Biometric Bypass: Lifting Fingerprints from Glasses to Clone Entry Credentials
At DEF CON 2019, security researchers demonstrated lifting fingerprints from drinking glasses using household materials and 3D printing fake fingerprints capable of fooling fingerprint scanners — including iPhone TouchID.
Background
Biometric access control is increasingly used for both physical access (office doors, safes) and digital access (smartphone unlock, banking apps). The perceived permanence of biometrics — "you can't change your fingerprint" — creates a false sense of security.
The Attack
The demonstrated technique: fingerprints are lifted from smooth surfaces (glass, plastic, polished metal) using graphite powder or tape. The lifted print is photographed and digitally cleaned. A mould is 3D printed from the digital image. Conductive silicone is cast in the mould, creating a fake fingerprint that fools capacitive sensors.
The technique successfully bypassed:
- Samsung Galaxy S10 fingerprint scanner
- iPhone (in some conditions)
- several physical office access control pads
The entire process costs approximately $5-10 in materials.
Response
Apple, Samsung, and other vendors invested in liveness detection improvements for newer biometric sensors. NIST, a US government agency, published biometric spoofing research. Several access control vendors added anti-spoofing measures. The DEF CON researchers made their technique and materials widely available to drive vendor improvement.
Outcome
The demonstration established that fingerprint biometrics can be bypassed with modest effort by a motivated attacker. Because fingerprints are permanent and cannot be revoked once compromised, a successful fingerprint compromise is a permanent vulnerability. The research drove investment in more sophisticated liveness detection.
Key Takeaways
- Biometrics cannot be changed if compromised — treat fingerprint data with higher sensitivity than passwords
- High-security environments should combine biometrics with PIN/token (multi-factor), never biometrics alone
- Capacitive fingerprint sensors can be fooled with fabricated prints — pressure and temperature-based liveness detection is more robust
- Be aware of what surfaces you touch in high-security environments where biometric spoofing is a realistic threat
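The first two takeaways can be expressed as an access decision plus a log audit. This is an added example, not code from the researchers or any vendor. The factor names, zone labels, event fields, and the rule that a standard zone accepts a single factor are all assumptions made for illustration.

```python
from dataclasses import dataclass

FINGERPRINT = "fingerprint"
SECOND_FACTORS = {"pin", "token"}   # non-biometric factors, which can be reissued

@dataclass
class User:
    name: str
    enrolled: set
    fingerprint_compromised: bool = False  # permanent: a finger cannot be reissued

def usable_factors(user, verified):
    """Factors that count: verified by the reader, enrolled, and not compromised."""
    factors = set(verified) & set(user.enrolled)
    if user.fingerprint_compromised:
        factors.discard(FINGERPRINT)
    return factors

def decide(user, zone, verified):
    """Return (granted, reason) for one attempt at a 'standard' or 'high' zone."""
    factors = usable_factors(user, verified)
    if not factors:
        return False, "no valid factor"
    if zone == "high":
        if not factors & SECOND_FACTORS:
            return False, "biometric alone is not accepted"
        if len(factors) < 2:
            return False, "two factors required"
    return True, "granted"

def audit(events):
    """Flag past high-zone grants that rested on a fingerprint alone."""
    return [e["id"] for e in events
            if e["zone"] == "high" and e["granted"]
            and set(e["factors"]) == {FINGERPRINT}]

# Constructed sample data (hypothetical users and access-log events)
ALICE = User("alice", {"fingerprint", "pin", "token"})
BOB = User("bob", {"fingerprint", "pin", "token"}, fingerprint_compromised=True)
EVENTS = [
    {"id": 1, "zone": "high", "granted": True, "factors": ["fingerprint"]},
    {"id": 2, "zone": "high", "granted": True, "factors": ["fingerprint", "pin"]},
    {"id": 3, "zone": "standard", "granted": True, "factors": ["fingerprint"]},
]

if __name__ == "__main__":
    print(decide(ALICE, "high", {"fingerprint"}))
    print(decide(BOB, "high", {"fingerprint", "pin"}))
    print(audit(EVENTS))
```

A user whose print is marked compromised stays on PIN plus token indefinitely, since the fingerprint never becomes trustworthy again.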