Another Blow to the Biometric ID Fairy: Researchers Show ‘Master’ Fingerprints Can Bypass Smartphone ID Sensors

By Jerri-Lynn Scofield, who has worked as a securities lawyer and a derivatives trader. She is currently writing a book about textile artisans.

Motherboard ran a piece last week that suggests the biometric identification fairy’s days may be numbered – at least in her ability to protect smartphones, Researchers Created Fake ‘Master’ Fingerprints to Unlock Smartphones.

The original paper announcing the research results is DeepMasterPrints: Generating MasterPrints for Dictionary Attacks via Latent Variable Evolution.

According to Motherboard:

AI can generate fake fingerprints that work as master keys for smartphones that use biometric sensors. According to the researchers that developed the technique, the attack can be launched against individuals with “some probability of success.”

….

In most cases, spoofing biometric IDs requires making a fake face or finger vein pattern that matches an existing individual. In a paper posted to arXiv earlier this month, however, researchers from New York University and the University of Michigan detailed how they trained a machine learning algorithm to generate fake fingerprints that can serve as a match for a “large number” of real fingerprints stored in databases.

I won’t discuss the technical details here, and refer interesting readers to the complete paper linked to above.

Although the paper focused on smartphone fingerprint sensors, I note that the authors of that paper think that their method has broader applicability (from the abstract):

Recent research has demonstrated the vulnerability of fingerprint recognition systems to dictionary attacks based on MasterPrints. MasterPrints are real or synthetic fingerprints that can fortuitously match with a large number of fingerprints thereby undermining the security afforded by fingerprint systems….

The underlying method is likely to have broad applications in fingerprint security as well as fingerprint synthesis [my emphasis].

This Is Bad News for the Biometric ID Fairy

Now, Motherboard has a touchingly optimistic faith in the biometric ID fairy’s capabilities (even while appreciating that researchers have shown it is possible to spoof these systems).

Biometric IDs seem to be about as close to a perfect identification system as you can get. These types of IDs are based on the unique physical traits of individuals, such as fingerprints, irises, or even the veins in your hand. In recent years, however, security researchers have demonstrated that it is possible to fool many, if not most, forms of biometric identification.

A couple of problems here, which I discussed at much greater length in this post from last year, Biometric ID Fairy: A Misguided Response to the Equifax Mess that Will Only Enrich Cybersecurity Grifters and Strengthen the Surveillance State. First, unlike a password or number, biometrics cannot be changed. So if your biometric ID is hacked, you cannot replace your fingers, or get a new eyeball.

Second is the confusion between identification and authentication — which in that post, our own Richard Smith described as a “big unsolved problem”– until we figure out how to build hackproof systems. (In the interests of keeping this post short, I won’t repeat those arguments here – as they’re not central to this discussion. I refer interested readers to that prior post.)

Beyond Smartphones

This paper focused on smartphones only- but the researchers suggest their research has broader applicability.

Does this mean that bands of marauding mischiefmakers will overnight find ways to breach existing security systems?

No.

Why?

Four points here. First, the current state of research is at the proof of concept stage – rather than on the verge of designing systems that can weaponize the concept. Or at least it seems, based on publicly reported research — who knows what the criminal masterminds are up to in their secret lairs?

Second, for ergonomic reasons, smartphone fingerprint systems are small in size, and obtain only partial images of a user’s fingerprint. According to the paper (p.1):

Since small portions of a fingerprint are not as distinctive as the full fingerprint, the chances of a partial fingerprint (from one finger) being incorrectly matched with another partial fingerprint (from a different finger) are higher.

Meaning that it may be much more difficult to achieve similar results when matching full fingerprints.

Third, hardware, algorithms, and more rigorous engineering all matter here, and all cost money, wrote a security expert I consulted (unfortunately, having neglected to secure permission to use this person’s name, I’ve elected not to attribute these thoughts directly, and trust I will be forgiven for shamelessly cribbing some of the following ideas – sometimes in the same words that they were conveyed to me). In the design of the most secure systems, groups with resources tend to build layered defenses that lever multiple factors: e.g. something you know – a password; something that you own – an ID card; something that you are – a biometric. On top of that, such systems also incorporate additional controls (e.g. man traps, armed guards, CCTVs). The more of these elements the system incorporates, the more secure it would be – although the cost of creating and maintaining such a level of security is significant.

Fourth, when designing the ID system itself, in the trade-off between systems that produce lots of false positives – e.g., allowing you or I to pass as Donald Trump and enter the White House situation room (assuming we could get the hair and mannerisms right) – and too many false negatives –  e.g., preventing Donald Trump from entering the room – the more secure systems skew toward minimizing false positives, at the expense of allowing more false negatives. This is how it should be. In these more secure systems, biometrics would be only one part of the security protocol, and there are presumably real live humans involved who can override or reboot the protocol – or use a back-up procedure – if a problem were to arise.

By contrast, smartphones err to the side of the fingerprint ID spectrum that minimizes false negatives. They are presumably engineered to allow users who’ve had a night on the town to be able to access their system – no matter the deterioration in fine motor skills that might have resulted from said night on the town. Plus, they’re designed to work even if the fingertip presented is in less than an optimal state: if it’s marred by the remnants of ribs, fish and chips, kebabs, or the vegan equivalent. Even with one’s finger in such a condition, users still expect to be able to use their smartphones.

All I’m suggesting here is that if the concept is proven using smartphone fingerprint sensors, it may not necessarily work with more sophisticated sensors – and further research would be necessary.

Also, permit me another aside. At present, who would bother creating such a hacking system?  It might just be easier either to use tried and tested stick ‘em up methods – “Insert your finger, or grandma gets it” – or simple state coercion – “Insert your finger, and I’ll clear you through passport control”- rather than employing the engineered fruits that may follow from the research discussed here.

The Bottom Line

Research like this is another reason the biometric ID fairy can’t solve ID theft and fraud problems. Also, it suggests hackers might exploit this vulnerability of  smartphone fingerprint sensors – perhaps sooner rather than later – and compromise your device. But I suspect, dear readers, most of you already know that.

Print Friendly, PDF & Email

16 comments

  1. Sparkling

    Not obvious at all. I had no idea that current technology was capable of duplicating an actual fingerprint. That being said, it was inevitable that hackers would find a way around this sort of thing– they always do.

    Reply
  2. Synoia

    Fingerprints also fade with age and use of fingers. They are subject to wear, and moisture levels in the skin.

    Old dry fingers yield poor prints.

    Thus I conclude one must take up a life of crime after the age of 50. /s

    Reply
  3. a different chris

    Hint: everything the tech industry is doing today has basically been explained in the Wizard Of Oz. In other words, way way less than it appears. A little guy behind an impressive curtian.

    I suspect – don’t know, but c’mon this is what they do – that they break the fingerprint down into parameters. These parameters can, if you like, be reconstructed into a “fingerprint”. The problem is that I don’t care how many parameters you have, you can’t do the famous xkcd “correct horse battery staple” analysis because a whorl on my finger has to continue for a ways. So unlike “horse” and “battery”, which have no connection anybody can really imagine, all those parameters are not independent.

    At least not until you get to the point where every parameter is simply a pixel. And if you have too many parameters (aka every pixel must match) then you can never get the darn thing to work.

    You can’t win this game. But you can get a lot of fawning press and $$$$ (can’t get chicks though, because, well software engineers) and the rest of us get fooled again.

    Reply
  4. flora

    The “old school” way to spoof a fingerprint, at, say, a fingerprint security door lock, was to wait until someone with valid credentials to open door used their fingerprint to enter; then ‘bad guy’ uses a piece of cellophane tape pressed lightly over the door’s fingerprint reader to lift the print (the oils left behind) from the reader; then ‘bad guy’ uses the tape in future by holding it in front of his own finger to press the fingerprint reader.

    Newer “old school” spoofing tech is printing a photo of a fingerprint on a surface and using that. The ink or toner creates a surface. From 2013:
    https://www.imore.com/touch-id-fooled-not-hacked-lifted-fingerprint

    But Chaos Computer Club spokesman Frank Rieger says biometric security like Touch ID has more nefarious implications.

    ” Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.”

    Now tech has created a master finger print – like a door lock master key. Not surprising.

    Reply
  5. Anders K

    Typo’s and minor things:

    The first section starting with “Third” seems to have a font size change.

    The second section starting with “Third” should, probably, be starting with “Fourth” instead.

    Some comments:

    @Sparkling:
    What is described here is not attacking the fingerprints as such, but the system that reads the fingerprints. As a different chris mentions, what is likely to happen is that the scanner converts your fingerprint (the part that it seems) into data, and then comparing the stored data with the newly scanned data. If the parameters match – or are sufficiently similar – the fingerprint is identified as the belonging to a user and the person accessing the phone is authorized to use it.

    In general, there is a reason why some more secure settings usually require you to input your PIN code instead (not that the regular pin codes are that much of a protection). As said in the main article, fingerprints and face ID are used as conveniences rather than adding more security.

    True security for smartphones would ideally require some sort of dongle – maybe a USB-C stick which you keep on a bracelet, which some data that, when coupled with your password, decrypts your phone. Note that such a phone would not be useful when not decrypted (maybe a hybrid feature could allow some unsecure communication in memory only, but this is not secure), to the extent of not getting any emails while you are not logged in.

    As it is, the current use patterns of our phones do not match with how a truly secure device might be designed, and we will not be able to get to really secure smartphones from where we stand. We may get secure-ish areas, and you can certainly up your security a smidgen by encrypting your phone, not allowing apps access to the lock screen, but all of these security features tend to take away ease of usability.

    Note that a truly secure smartphone is not in the interest of that many people, and some organizations are most likely actively working against it, and couple it with the probable low market interest, and you are likely to get secure-ish smartphones only at high prices and only from a small number of places. This increses the chance that a vulnerability sneaks in by mistake, and marks anyone using such a device as someone with something to hide.

    Reply
    1. Jerri-Lynn Scofield Post author

      Thanks for your comment. I’ve corrected the typos and minor things – and appreciate you bringing them to my attention.

      Reply
  6. Marco

    “By contrast, smartphones err to the side of the fingerprint ID spectrum that minimizes false negatives. They are presumably engineered to allow users who’ve had a night on the town to be able to access their system – no matter the deterioration in fine motor skills that might have resulted from said night on the town. Plus, they’re designed to work even if the fingertip presented is in less than an optimal state: if it’s marred by the remnants of ribs, fish and chips, kebabs, or the vegan equivalent. Even with one’s finger in such a condition, users still expect to be able to use their smartphone.”

    Are they really designed to work when your fingertip is in less than an optimal state? Of course this is only my own experience but my Touch ID (Apple) does not work 90% of the time when it’s raining/when I have wet fingers. Neither does it work when I have ribs, fish and chips, kebab or any food equivalent on them. And who wants to smear that **** on their phone in the first place? Wash your hands first, the glass already gets dirty so quickly!

    Reply
  7. Karma Fubar

    “MasterPrints are real or synthetic fingerprints that can fortuitously match with a large number of fingerprints…”

    I like the idea that there might be some people that have been born with the master print, and have the near magical ability to unlock a large number of “secure” devices. This superpower is almost certainly unknown to them at the moment; no one ever having thought to look for it. The FBI must have a huge file of fingerprints, and could be searched with these master prints as an input to find individuals with close or exact matches.

    Not sure what you would do or tell these people if you found master print matches.

    But it does make for a good plot point for a modern e-crime caper movie.

    Reply
    1. Jeff W

      …some people that have been born with the master print, and have the near magical ability to unlock a large number of “secure” devices.

      Haha, I love that! It would make for an interesting e-crime caper movie except that maybe the FBI would have a good idea who the perpetrators might be if its records are being used to find those people in the first place.

      Reply
  8. chuck roast

    Fidelity asked me if I wanted to switch from a letter/number ID to a “voice activated” ID to access my account. I don’t think that they cared for my response when I activated my voice.
    Also, I make them send me paper copies of my accounts every month.
    They keep requesting that I go digital. I like my digits to pick up the mail. I firmly expect that one day my balance become so low that they tell me to buzz-off with the rest of hoi-polli.

    Reply
  9. The Rev Kev

    If somebody gets arrested, they take them downtown where they book them in, take photographs of them and fingerprint them. And yet people in recent years have piled on to being ID’d as well as submitting their photographs and giving their fingerprint. Strange that. Certainly with technology and a few street smarts, it was only a matter of time before mobiles could be spoofed to give up access and here is proof of that. Maybe time to go back to obscure passwords again, even if it is not considered ‘cool’. More to the point, going back to dumb mobiles that do not have this ID capability.

    Reply
    1. Prairie Bear

      Also, mailing off their DNA sample to some place, along with a signed, 10,000-word user agreement they haven’t read. I strongly suspect that at least once over the years, that’s been gathered via some medical visit anyway, along with results of blood tests I haven’t agreed to. I’ll be damned if I make it easier for them.

      Reply
  10. Hepativore

    How would biometric ID systems also get around the problem of criminals killing somebody and using their severed hand or eye to unlock various devices? Will a fingerprint or retina scanner still work even if they came from somebody recently deceased?

    Reply
  11. charles 2

    I would object to the assertion that “Identification and Authentication are big unsolved problems”. In the US maybe, but in my country of residence, identification is performed by simultaneously :
    1) compare two fingerprints to database (the two fingerprints have low correlation)
    2) compare with face
    3) visual inspection by a human
    then, and only then, can you type your secret password (the officer literally hands you its keyboard) that will serve as authentication as strong as the password you choose.
    If, like me, your memory is not strong enough to remember all your password, you can opt-in for a 2FA physical security token (as I store my passwords on my smartphone, mobile based 2FA would be useless).
    All government services are secured by this authentication, including the equivalent of social security.
    The only missing piece is that the private sector is slow in taking it up (there is an authentication API available), in particular the banks. As of today, only securities company (broker dealers and the exchange) are using it, but, notably, not the banks and credit card companies to open accounts.
    This being said, I would have to admit that the problem is solved only at a technical level, not a human one. Following successful phishing attacks, the government decided to switch to all-biometric authentication in the future to essentially protect people from themselves. Another example of a good engineered solution wasted by politicians… I hope that I will still have the option to keep my password !

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *