Fingerprint sensors may not be as safe as they are touted to be, a recent study revealed. A team of researchers at New York University and Michigan State University noted that smartphones can be easily unlocked and manipulated using fake fingerprints that were digitally developed to contain various features of an authentic human finger print.
According to the research team, 60 to 65 percent of all human fingerprints contain a loop pattern. The experts also said that 30 to 35 percent of human fingerprints have a whorl pattern and around five percent have an arch pattern. With these data on hand, the research team developed a set of digitally-produced, artificial MasterPrints. These artificial fingerprints worked by taking advantage of how smartphones scanners analyzed human fingerprints.
According the researchers, smartphone scanners are too small that they required multiple pictures of the fingers. This in turn increased the room for error and device susceptibility as smartphone scanners only had to match one print to any saved image to unlock the device. Professor Nasir Memon from New York University likened this to having up to 30 passwords, in which an attacker only needs to identify one to completely access the device.
“A number of consumer electronic devices, such as smartphones, are beginning to incorporate fingerprint sensors for user authentication. The sensors embedded in these devices are generally small and the resulting images are, therefore, limited in size. To compensate for the limited size, these devices often acquire multiple partial impressions of a single finger during enrolment to ensure that at least one of them will successfully match with the image obtained from the user during authentication,” the researchers said in DailyMail.co.uk.
Upon testing, the research team found that the artificial prints were able to unlock any phone model 65 percent of the time. Professor Memon cautioned that if someone was able to develop a glove that contained a MasterPrint in each finger, he could access 40 to 50 percent of iPhones within the allowable five tries before the phone demands a personal identification number. (Related: Protect yourself from any potential cyberattack by reading the articles on CyberWars.news).
“It’s almost certainly not as worrisome as presented, but it’s almost certainly pretty darn bad. If all I want to do is take your phone and use your Apple Pay to buy stuff, if I can get into one in 10 phones, that’s not bad odds,” Professor Andy Adler added in a separate article in NYTimes.com. Prof. Adler, who studies biometric security systems, is a Professor of Systems and Computer Engineering at Carleton University in Canada.
However, outside expert Professor Stephanie Schuckers of Clarkson University remained wary of the study’s results. According to Professor Schuckers, the researchers used a mid-range, commercially-available software designed to match full fingerprints. She stressed that smartphone manufacturers and other industries relying on fingerprint technology are currently examining the use of anti-spoofing programs to detect certain features of a real human finger such as perspiration and patterns in the deeper layers of skin. The professor also cited a fingerprint sensor from Qualcomm, which makes use of ultrasound. Professor Schuckers currently serves as the Director of the Center for Identification Technology Research.
In the team’s defense, outside expert Chris Boehnen stressed that the recent findings on the susceptibility of partial fingerprints to spoofing may have serious implications. Boehnen currently serves as the Manager of the U.S. Odin program. The program, part of the Intelligence Advanced Research Projects Activity, examines ways to defeat biometric security attacks.