combination of Prestik and wood glue.
The Prestik retained the details of the fingerprint well, but once the wood glue was poured in the mould and dried, it was impossible to separate the two materials without compromising the fingerprint.
The last method we chose described a mould made from candle wax and a silicone adhesive cast.
After carefully placing our fingers in the hot wax, we were left with detailed moulds of the digits.
We then poured silicone into the moulds and left the material to cure for three days.
Separating the two materials was easy, and the results from the silicone cast were impressive.
However, the silicone casts of two MyBroadband employees’ fingerprints failed to unlock their respective Galaxy S9 devices when used in our tests.
The Samsung Galaxy S9’s fingerprint sensor did not recognise the silicone surface as a finger and failed to register any biometric login attempts.
An incorrect fingerprint placed on the sensor usually brings up a “No Match” warning on the display, but the silicone prosthetic did not trigger any reaction from the device.
While the silicone fingerprint prosthetics presented a good recreation of the fingerprints, they were missing a crucial component – the same electrical properties as human skin.
This is important, as modern smartphone fingerprint sensors have moved past optical sensors to capacitive sensors.
A silicone prosthetic would have been more likely to fool an optical fingerprint sensor, as these take an image of the fingerprint to detect its details.
A capacitive sensor works very differently, however, and is a lot harder to crack.
The surface of a capacitive fingerprint sensor comprises thousands of tiny electric sensors which measure electrical conductivity.
Each sensor acts as a capacitor, with its voltage changing depending on the surface it is touching.
When a finger is placed on the surface, a charge is pulsed through the sensor and the voltage of each unit is measured – with certain voltage readings signifying fingerprint ridges and others signifying valleys.
This configuration allows the fingerprint sensor to ignore conductivity readings not consistent with human fingertips.
This is likely why the silicone prosthetics we created were not picked up at all by the sensor.
Bypassing this type of sensor would require the use of a cast material that has electrical properties similar to those of human skin and can be cast easily.
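The difference between a silent sensor and a "No Match" warning can be shown with a simplified model of the two stages described above. This is an added example, not Samsung's algorithm or code from the original article; the thresholds, the 4x4 grid, the status names and all readings are constructed assumptions.

```python
# Simplified two-stage model of a capacitive fingerprint sensor.
# All thresholds, units and sample readings are constructed for illustration.
SKIN_BAND = (0.30, 0.90)  # normalised per-cell readings accepted as skin contact (assumed)
RIDGE_THRESHOLD = 0.60    # at or above: ridge, below: valley (assumed)
MIN_CONTACT = 0.50        # fraction of cells that must read as skin (assumed)
MATCH_THRESHOLD = 0.90    # fraction of cells that must agree with the template (assumed)

def frame_from(pattern, ridge, valley):
    """Build a grid of readings from a ridge(1)/valley(0) pattern."""
    return [[ridge if cell else valley for cell in row] for row in pattern]

def contact_fraction(frame):
    """Share of cells whose reading is consistent with skin."""
    lo, hi = SKIN_BAND
    cells = [v for row in frame for v in row]
    return sum(lo <= v <= hi for v in cells) / len(cells)

def to_ridge_map(frame):
    """Classify each cell reading as ridge (1) or valley (0)."""
    return [[1 if v >= RIDGE_THRESHOLD else 0 for v in row] for row in frame]

def similarity(a, b):
    """Fraction of cells on which two ridge maps agree."""
    pairs = [(x, y) for ra, rb in zip(a, b) for x, y in zip(ra, rb)]
    return sum(x == y for x, y in pairs) / len(pairs)

def authenticate(frame, template):
    # Stage 1: readings outside the skin band are dropped before any matching,
    # so the device shows nothing at all.
    if contact_fraction(frame) < MIN_CONTACT:
        return "IGNORED"
    # Stage 2: only skin-like frames reach the matcher and can yield "No Match".
    score = similarity(to_ridge_map(frame), template)
    return "MATCH" if score >= MATCH_THRESHOLD else "NO_MATCH"

# Constructed ridge/valley patterns for an enrolled finger and a different finger.
ENROLLED = [[1, 0, 1, 0], [0, 1, 0, 1], [1, 1, 0, 0], [0, 0, 1, 1]]
OTHER = [[1, 1, 0, 0], [1, 1, 0, 0], [0, 0, 1, 1], [0, 0, 1, 1]]
TEMPLATE = to_ridge_map(frame_from(ENROLLED, 0.80, 0.40))

REAL_FINGER = frame_from(ENROLLED, 0.80, 0.40)      # skin-like readings, right pattern
WRONG_FINGER = frame_from(OTHER, 0.80, 0.40)        # skin-like readings, wrong pattern
INSULATING_CAST = frame_from(ENROLLED, 0.08, 0.02)  # right pattern, non-skin readings

if __name__ == "__main__":
    for name, frame in [("real", REAL_FINGER), ("wrong", WRONG_FINGER),
                        ("cast", INSULATING_CAST)]:
        print(name, authenticate(frame, TEMPLATE))
```

In this model the cast carries the correct ridge geometry but never reaches the matcher, which is consistent with the device showing no reaction rather than a "No Match" warning.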