ITL 233: Cyberattacks January 2006 Biometric Devices and Fingerprint Spoofing

During the Washington & Jefferson College January intersession, the students in ITL 233: Cyberattacks performed a variety of lab exercises to explore the properties of a variety of malware and security software. On January 26th, we worked as a group to investigate the numerous reports (1, 2, 3) that biometric fingerprint scanners can easily be spoofed with Play-doh, gummy bears, and other household materials. While we believed that fingerprint spoofing would be possible using plastic molds and latex or gelatin casts, we wanted to confirm that a less sophisticated method would work as well.

We had two personal use fingerprint scanners available to us: the APC Biometric Security device and the Microsoft Fingerprint Reader. We installed both of these devices following the provided instructions without deviating from their default settings to mimic the average user's installation. Two identically-configured Dell Latitude laptops were used. Each student set up an account on each of the machines and scanned in the fingerprint on the finger of their choice. Both devices were shown to reliably identify all scanned fingerprints; no false positives were achieved when scanning fingerprints that had not been registered with the system.

In order to spoof our fingerprints, a variety of materials was purchased from Target and the local grocery store; only commonly available, inexpensive materials were selected. Paraffin wax, specifically Gulf Wax Household Paraffin Wax, was purchased for use in making fingerprint molds. To make casts, we had:

• Play-doh
• Target-brand gummy bears
• Silly Putty
• Elmer's Reusable Adhesive Tac 'N Stik
• RoseArt Modeling Clay
• Crayola Model Magic Soft, Spongy Modeling Material

Altogether, $12.82 including tax was spent to purchase these materials. A kitchen knife, hotpot and mug were scavenged from the instructor's office for use in cutting and heating the wax, as was scotch tape for cleaning the scanners before a spoofing attempt.

We began by simply trying to create fingerprint casts by pressing our fingers into the various casting materials. This simple, one-step method would have the advantage of taking a fingerprint cast directly off the original fingerprint, rather than off a necessarily less-detailed mold of that fingerprint. It was quickly determined that, claims otherwise aside, gummy bears were not a plausible material for spoofing fingerprints. None of us was able to get a gummy bear to hold a fingerprint, either on the flat back surface, or by tearing the gummy bear open and trying to create an impression on the softer interior. It was theorized that perhaps a superior quality of gummy bear, instead of the generic brand purchased, or a gummy candy with a large surface area would work better. But for the remainder of the experiment the gummy bears became simply a form of sustenance.

The other materials were all able to hold a fingerprint well, with the only observations being that the Tac 'N Stik perhaps held a fingerprint too easily, requiring very careful handling. The best method found was to flatten and smooth it between two sheets of paper, lift the top paper and make a fingerprint impression on the top surface, and then use the lower paper to move the Tac 'N Stik and press it into the fingerprint scanner. Without using this or a similar technique, the original fingerprint impression would inevitably be merged with another print created in the manipulation of the cast. Team Bill observed that a pliable material that could hold a mold without picking up every fingerprint would be needed for successful spoofing.

None of the efforts to spoof the scanners using a direct impression of the fingerprint was successful. In many cases the scanner would not even register that a fingerprint was present to scan (the software bundled with each scanner includes a visual cue that it is attempting to read a fingerprint; this cue also visually indicates whether a fingerprint matching one registered with the system has been found). Both devices attempted to read the Play-doh impressions, and some people were able to get them to do so consistently, but the impression was never identified as a registered fingerprint.

The software supporting the APC scanner was particularly useful, as it would display the fingerprint image it was attempting to match on the screen. A visual inspection suggested that these fingerprints were comparable in detail to an actual fingerprint scan. It was concluded that the mirror image obtained from a direct impression of the fingerprint was not going to be sufficient to spoof the scanners, and that an impression would have to be taken from a mold in order to have a comparable fingerprint to present to the scanner.

To make a fingerprint mold using inexpensive, widely available materials, we elected to use wax. A mug was placed inside a hot pot, over an inch or two of boiling water, and small chunks of paraffin wax were placed in the mug, before placing the hot pot lid over the entire contraption. This jury rigged double boiler was quite successful in softening the wax. It was found that unless the wax was well softened, it would crack and not hold a fingerprint impression well.

Initially, the wax-based mold technique appeared to be less successful than the direct impression technique. The wax did not appear to hold a sufficiently detailed impression, and even after a brief rest in the freezer of the departmental fridge, the wax was found to be too malleable to hold up to the pressure necessary to make a good cast, particularly when using the Tac 'N Stik, which was the firmest of the materials used. The Silly Putty was found to be the most sensitive to taking an impression, even under only moderate pressure against the mold. However, Silly Putty was found to cling to the fingerprint scanners, particularly the slightly gummy surface of the Microsoft device, and was quickly dismissed as unsuitable for the task. At this point, only the Play-doh, modeling clay, and modeling material were considered plausible for spoofing fingerprints.

Six teams worked on creating molds and casts, with five teams meeting with no success and concluding eventually that rumors of Play-doh being usable for this task were unfounded. It was conjectured that the casting might have been more successful had the Play-doh been slightly less fresh and thus slightly firmer. As it was, the Play-doh was found to be too soft to hold up to the pressure necessary against the scanners, while the modeling clay and modeling material was too firm to make a good impression against the delicate molds. Team Tuff was able to get the scanners to attempt to identify their spoofed fingerprints using modeling clay but did not get any positive identifications, it seemed due to deformation of the clay when pressed against the scanner; they theorized that putting the actual fingerprint cast in the freezer before using it might have helped. Despite these failures, a sixth team, Team 1337,  employed a more time consuming strategy than the other teams which ended up meeting with success.

Team 1337 created a fingerprint mold by first taking a very soft piece of wax and flattening it against a hard surface until approximately a quarter-inch thick. They then pressed the finger to be molded into the wax firmly for over 5 minutes, making a deep, well-defined impression. The wax was then transferred to the freezer for 10-15 minutes until quite hard and slightly frozen. The team focused on spoofing the Microsoft device, citing the larger flat surface for scanning, as compared to the smaller recessed scanning area of the APC device that required deformation of the cast in the process of scanning. After trying the various materials available, the team concluded that the Crayola modeling material was the most suitable, holding a cast well while being firm enough to hold up to the significant pressure necessary when using the Microsoft device.

By firmly pressing the modeling material into the wax mold, a cast was made that, when pressed against the scanning surface on the Microsoft device, was identified as the fingerprint of the team member upon whom the mold was made. These results were replicated twice using the wax mold, at which point it became clear that even after freezing, repeated casting degraded the detail of the mold such that it was no longer useful. The result was replicated with a second mold, made in the same manner, again using the Crayola modeling material. This second trial is shown in the avi video file here. You can see the modeling material being pressed into the wax mold, and then being pressed against the Microsoft scanner a few times. You can tell that the spoof was successful when the biometric software's "One Touch Menu" pops up in the lower right-hand corner of the screen. A close-up of that menu is show here. Using this technique, they were able to successfully spoof the Microsoft reader approximately a third of the time.

At the same time a third mold, following the approach of the other teams of pressing a finger into a lump of wax, was created. This mold was found to not produce satisfactory casts; it appears that creating a mold in a smooth, flat piece of wax is required.

Following this success, Team 1337 turned their approach against the APC device. Given the recessed scanning surface, the approach used on the Microsoft scanner was not successful. It was noted, though, that the APC scanning surface requires significantly less pressure to register a fingerprint than the Microsoft scanning surface. Given that, the Play-doh was chosen as the casting material, and before a fingerprint impression was made, the Play-doh was first pressed into the APC scanner. When removed, the Play-doh was shaped to the scanner, with a flat surface at the tip corresponding to the scanning surface. This flat tip was pressed into the wax mold, and the Play-doh cast was then pressed back into the APC scanner. It was found that light pressure needed to be employed and that patience was required while the scanning surface took longer than normal to register and register the fingerprint. However, following this technique, multiple successful spoofs were achieved until, again, the mold appeared to soften too much to allow an accurate cast. Video of one of these trials is shown in this avi file. You will see that the laptop has been locked, the cast is held against the scanner, the scanning feedback window shows an image of the fingerprint that has been found which will eventually turn green (as seen to the left), and then the login prompt will clear and the computer will be unlocked.

Based on these two results, we conclude that it is possible to spoof a personal-use fingerprint scanner using inexpensive household materials. However, a few additional observations are worth making:

• When using Crayola Model Magic, one must move quickly, as the material becomes firm and then brittle quite quickly. One could not expect to use it to make a cast significantly ahead of the time at which it was to be used.
• In order for the process to succeed, a very high quality mold is required. Beyond the freezing time, a fingerprint impression in pre-smoothed very soft hot wax using significant pressure is required. As was noted by Team 1337, it is unlikely that such a mold can be acquired casually from an individual for the purposes of stealing their fingerprint. It has been suggested by a colleague, however, that a fingerprint impression made in half-dry fingernail polish and then allowed to harden completely might be a suitable alternative.
• The fingerprint being spoofed was a thumb print, offering a large, and predominantly flat, surface to cast against. It is likely that this aided in the molding and casting process. Future work might test the procedure outlined above when used to spoof thumbprints, index fingerprints and pinky fingerprints.

It should also be noted that, following a standard installation, the biometric devices looked at served a convenience purpose, allowing a fingerprint to stand in for a password, but fingerprint authentication was not required in addition to a password. The increased security would come from the increased likelihood that users would pick sufficiently long and complex passwords and not write those passwords down if they could use a biometric device to store and retrieve those passwords as needed. There is implicit in such a system, though, that the user will come to rely on the device and, in the case of device failure, be unable to remember the passwords normally retrieved by the biometric device.