Few months ago I was testing some TCP & Wiegand based Access Control Systems that also had RFID reading capability and a lovely Fingerprint reader embedded.
Most of my time was spent on hardware security related tasks. However, since I love to mess-up with chemical compounds… I decided to test those Fingerprint Sensors and see which one can be tricked by a cloned version of my finger.
First, let’s have a quick overview of how most of the fingerprint sensors on the market work. (To do that I am using a photo taken from one of the very first academic researches related to fingerprint cloning. The famous paper about Gummy Bear Attack) [1]
Since I have no time nor the wish to give you a Lectio-Magistralis in bio-metrics (despite my 30 cum-laude in that course at University :P ), I will leave at the end of the article couple of resources [2][3].
To clone fingerprints exist multiple methods:
Gummy Bear Attack
Wood Glue + Graphite + PCB Etching
Fuming Chamber + Dental Silicon
etc.
In our case, I opted for the Portable Fuming Chamber + Dental Silicon. Is the easiest to bring with you around (i.e. Red Team engagement) and doesn’t require long time for the glue to dry nor particular skills (e.g. like etching a PCB).
Materials Needed:
Item with the target’s fingerprints: In my case (since it was a PoC) I used a microscope slide.
In a real case scenario I would have taken something with a flat surface with the target’s fingerprints on it. (e.g. a Zippo, glass, mug, etc.)
Ciano-acrylic Glue
Paper Box
USB Cup heater
One small metal box
Cup of water (optional)
Dental Silicon + Activator
Once the target is acquired (i.e. microscope slide or zippo) you have to create a ghetto-style Fuming chamber (like the one used in C.S.I. or any other Forensics Team within LEAs).
To do so, grab a paper box, place inside an USB cup heater (attached to a 2A 10.000mAh battery-pack should work) and place on the top of it the small metal box.
Then place the target with the fingerprints in the box. Pour a generous amount of glue inside the metal. Turn on the cup heater, close the box and wait 15 minutes.
Note, in case you suspect that the fingerprints are older than 24h, it may be useful adding in the fuming chamber a glass of water which should raise the humidity in the box during the fuming process and thus speed it up.
Once done you will end up with something like this:
The fumes of glue got stuck on the flat surface of the slide, creating a negative version of the target’s fingerprint. Now we just need a compound malleable enough to fill those crests and re-recreate (once solidified) the exact copy of the original fingerprint.
I tried with the wood glue and graphite spray… but didn’t work for two reasons. It takes longer to dry than the dental silicon and it works better with the PCB etching technique.
Subsequently, I decided to use the Dental Silicon + Activator (in my case Bonasil-Light and its Activator Paste).
After following the rigid indications about quantity and seconds of mixing the two components… I have spread it on the target uniformly:
After waiting something like 15 minutes (i.e. way less than the wood glue + graphite spray) I slowly lifted the dental silicon from the slide and Voilà! Fingerprint cloned!
And this is the result:
Middle finger (not authorized) with the cloned fingerprint of the Index (authorized) manages to fool the reader!
As counter-proof, the Index gets in.
As counter-proof that the Middle is not authorized, I try it without the cloned silicon layer.
For now, that’s it. Easy Peasy, isn’t it?
If you have questions, you can reach me at @LucaBongiorni
[1] “Impact of Artificial “Gummy”Fingers on Fingerprint Systems”, http://web.mit.edu/6.857/OldStuff/Fall03/ref/gummy-slides.pdf