A database containing the fingerprints of 1 million people, along with facial recognition and login data, was publicly available, researchers from the Israeli cybersecurity firm vpnmentor discovered last week. According to vpnmentor’s report released Wednesday, the South Korean security firm Suprema exposed biometrics data that the U.K. Metropolitan police, banks, defense contractors, gyms, and medical supply stores use to allow employees and customers to access buildings. It’s unclear how long this data was exposed, but Suprema’s security system began integrating much of the data in July.
There is no indication yet that an unauthorized third party actually stole any of the data. It’s still worrisome, however. “Facial recognition and fingerprint information cannot be changed,” the report reads. “Once they are stolen, it can’t be undone.”
But there’s a difference between your facial recognition information and your fingerprint information being out in the world, waiting for a nefarious actor to put them to good use. In her piece on a biometrics hack at U.S. Customs and Border Protection in June, Slate’s Jane C. Hu wrote that there’s not much that a nefarious actor can do right now with stolen facial recognition data. Researchers have previously used biometrics data to make 3D masks and looped videos, which can fool facial recognition systems. It’s unlikely, though, that your average hacker is going to spend the money and time required to pull off such an elaborate ruse.
But the fingerprint data in the Suprema database is slightly different. Hackers could use a stolen fingerprint to break into a fairly rudimentary security system. A more advanced system might be possible, too, if they have lots of time and money at their disposal.
There are multiple ways to fool fingerprint readers, according to Anil Jain, who heads the Biometrics Research Group at Michigan State University. “This particular data breach is serious, because not only were the fingerprints of the individuals exposed, but also the metadata”—that is, the associated identities and login information. Stolen fingerprints are more helpful to hackers if they also have that info, since two-factor security systems often require both conventional passwords and fingerprint scans. The vpnmentor researchers further noted that if Suprema had “hashed,” or encrypted, the fingerprint images, then the data would have been less useful to criminals. Jain says that Suprema may have decided not to hash the fingerprints because the quality of the images can degrade through the encryption process.
The amount of effort that a hacker would need to actually break into a building or account using a stolen fingerprint depends on the sophistication of the security system. Some of the less advanced scanners will actually accept a picture of a fingerprint that’s been printed out. In 2016, Jain helped investigators in Lansing, Michigan, break into a criminal’s Samsung Galaxy S6 phone by printing the fingerprint onto a piece of photographic paper, which is made of light-sensitive material. Photographic paper is better at rendering the height of ridges and valleys in a fingerprint, which is what the scanners generally rely on to identify a person. This method also worked on the Huawei Honor 7, but Jain wasn’t able to get consistent results for the iPhone 5S. (A hacker collective in Germany claims to have been able to break into an iPhone 5S by lifting a fingerprint off a glass surface.)
You’d have to buy a 3D printer to fool a more sophisticated fingerprint reader. In 2017, Jain used a printer to create a 3D mold based on a fingerprint image. His team then grafted the fingerprint onto a fake finger made of silicone, which was designed to fool multiple types of scanners. Capacitive scanners, for instance, use electrical currents and the skin’s conductivity to create a fingerprint image, while ultrasound scanners press an ultrasonic pulse against the finger. Optical scanners essentially just take a picture of a fingerprint and try to match it to the one on file. Jain’s fake finger had the properties necessary to fool these various types of authentication methods. Yet it costed hundreds of thousands of dollars to develop, so there probably aren’t a lot of hackers out there making viable fake fingers.
The vpnmentor researchers note in their report that there’s an easier and less expensive way to manipulate a fingerprint database for criminal ends. Hackers could just create new user accounts in the database and enter their own fingerprints, which would allow them to access buildings without having to go through the trouble of copying the biometric data.
“It’s a cat-and-mouse game,” says Jain. “The vendors are trying to make their fingerprint readers more resistant to different types of spoofs. At the same time, the hackers are also getting smarter and trying to think of new ways to hack a fingerprint reader. You can never make any security mechanism foolproof.”