Security and convenience don’t often go together very well – if you have too much convenience, you probably don’t have enough security.
Fingerprint authentication on smartphones supposedly gives you both.
You have the security of locking your device to keep thieves from accessing your private stuff, combined with the convenience of unlocking your device without entering a password – just swipe your finger across the sensor embedded in your phone.
There’s a problem, however, because fingerprints aren’t secret (we leave them everywhere), and they can be copied with a photo.
It wasn’t long after Apple unveiled the iPhone 5s and biometric locking with Touch ID that hackers at Chaos Computer Club (CCC) punctured its aura of security by tricking the sensor using a “stolen” fingerprint.
Their method involved making a copy of the targeted person’s fingerprint with a high-resolution image, printing it out a reverse of the fingerprint using heavy amounts of printer toner to create a mold, and then making a dummy (or “spoof”) fingerprint with wood glue.
Another group of researchers used the same method to hack the fingerprint sensor on the Samsung Galaxy S5, proving that the weakness of fingerprint authentication wasn’t limited to Apple’s implementation.
Now a different pair of researchers have streamlined the process, using a regular 2D inkjet printer to make a usable copy of a fingerprint with silver conductive ink cartridges and AgIC paper.
No mold necessary or glue to dry – just scan the fingerprint, print it out on the special paper, and swipe.
The researchers, Kai Cao and Anil K. Jain from the Michigan State University department of computer science and engineering, published their findings last month and demonstrated the fingerprint spoofing in a short video.
The researchers said they tried out their method on two smartphone models – a Samsung Galaxy S6 and a Huawei Honor 7.
It worked on both phones, although the Huawei Honor 7 was “slightly more difficult to hack,” than the Galaxy S6, requiring more swipe attempts to unlock.
As the researchers noted in their paper:
This experiment further confirms the urgent need for antispoofing techniques for fingerprint recognition systems, especially for mobile devices which are being increasingly used for unlocking the phone and for payment.
Smartphone makers are trying other forms of biometric authentication – such as iris or facial recognition – but how long until those techniques are hacked too?
Image of fingerprint key courtesy of Shutterstock.com.