Your smartphone's fingerprint sensor is not as secure as you think
An increasing number of smartphone-makers are treating the fingerprint sensor as one of the most important features any device must have. The technology has enabled users to save time from manually entering passwords. In fact, a fingerprint is all users need these days to buy any product, thanks to services like Apple Pay and Android Pay. Online banking is made much easier too – swipe your finger and you can instantly pay bills or transfer thousands of dollars.
A new research by New York University and Michigan State University however, suggests that smartphones is amongst the easiest tools for hackers to manipulate and use it to their benefit. The paper shared by them investigates the security of partial fingerprint-based authentication systems, especially when multiple fingerprints of a user are enrolled.
“The sensors embedded in these devices are generally small and the resulting images are, therefore, limited in size,” the report explains. “To compensate for the limited size, these devices often acquire multiple partial impressions on a single finger during enrolment to ensure that at least one of them will successfully match with the image obtained from the user during authentication.”
Like mentioned previously, numerous cases are such wherein users are allowed to enrol multiple fingers. Since the impressions pertaining to multiple partial fingers are usually associated with the same identity (i.e. one user), a user is said to be successfully authenticated even if it were another person all together. Moreover, even if a partial fingerprint is obtained during authentication, the job of unlocking a device or even transferring money through online banking can be easily done.
While investigating the possibility of generating a “MasterPrint,” which is a synthetic or real partial fingerprint, the research discovered that it is indeed possible to locate or generate partial fingerprints through various means. This in turn, makes it easy for hackers to impersonate a large number of users. The computer simulations conducted by the researchers allowed them to develop a set of artificial “MasterPrints” that could match real prints in smartphones as much as 65 per cent of the time.
“It’s almost certainly not as worrisome as presented, but it’s almost certainly pretty darn bad,” said Andy Adler, a professor of systems and computer engineering at Carleton University in Canada, who studies biometric security systems. “If all I want to do is take your phone and use your Apple Pay to buy stuff, if I can get into 1 in 10 phones, that’s not bad odds.”
When it comes to full human fingerprints, it can get rather difficult to falsify the same. However, finger scanners embedded in smartphones are small and thus, they only require partial fingerprints which makes the task for any hacker very smooth. “It’s as if you have 30 passwords and the attacker only has to match one,” said Nasir Memon, a professor of computer science and engineering at N.Y.U.’s Tandon School of Engineering.
He further went on to indicate that if a hacker creates a “magic glove” with a MasterPrint on each finger, they could get into 40 to 50 per cent of iPhones within five tries or less.
While Google declined to comment, Apple spokesman Ryan James has said that the chance of a false match in the iPhone’s fingerprint system is 1 in 50,000. “Apple had tested various attacks when developing its Touch ID system, and also incorporated other security features to prevent false matches,” he added.
Dr. Memon still uses fingerprint security on his iPhone despite his research, saying, “I’m not worried. I think it’s still a very convenient way of unlocking a phone. But I’d rather see Apple make me enter the PIN if it is idle for one hour.”
