Security and convenience don’t often go together very well – if you have too much convenience, you probably don’t have enough security.
Fingerprint authentication on smartphones supposedly gives you both.
You have the security of locking your device to keep thieves from accessing your private stuff, combined with the convenience of unlocking your device without entering a password – just swipe your finger across the sensor embedded in your phone.
There’s a problem, however, because fingerprints aren’t secret (we leave them everywhere), and they can be copied with a photo.
It wasn’t long after Apple unveiled the iPhone 5s and biometric locking with Touch ID that hackers at Chaos Computer Club (CCC) punctured its aura of security by tricking the sensor using a “stolen” fingerprint.
Their method involved making a copy of the targeted person’s fingerprint with a high-resolution image, printing it out a reverse of the fingerprint using heavy amounts of printer toner to create a mold, and then making a dummy (or “spoof”) fingerprint with wood glue.
Another group of researchers used the same method to hack the fingerprint sensor on the Samsung Galaxy S5, proving that the weakness of fingerprint authentication wasn’t limited to Apple’s implementation.
Now a different pair of researchers have streamlined the process, using a regular 2D inkjet printer to make a usable copy of a fingerprint with silver conductive ink cartridges and AgIC paper.
No mold necessary or glue to dry – just scan the fingerprint, print it out on the special paper, and swipe.
The researchers, Kai Cao and Anil K. Jain from the Michigan State University department of computer science and engineering, published their findings last month and demonstrated the fingerprint spoofing in a short video.
The researchers said they tried out their method on two smartphone models – a Samsung Galaxy S6 and a Huawei Honor 7.
It worked on both phones, although the Huawei Honor 7 was “slightly more difficult to hack,” than the Galaxy S6, requiring more swipe attempts to unlock.
As the researchers noted in their paper:
This experiment further confirms the urgent need for antispoofing techniques for fingerprint recognition systems, especially for mobile devices which are being increasingly used for unlocking the phone and for payment.
Smartphone makers are trying other forms of biometric authentication – such as iris or facial recognition – but how long until those techniques are hacked too?
Image of fingerprint key courtesy of Shutterstock.com.
Joe Lansing
Why do you say that are based at University of Michigan? Everything about them says MSU, from the Sparty in the video, to their web site at msu.edu
John Zorabedian
Apologies to Spartans everywhere, we’ve corrected the error.
Caleb
The brand name is “Huawei”, not “Hauwei”.
Paul Ducklin
Fixed, thanks.
Andrew Ludgate
I’ve posted this elsewhere as well, but security through obscurity helps for fingerprint scanners. A fingerprint scanner will work with any conductive surface, not just your fingertips. For best use, why not calibrate against some other part of your hand? Anyone attempting to crack the fingerprint has to guess the exact location you used in the number of tries allotted.
As long as you avoid using your thumb tip or index finger tip, it’s highly unlikely that anyone will ever be able to lift the correct print and use it before they hit the passcode lockout.
Next: use a 10+ character passcode on your phone; don’t stay with the default length.
Wilderness
I remember Steve Gibson talking about this in his webcast. A government employee was at Disneyland and they required a fingerprint for some reason, but he couldn’t legally use his since he used them to access top secret information. So instead, he used his knucke-print instead of his fingerprint. It worked and everyone was happy.
Brian T. Nakamoto
Fortunately, Hollywood has been demonstrating the vulnerability of fingerprint scanners for years. ;)
em vee
biometrics has always been one of those ideas that sounds good at first but falls apart in any number of real world scenarios
fingerprints especially have always been easy to hack, but any visual scanning technique (or audio for that matter) can be spoofed eventually
beyond spoofability, there are many unanticipated situations where someone else needs access or must be authorized for access; most biometric schemes fail to address this
what happens when a person dies? are their accounts, devices, etc forever locked away? or maybe is injured, perhaps very serioiusly (loses a hand, or eye, for example)?
less morbidly, in an enterprise, people come and go, sometimes suddenly, and there must be a way to transfer authentication and access; or various emergency scenarios
i could go on, but you get the point — biometrics for authentication and access control is simplistic and naieve