Biometric security has progressively become a standard feature in flagship smartphones. Apple has offered Touch ID since the introduction of the iPhone 5S while Samsung, a leader in the Android space, introduced fingerprint security starting with its Galaxy S5. On Windows 10 Mobile, Microsoft opted for iris recognition for its recent Lumia 950 and 950 XL smartphones while HP included both iris and fingerprint recognition in its Elite X3 handset.
However, smartphone manufacturers have had to learn some tough lessons along the way with regard to how to best implement biometric security into their devices.
Back in 2011, Android developer Tim Bray refuted initial claims that the Face Unlock feature on the Galaxy Nexus smartphone running Android 4.0 could be fooled by a photo of the registered owner. Unfortunately, this was later verified on video, putting a serious dent in Google's claim to security.
Since then, biometric security has continued to improve despite initial setbacks. However, a new attack demonstrated by a team at Michigan State University has shown a new way to fool the fingerprint sensor in the Samsung Galaxy S6 and Huawei Honor 7.
The attack involved the creation of a spoofed fingerprint using a photograph of the owner's fingerprint and the use of a Brother MFC-J5910DW printer equipped with silver conductive ink cartridges and transparent film supplied by AgiC.
AgiC, originally crowdfunded on Kickstarter, created its conductive ink and transparent film to bring printable circuits to people of all ages and experience. Given the conductivity of the ink, it made an ideal candidate for emulating a live fingerprint.
As can be seen in the video above, the spoofed fingerprint allowed access to the smartphone after being applied to the fingerprint sensor. However, the MSU publication noted that the "Huawei Honor 7 is slightly more difficult to hack (more attempts may be required) than Samsung Galaxy S6."
At the very least, the research has highlighted that anti-spoofing countermeasures in biometrics must continue to evolve to thwart such threats. Even though this specific attack requires a level of skill, resources and patience, perhaps beyond that of a casual hacker, it does serve as a reminder that modern biometric security is not infallible.