Researchers from two universities showed that some fingerprint-based authentication systems can be spoofed, demonstrating in simulation that a single "MasterPrint" could match the stored partial prints of many phone users.
Fingerprint-based authentication systems, commonly used in modern smartphones and tablets, could be less secure than originally thought, according to new research released Tuesday. Because these systems scan and store partial versions of fingerprints, those partial prints can be more easily matched, university researchers said.
The findings, announced via press release, come out of the New York University (NYU) Tandon School of Engineering and Michigan State University College of Engineering. The initial theory was that the researchers could create a "MasterPrint" that could potentially match to many different partial prints, and give them access to a user's device.
Nasir Memon, a professor at NYU, said the team started from the idea of an attacker guessing a PIN of 1234, which works about 4% of the time. While the number may seem low, Memon said in the release that it is a "relatively high probability when you're just guessing."
Memon worked with NYU postdoctoral fellow Aditi Roy and Michigan State University professor Arun Ross on the study, examining some 8,200 partial fingerprints for potential MasterPrints. According to the release, the team used commercial fingerprint verification software and found that, in a random batch of 800 partial prints, 92 of them were potential MasterPrints: partial prints that matched at least 4% of the other partials in the batch.
While the team was only able to uncover one full-fingerprint MasterPrint in a sample of 800 prints, the partial-print MasterPrints showed much higher match rates. Starting from the MasterPrints found among real fingerprint samples, the team used an algorithm to build synthetic partial MasterPrints, which showed a greater potential for fooling fingerprint scanners than the MasterPrints taken from real samples, the release said.
"With their digitally simulated MasterPrints, the team reported successfully matching between 26 and 65 percent of users, depending on how many partial fingerprint impressions were stored for each user and assuming a maximum number of five attempts per authentication. The more partial fingerprints a given smartphone stores for each user, the more vulnerable it is," the release said.
While the work was conducted in a simulated environment rather than against real phones, Roy said in the release, the creation of these MasterPrints does pose a spoofing risk for devices. It also points to the need for the designers of these systems to update their approach.
"As fingerprint sensors become smaller in size, it is imperative for the resolution of the sensors to be significantly improved in order for them to capture additional fingerprint features," Ross said in the release. "If resolution is not improved, the distinctiveness of a user's fingerprint will be inevitably compromised. The empirical analysis conducted in this research clearly substantiates this."
The team's work was focused on what is known as minutiae-based matching, which may or may not be used by particular vendors of fingerprint-based authentication systems, the release said. However, wherever partial prints are used in the system, and especially multiple partial prints per user, the risk of a MasterPrint attack is substantial.
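The reasoning above (a per-template false-match rate comparable to guessing a PIN, several stored partial templates per user, and a handful of attempts before lockout) can be turned into a simple exposure model. The following is an added example, not code from the study or the article, and its model is an assumption of mine rather than the researchers' method: it treats each MasterPrint attempt against each stored partial template as an independent trial with a false-match probability `p_fmr` (the article's ~4% benchmark), so the probability that at least one of `n` attempts matches at least one of a user's `k` stored partials is 1 - (1 - p)^(k*n). A Monte Carlo run checks the closed form, and `max_stored_partials` answers the design question a reviewer would ask: how many partial impressions can be enrolled before the attacker's success rate exceeds a budget.

```python
"""Exposure model for MasterPrint-style attacks on partial-print templates.

Added example, not from the NYU/MSU study. Assumption (mine, not the paper's):
every attempt against a single stored partial template is an independent
Bernoulli trial with false-match probability p_fmr; the user is compromised if
any of n attempts matches any of the user's k stored partial templates.
"""
import math
import random


def success_probability(p_fmr: float, stored_partials: int, attempts: int) -> float:
    """Closed form under the independence assumption: 1 - (1 - p)^(k * n)."""
    trials = stored_partials * attempts
    return 1.0 - (1.0 - p_fmr) ** trials


def simulate(p_fmr: float, stored_partials: int, attempts: int,
             users: int = 20000, seed: int = 1) -> float:
    """Monte Carlo estimate of the same quantity, as a sanity check on the formula.

    Each simulated user has `stored_partials` templates; the attacker presents
    one MasterPrint per attempt and stops at the first match or after `attempts`.
    """
    rng = random.Random(seed)
    compromised = 0
    for _ in range(users):
        hit = False
        for _attempt in range(attempts):
            # One attempt is compared against every stored partial template.
            for _template in range(stored_partials):
                if rng.random() < p_fmr:
                    hit = True
                    break
            if hit:
                break
        compromised += hit
    return compromised / users


def exposure_table(p_fmr: float = 0.04, attempts: int = 5,
                   partial_counts=(1, 2, 4, 8, 12)) -> dict:
    """Attacker success rate as a function of how many partials are enrolled."""
    return {k: success_probability(p_fmr, k, attempts) for k in partial_counts}


def max_stored_partials(p_fmr: float, attempts: int, max_exposure: float) -> int:
    """Largest k such that 1 - (1 - p)^(k * n) stays at or below max_exposure.

    Solving (1 - p)^(k n) >= 1 - e gives k n <= ln(1 - e) / ln(1 - p).
    """
    if not (0.0 < p_fmr < 1.0 and 0.0 < max_exposure < 1.0):
        raise ValueError("p_fmr and max_exposure must be in (0, 1)")
    max_trials = math.log(1.0 - max_exposure) / math.log(1.0 - p_fmr)
    return int(math.floor(max_trials / attempts))


if __name__ == "__main__":
    for k, p in exposure_table().items():
        print(f"{k:2d} stored partials, 5 attempts: P(success) = {p:.3f}")
    print("Monte Carlo check (k=1, n=5):", round(simulate(0.04, 1, 5), 3))
    print("Max partials for <=50% exposure at 5 attempts:",
          max_stored_partials(0.04, 5, 0.5))
```

With the 4% benchmark and five attempts, a single stored partial already gives an attacker roughly an 18% chance per user, and the curve climbs steeply with each additional enrolled impression; capping the number of stored partials and the number of attempts before lockout are the two knobs this model exposes.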
The 3 big takeaways for TechRepublic readers
- Researchers from New York University Tandon School of Engineering and Michigan State University College of Engineering created synthetic "MasterPrints" that, in simulation, spoofed the partial-print matching used by mobile fingerprint scanners.
- The MasterPrints were built from partial prints and matched 26-65% of users, depending on how many partial impressions each user had stored, with at most five attempts per authentication.
- The research increases concerns about the security of fingerprint scanners that rely on partial prints, and may inform their design in the future.