Welcome back, everyone, to this online NorthSec edition. Again, thanks for being part of this large-scale experiment. I hope you're having as much fun as we do in the background. So let me introduce you to the next speakers. It's a duo from Cisco Talos, Vitor Ventura and Paul Rascagneres.
Vitor Ventura is a Cisco Talos security researcher. As a researcher, he investigated and published various articles on emerging threats. Most of the days, Vitor is hunting for threats, investigating them, reversing code, but also looking for the geopolitical and/or economic context that better suits them. Vitor has been a speaker in conferences like Recon Brussels, DEF CON Crypto Village, and BSides Lisbon, among others. Prior to that, he has been the IBM X-Force IRIS European Manager, where he was a lead responder on several high-profile organizations affected by the WannaCry and NotPetya infections, helping to determine the extent of the damage and to define the recovery path. Before that, he did penetration testing at IBM X-Force Red, where Vitor led flagship projects like connected car assessments and oil and gas ICS security assessments, custom mobile devices, among other IoT security projects. Vitor holds multiple security-related certifications like GREM, CISM, among others.
Paul is a security, well, no, to Paul. Paul is a security researcher within Talos, Cisco's threat intelligence and research organization. As a researcher, he performs investigations to identify new threats and presents his findings as publications and at international security conferences throughout the world. He has been involved in security research for seven years, mainly focusing on malware analysis, malware hunting, and more especially on advanced persistent threat campaigns and rootkit capabilities. He previously worked for several incident response teams within the private and public sector. He is also familiar with the NorthSec organization, multiple-time speaker, if I remember correctly.
So let me introduce them for their talk, High Speed Fingerprint Cloning: Myth or Reality?
Hi, I hope it works for you. Yeah, just waiting for the slide. Yeah, perfect. So yeah, I think this introduction was just perfect and covered more or less everything. And yeah, I'm really happy to be here for the first online edition of NorthSec. So my name is Paul Rascagneres. I was a speaker a couple of times at this conference. I'm very happy to be here. And yeah, I'm mainly interested in malware analysis and APT research. So I work on cases such as Olympic Destroyer, WannaCry or whatever. And I'm really into 3D printing. You may have seen a few of my creations on my Twitter or whatever. And you will see it's really relevant for this talk where we will speak a lot about 3D printing.
Hi, I'm Vitor. I like, I like reverse engineering. I like malware. I'm located in Portugal. And yeah, let's dive into our talk today. It's my first time at this conference, by the way. So a little bit about what we are going to talk about. So first we will start with the background. We'll talk about the state of the art of fingerprint authentication, then the different sensor types, and then we'll do a deep dive into our research. We'll define the threat models, our process, and we'll end up with the tests and the wrap-up.
So talking a little bit about the state of the art. So fingerprint authentication, it really started to be massively used when Apple introduced it on Touch ID back in 2013. And on that same year, it was already broken by the CCC conference. Throughout the years, it was adopted more and more in several devices, laptops, mobile devices, every kind of device. And our goal when we decided to do this kind of research was to see if this has evolved. So with the time and with the adoption, has security evolved on this kind of devices? So just while we were doing our research, Samsung S10, the fingerprint authentication was defeated by a simple silicone cover.
And at the time we thought, oh, maybe our research is completely destroyed. And then there was, at another conference, a team from X-Lab that also did the same thing on three different devices almost on the fly. But they didn't reveal any of their process. They didn't reveal any of the details. And at that time we thought, okay, then we should really do this research and do as we think, like releasing all the details of our process. But at the same time, we wanted to make it as real as possible. That's why we defined the threat models. But we'll go into that further ahead.
So just before that, let's talk about the different sensors. There are three major kinds of sensors right now. There's the capacitive ones, which pretty much create a capacitor between our fingers and the sensor through the usage of the electricity in our bodies. So when you have a ridge, that will create the capacitor, which will be detected. And when we have a valley, that won't be detected. So there is a second type of capacitive sensor, which is the active one. In this case, the principle is the same, but instead of using the natural electricity in the bodies, it will send a signal from the sensor through our skin and then back into the sensor. So it's an active one because there's a signal being generated by the sensor itself.
Then we have the optical ones. These actually were one of the first kinds of sensors to be developed. In this case, as you can imagine, there's a light source that is projected onto our finger. And then there's an image sensor that will read the image from our finger. And likewise, the ultrasonic ones, they have the same principle. There's an emission. In this case, it's an ultrasonic pulse, which will then be detected by the sensor. Both of these sensors are actually... The need for these sensors actually was increased when the full-screen mobile devices came up because these two kinds of sensors, they can actually be put below the screen, the display.
So you can have a borderless phone with it. That does not happen with the capacitive sensors unless you put the sensor on the back of the phone. So this is kind of the main reason why these two kinds of sensors were developed. Well, the ultrasonic one was developed and the optical one was brought back into the market.
So now talking a little bit about our process. As I was saying, we wanted to have a real-life model of the research. So for that, we decided to define three different scenarios, threat scenarios. And to those scenarios, we have linked the collection methods. So the first collection method is the direct collection method. In this case, well, the finger is just put on a mold, which is then used. And you can imagine like someone that is unconscious and someone just picks their finger and then puts it on a mold. The second threat scenario is the fingerprint sensor, where the person just puts the fingers on the sensor and the fingerprint is collected. And this you can just relate with all the biometric leaks that have happened in the past with some companies where huge numbers of fingerprints were leaked and no one really knows where they went. And the third method is a third-party collection method where basically you have an object and you lift the fingerprint from that object. In this case, it would be more like a spy movie thing but it's still a threat scenario. And it is important to have it here in order to establish a relationship between all the different threat scenarios.
So our process is not just about the collection. Then we have two additional steps. One is the optimization. So once you collect the fingerprint, you actually need to optimize it and you need to work it so that you can actually then do the creation. And the creation is done through the creation of a mold which is then filled with the materials that will actually create the fingerprint.
And for that, I will leave you, I will pass you now to Paul, who will explain all these details.
Yeah. So let's speak about the collection and how we get data to work on. So our first case was direct collection. So we get the fingerprint directly from the finger. In this case, we decided to use plasticine, which is a fake clay used by sculptors and that reacts to heat. So basically on the right, you have a heat gun. You put it on the plasticine, it becomes soft and you can take the fingerprint directly on it and create a mold. It was the easiest way, no size issue, we directly had it from the finger and it was really straightforward and easy to do.
The second approach is collection from a sensor. So you can see here the sensor we use. So it's basically the cheapest sensor you can buy on the internet. It's connected in USB, it uses a serial protocol to get data and it's very easy to use. On the right, you have the really bad application provided by the sensor and you can see a fingerprint captured with this sensor. As you can see, the resolution of the picture is really bad, it's really, really bad but I was surprised it was good enough. I had to make some tricks to optimize the picture but finally it was good enough to do our job.
The third approach we use to get data is third-party collection. So like a movie if you wish. On the left, you have a picture of a fingerprint on the glass and on the right, you have the same one but I put some black powder to increase the contrast. I think on Twitch, maybe the resolution is not good enough but you can see the picture on our blog, we will give you the URL later. Here it's not my fingerprint. I don't want to leak my fingerprint on the internet so I use the palm of my hand for this specific picture, and all the fingerprints you can see and you will see during the presentation are the fingerprints from Al Capone directly from the FBI website and not my or Vitor's fingerprint because yeah, who knows.
So once we have all this data, data from the sensor, data from the camera, we need to optimize the picture. So as I mentioned, the resolution of the sensor is not really good. So I had to take a couple of different images, put them together and create a big one. In fact, the square, really, where you have the sensor is too small for a big finger like my big fingers. So I need to create small squares and put them together, increase contrast and do some Photoshop to have this kind of image you can see here from Al Capone. Another optimization I had to do, if we, I'm waiting for the next slide. Yeah, if we take the third-party collection, is I need to crop the picture and I need to play a lot with Photoshop to increase contrast and have clear lines and a clear black, white and gray picture. So it's simply a question of time and manipulating photo software.
Here is an example. So on the left, you have Al Capone's fingerprint, black and white, and on the right, you have a 3D model of a mold of this fingerprint. So it's a negative because it's a mold, it's how it works. And in this case, you can see it's pretty similar and how it works. In fact, you have black lines and in 3D printing, we can use that as an alpha, and the black pushes the clay, the virtual clay, the digital clay, and the white doesn't do anything. And after, you have the different levels of gray that push more or less the fake, the digital clay. So you will see a video about how it works exactly.
So creation, yeah, yeah, for the creation, here you can see the size of a mold. So the mold you can see on the bottom is a fake fingerprint of Al Capone and the other one is my fingerprint. So that's why they are put in the other direction. And I use a standard 3D printer, something you can buy. Our budget was 2,000 euros. So not a huge budget. We cannot buy a really crazy expensive printer, but yeah, that was an example of molds and you can see it's pretty small, yeah. So here is a video about how it works. So the software is named ZBrush.
It's the standard in the industry and you have the alpha. So the black and white picture, it's on the left. You will see it in a few seconds become bigger, yeah. And I will use this alpha directly on the model and the alpha will push the virtual clay inside and the fingerprint will appear on it. And it's basically how it works. If Twitch resolution is bad, you can check on our blog, you can see it. It's really, really easy. So that's how I create a fingerprint mold.
So let's speak about the printer. The printer I use is a 25 microns resolution printer. It's not super expensive. It's less than 2,000 euros. And if you think about dermal fingerprint ridges, it's about 500 microns wide and 20, 50 microns deep. So the resolution of a standard resin printer is pretty good, it's good enough. The other problem is the material used for casting because once you have a mold, it's nice, it's beautiful, but you can't do anything with a mold alone. You need to cast something and create the fingerprint. We will see we got a couple of issues with that.
And another big constraint is 3D printing is not designed for microns. You know, it's designed to create a small object but not like a micron object. If we speak about a figurine, it's 10 centimeters, it's not so small. And ZBrush doesn't have real-world size parameters. So you create something, it doesn't really have a size, in fact. And in our case, we are speaking about microns. If the mold is a few microns too big or too small, it doesn't work. The sensor will not recognize your finger because it's too big or too small. And something we discovered is the resin needs to be cured. It's toxic when it comes from the printer. It needs to be cured in a UV chamber. And we discovered that the UV chamber generates retraction. So not big retraction, for a figurine, you don't care. But big enough to create molds too small or too big for our context, speaking about fingerprints.
So we had to spend a lot of time dealing with this kind of issue because yeah, we had to be really careful about how many seconds we do curing, we always do the same curing, the same number of molds inside of the chamber, et cetera, et cetera. It was really, really time consuming to be really consistent and have always the same process and the same size, et cetera.
Some pictures: on the left, you have seven molds directly from the printer. It's a small one, as you can see, but I can make seven molds at the same time. On the right, it's simply the molds taken from the bed. And here you can see on the right, you have normally, if it comes, yes, yeah. On the right, you have the UV chamber. So the circle in white turns and you have UV lamps, and the UV lamps project on the mirror and that's how the resin is cured. And on the left, you have all my failed attempts. So all the molds you can see are too big, too small. I made some annotations on them to say, yeah, it's too small or it's too big or I was tired and I didn't do a negative but a positive of my fingerprints, this kind of stuff. So I had to create more than 50 bad molds to have the final one, which is good, perfect size and it works. So it's really time consuming when you know how many hours you need to print something. So, but yeah, when I want something, I spend time on it.
So yeah, let's speak about the filling material. So when you have the mold, you need to fill material inside to create the object. That's how it works. We use silicone, we use glue, et cetera. As Vitor mentioned, some sensors are conductive. So you need to have conductive stuff to enable the sensor and start the authentication. Silicone is not conductive. So if you do a fingerprint in silicone, it won't do anything on this kind of device. I, we said, yeah, maybe we can mix silicone with graphite or aluminum, any kind of conductive powder and it will work. So no, it doesn't work. It doesn't work like that.
And we had to find a really, really good material that allows us to have the same conductivity as our skin, our body. And finally we found a hack, which is to use textile glue. So it was pure luck because I found this stuff on my children home and I said, why not? Let's try it, we will see what happens. And if you create a really thin layer of fabric glue inside of the mold and it's thin enough to put a real finger behind, you will have the conductivity of your real finger. So it works if it's thin enough and you have a real finger behind. So it cost us a lot of attempts to find it and it was purely by luck, but we can be lucky in life. And yeah, now, let's speak about the tests we did, the devices we tested, et cetera. So I let Vitor speak about this part of the presentation.
Okay, so we wanted to make sure that we would test the different kinds of sensors and the different kinds of devices. And finally, the different kinds of operating systems behind those devices because the way that fingerprint authentication works, it will do the comparison between the fingerprint and the template on different places of the stack. Let's say it like that. So let's see a movie about our tests. So as you can see, Paul has a glove on and it works because in this case we are using the Samsung S10 and the sensor is an ultrasonic sensor. So there's no need for conductivity. On the other devices, it's more, they are using active capacitive sensors. They need this. They actually need the real finger behind the fake fingerprint in order to have the conductivity. Yes. I want you to look at this device, for instance, the padlock, and you should notice that there is a gray ring around it. There was the same thing around the iPhone and this is actually the place where the signal comes into our finger to go back into the sensor. As I mentioned before when I was talking about the sensors.
So in the end, our results show that the direct collection method actually has the best results and that really makes sense because we are taking the finger directly into the mold and on one side, the mold is more perfect but also we don't have the problems with the retraction and everything that Paul was talking about because there's no retraction. We have the mold directly to be cast upon. The other thing that you should notice is that pretty much every sensor that was defeated with the direct fingerprint collection was also defeated by the other methods with more or less success rate. If you notice, we were never able to defeat the Windows, the laptops based on Windows, and even on different brands. And we'll have more or less an explanation for that ahead, and the same thing happened with both thumb drives. I also want to mention a special case about the Samsung A70, which we never broke but at the same time, it doesn't really work very well when you are using the real finger. So our guess is that, well, it's not something that should be considered as a good example of being good at using the fingerprint because in reality, it doesn't work that well even in normal cases.
So, and now the wrap-up. So we wanted, when we decided to do this project, we wanted to put some parameters on it so that we were sure that this would lead to something which can be related to real life. We don't want to make something where we are using a huge amount of money and then we can prove that someone can do it but then it doesn't relate to real life, it doesn't relate to the threat profile of each person. So that's why we decided to have, okay, let's have a budget which is under $2,000. Also the limitation for the direct collection, we didn't want to have any kind of limitation there because there are different ways to do it and we wanted to have some method which would almost be used like a baseline to all the others. On the limitation side, okay, we know we have talked about it.
There's a problem with the scale, with the resolution, and we know that there have been some advances on this. Paul will talk about it later when we talk about the future work, and of course there's the problem with the resin that can be retracted with the UV while doing the curing process.
So now about Windows and why did we have more difficulties? Well, in the end, this is a question of having, it's security versus commodity. So we unlock our phones several times a day and if we go and we compare all the points, we'll have more false positives, false negatives, sorry. So we'll have more times where we put our finger and the reading is not correct. At the same time, on the laptop, that doesn't really happen that often. So our guess is that Windows is comparing more points of our fingers than with the mobile phones in order to have a better security, but at the same time it doesn't have such a big impact on usability as if that happened on the phones. So it's a question of how many points, in simple terms, it's a question of how many points are you comparing on the finger and how much are you concerned about usability and user experience? And for the mitigations, I will pass you to Paul now.
Yeah, so let's speak about mitigation. There are a few steps that vendors can do about mitigation. If we look at the number of attempts, if you take Apple devices, you can only test your fingerprint five times. If it's five times, you need to enter the PIN, no choice. If you check Samsung devices, for example, it's 50 attempts. So you can try 50 times and it won't ask you for the PIN until these 50 false attempts. You simply need to wait a few seconds between five attempts, but it's 30 seconds, I think, and you have five attempts, 30 seconds, five attempts. So you can do it, it's okay. And if you take the Honor device, I tried more than 70 times and it doesn't ask me for the PIN. So it's probably unlimited, or it's 100 or whatever. I didn't spend my day trying to unlock the device.
And yeah, that's something that I think could be improved by allowing fewer attempts like Apple did, or maybe to put this stuff under the control of the users. Maybe you can decide it in parameters. I want five, 10, or whatever attempts before switching to the PIN. It could be an approach. Something else vendors can do is to jump, if we jump on Vitor's explanation on Windows systems, maybe we can propose to the users to configure a number of points to be controlled and say, okay, I want a very strict device. I want to control a lot of points. And if it fails, I accept it, I will enter my PIN. And we can have some other users with other profiles that decide, okay, I don't really want to use my PIN and I want to be really soft on the number of points I want to unlock my phone. So it can be some mitigation and improvement that could be done by vendors.
Yeah, if we look at the conclusion, we think that fingerprint authentication is good enough for the majority of people. It's a question of threat model. If you are really worried and you are someone with, I don't know, a journalist or this kind of sensitive profile, maybe, and if you are afraid about secret agencies or governments or whatever, maybe it's not good enough. Maybe it's not, maybe they should have the capacity to clone a fingerprint without using a massive budget. If you are worried about someone that steals your phone at the bar, yeah, it's good enough. Don't worry. For one fingerprint, for my finger, spending time on it, it cost me months to do that. And yeah, I think you really need to define your threat model and what you want to be protected from. So that's really, really the most important part of the conclusion. The process takes time. It was really time consuming. I spent months of research trying to do molds and dealing with size, et cetera, et cetera. So I'm pretty convinced that someone without any experience cannot do it really, really easily.
Something that's really interesting for me at least is fingerprint technology has not really evolved with time. And something that is really uncommon in our industry is it even rolled back. If we take the optical sensor, it was the first technology, it changed to a capacitive sensor because you must have a real finger behind, it must be conductive, et cetera. And due to user experience, we rolled back and came back to the optical sensor because we don't want any frame on the device. We want to have a unique screen and have our fingerprint reader on it. And it generates a rollback to a previous technology because we cannot have a capacitive sensor directly included in the screen with our current level of technology.
So yeah, just one thing, some people ask us, yeah, but why didn't you create the fingerprint directly with a printer? So it doesn't work, it doesn't work like that. It's too small, too thin, it's not conductive. It will break during the curing process and it's not a good way to do it. We really need to think about doing a mold and casting something to create the fingerprint. We don't have a magic approach. As you saw, it works on a couple of devices but we have some devices where it doesn't work really well and some other devices where it didn't work at all. So it's not an ultimate approach but I think we have pretty interesting results.
Yeah, of course from the bad guys' point of view, you can make some improvements to our process. Maybe if we have a bigger budget, we can have access to electronic microscopes that support microns. Maybe if we can use a high-precision laser engraver system, we can improve the whole process and engrave the fingerprint directly. Maybe we can have access to a medical printer. So you can have a 3D printer dedicated to the medical domain that creates objects in microns. So they can create fake skin. So maybe the fake skin is conductive enough. I don't know, I don't have access to this kind of device but I think it could be improved by doing that.
I mentioned some size issues with the mold. Yeah, maybe we can make some scripting to optimize the creation and provide a high-resolution image and say it's this size and this size and maybe generate the 3D model automatically and not as I did in ZBrush. So I think there are a couple of improvements but it will increase a lot the cost of doing fake fingerprints. We think if you have a very motivated team and well funded, they can do it more efficiently than what we did. You can find our whole research on our blog post. At this URL, you can ping me on Twitter. You can ping Vitor on Twitter. We will be happy to reply to you if you are shy and don't want to ask on the platform. And yeah, have fun and take care of your finger.
All right, thanks so much, Paul and Vitor. That was really scary. Yeah, it's concerning but it's also very interesting. So we'll give one or two minutes for participants who have questions. So in the meantime, maybe I can point out that we just released 50 tickets for the conference of 2021 as early bird. It's special just for today. Well, it's actually until it's sold out. So the tickets are just for the conference since we are on the conference part, but maybe we don't know, there's a CTF coming in the next few days. So stay tuned and register. It's a good way to show us that you appreciate the work we're doing. Okay, I guess we're kind of running out of time for the questions, you can still ask or upvote questions while the presenters are answering. So I'll start with the first question. So some safes claim to have heartbeat detection on the fingers. Did you encounter any? Did your sleeve technique bypass it?
Yeah, so we didn't try. So we basically mentioned all the devices we tried. So if it's not on the list, we didn't try it. But it's only speculation, but I think if you use the technique of the thin glue layer and with a real finger behind, as it's conductive, I'm pretty sure you have the heartbeat also.
So I didn't try, but I won't be surprised if it works in the same way as conductivity. If you have a real finger and it's thin enough, it should work, but we didn't try it.
Really interesting, really interesting. And I guess now that we know how these things work, people can try it.
Yeah, if they have time, yes.
Vitor, did you want to add something?
No, I was just going to say that none of the devices that we tried said that they did that on the sensors. So even if they do it, it's not documented as a feature.
Makes sense. So let's go with the second question. Can this be used in an on-site physical security assessment? So I guess speaking about the speed at which you can implement it.
The speed is really long. So if you want to do it with direct collection, so if you take the fingerprint of someone directly on Plastiline or whatever, you can do it really quickly. It's in one hour you have a copy. If you want to do it from a picture or biometric data like a picture from a sensor, it's super long. It cost me more than three months to have a correct mold by using a picture. So yeah, it's a question of time and resources. If you have a lot of time and a lot of resources, why not? If it's something to do quickly in one week, it doesn't work like that.
And I guess the tech is just beginning. So maybe in two years.
Oh, yeah, maybe definitely you, maybe some people will improve it. And for the printer, the price decreases, the quality increases, and maybe we will be able to have crazy devices in two or three years for a few thousand euros. I don't know.
Perfect. So next question, did you consider using something like gelatin for conductivity?
No, we didn't. But the point is it must be super thin because the gelatin in this case must enter in the line of the mold, the ridge of the fingerprint. And I'm not sure it will work, but we didn't try.
Okay. Another open research direction.
And the last question for today, can fingerprint data be imported from one sensor vendor to another or is it proprietary?
So there is a format defined to transfer fingerprint information, but the point here is not from one vendor to the other because the comparison is usually done on the OS side because they need to store the templates. So, and if they follow that format, then of course they can pass it from one device to the other, but usually the vendors themselves, they don't store the information. They actually pass that information to the OS that will do the templates to do the comparison afterwards.
All right. Perfect. So another question was added. Did you see the fingerprint cloning displayed in the last season of Mr. Robot? What did you think of it?
Yeah. So I can reply to this one because in fact, we started our research before. We made our choice before. So he copied us. Let's be clear. And the way he's doing it on Mr. Robot is not possible technically because they decided to take a filament 3D printer because it's more visual for the public and they didn't take a resin 3D printer. And if you use filament, you cannot have a precision of more than 100 microns, which is too fat to be. So yes, it's possible, but not with the printers they decided to take for visual effect and to make stuff cool.
All right. Thank you. Maybe it's just out of my curiosity. It's going to be the last question and it's an open-ended question. Considering it's getting easier and easier to copy biometric data and it's not really possible to regenerate your biometric data randomized, what is the solution in the near, like medium to long future using biometric data like that? It's for you, Vitor.
Oh, thank you very much.
You're welcome.
Well, in reality, so as we said, there were some devices we were not able to defeat, right? And that comes back to how you make the comparison.
Of course, if you go into the really, really, compare a lot of points, a lot of dots, a lot of direction in the regions, maybe you can improve the security of the fingerprint. But right now, that's not definable by the user. And at the same time, it will create some kind of more false negatives. So I would say that there's a lot of improvements that can be done on fingerprints, iris, Face ID, and we will see how that will work out. But all of the technologies can improve on how they make the comparison.
Right. All right, thank you. Good answer. So that's all for us for today. Thank you very much, Paul and Vitor. And we wish you a great end of day.
Yeah, thank you.
Stay tuned with us in 10 minutes. We're going to have Etienne Maynier talking about defending human rights in the age of targeted attacks. Have a great day.