Toshiba Puts Fingerprint Readers on Cell Phones

An anonymous reader writes "As if it wasn't enough to have fingerprint scanners on laptops, Toshiba has put them on two of its latest smart phones. The Toshiba G500 and G900 feature fingerprint scanners on the back of the handsets, allowing users to access their phone by simply sliding their finger over the scanner. This is supposed to provide a better level of security than using a code of some sort. Of course it also means that someone is more likely to chop your hand off if they desperately want your data."

I'd slide it a finger allright...

[Zapotek]

The Toshiba G500 and G900 feature fingerprint scanners on the back of the handsets, allowing users to access their phone by simply sliding their finger over the scanner.

...and that would be the middle one.

IMHO it's far more complex than necessary, more cool features == more things waiting to fail.

Re:I'd slide it a finger allright...

[SimonInOz]

I have one of these Toshibas. The fingerprint scan works mostly - but it doesn't work very well if you are cold (maybe it thinks you are dead ... how would Spike [a vampire - info for those foolish few who don't follow Buffy] operate one of these?)
Also the software for handling the login process is pretty sucky - it's hard to handle the mail server which tends to come up with different names, etc etc. I eventually disabled it for all except the main login, which works well enough to cope with. I have done better than most - who have given in.

On a phone, it could be a pain - but at least it has to do only one thing. Entering a six digit password (as I must on my corporate Blackberry) is *very* painful, though, and a fingerprint scan would defintely be better than that.

Re:I'd slide it a finger allright...

[Cheetahfeathers]

Driving needs too be a phone free situation, hands free phone or not. Studies on the subject have shown that hands free phones are little better for driving than a hand held unit. http://www.livescience.com/humanbiology/060629_cel l_phones.html

Re:I'd slide it a finger allright...

[HairyCanary]

If we ban hands free cell phones in cars, we might as well ban passengers too. And kids. At some point we just have to accept that personal responsibility needs to play a larger role than law.

Better security?

[Niten]

Of course it also means that someone is more likely to chop your hand off if they desperately want your data.

More realistically, you'd also have to worry about somebody lifting your fingerprint from, say, the phone itself, then using that to log in. The MythBusters did a segment showing how easy it is to lift somebody's fingerprint, then use that print to defeat a scanner.

This thing isn't going to increase security, it's only going to increase convenience.

Re:Better security?

[sporkme]

You're absolutely right, but I would argue that it does not really even increase convenience. The last thing I need when my phone is ringing in a meeting, while driving, or at the dinner table is the horrific realization that I have forgotten to unlock the phone, and thus I must now meticulously subject myself to a fingerprint scan. Furthermore, many of us are negligent with proper care and handling of our cellphones. Until now that might result in a cracked outer screen or intermittently functioning button, but never in a total lock-out of an otherwise functional phone. So what happens when the reader is damaged? A hefty repair bill is what, and up to a month without that uber-vital super-secret data that just had to be protected with biometrics.

I have always felt that fingerprint scanning was ridiculous and cumbersome sci-fi, but real tests against this kind of security have shown that it is a waste of time and money. There is no replacement for properly managed and complicated password systems coupled with strong encryption. I regularly show friends and family how to create passwords that can be remembered but not guessed, and how to manage passwords that are outdated.

This reminds me of two prior /. stories. Bank employees merrily collected USB flashdrives that were scattered outside and proceeded to plug them into their terminals. Old cellphones purchased on eBay reveal secret data.

Re:Better security?

[MobileTatsu-NJG]

"This thing isn't going to increase security, it's only going to increase convenience."

Easy to defeat != no effect on security. Otherwise nobody'd lock their car doors. Afterall, it only takes a hammer to get in.

Re:Better security?

[jrumney]

The last thing I need when my phone is ringing in a meeting, while driving, or at the dinner table is the horrific realization that I have forgotten to unlock the phone

On every phone I have seen, you can answer incoming calls when the phone is locked. What you can't do is make outgoing calls, or browse through the phonebook, calendar and other personal information on the phone. I don't see any reason why this would change just because the authentication technology changed from a PIN to a fingerprint.

Re:Better security?

[jrumney]

When biometric technology was new, it was expensive, and the only customers were military and other high security installations who are always looking for ways to increase the perception of security, if not the actual security. So technology to measure pulse, body temperature etc was built into the scanners from an early stage, to counter the sci-fi movie ideas of cutting off fingers, ripping out eyeballs etc to get around the biometric security.

More recently though, there has been a drive to cut costs and minaturize the scanners so they can be included in laptops and phones. I wouldn't be surprised if these scanners were susceptible to some of these basic attacks, perhaps even allowing access to 2D reproductions of a fingerprint, which is the most likely exploit to be tried.

Re:Better security?

[ngc3242]

As someone that works for a major fingerprint sensor manufacturer, I can say that the MythBusters did not select high quality sensors to test against. I'm getting a little tired of people who's entire pool of knowledge about fingerprint sensing is based on this one television making conclusions based on bad information. I'm not familiar with the door lock sensor specifically, but I can tell from observing it that it is an optical sensor. Whatever live tissue sensing that manufacturer claims to have is obviously not very good because the sensor was defeated with a moist picture of a fingerprint. The sensor they used on the computer I am familiar with, and it is about three years old. It is, however, based on a much better technology where flesh is live layer of skin is imaged using RF. Unfortunately, the sensor they used is not state of the art, and in fact probably may have been fooled by the circuit board they etched without going to the additional trouble of making the gel finger. Current technology is collecting more information, and is much harder to fool. Which of course implies that it isn't perfect, but it what is? The real issue for me is "is fingerprint technology increasing or decreasing security?" The narrator made a comment that beating those sensors took them 3 days. In some cases this represents an improvment in security, although not probably for a computer users password (due to brute force password attempts causing lockout..if you have the opportunity to brute force without causing a lock out, then 3 days is probably longer than the password hack would take for most user's passwords.) Think about what the finger print door lock is replacing. One of those mechanical pin locks? Brute forcing a 4 digit pin doesn't take too long, and you can drastically reduce the time required simply by observing someone use the lock and observing a digit or two. You could use a chemical that flouresces under ultraviolet light to see which pins get pressed. For a keyed lock you can just got out and buy a lock picking device. There are certainly cases where even this really bad lock is an improvement. Regarding the phone, even as strictly a convience feature the fingerprint sensor is a nice to have. The Japanese have been using sensors in phones for years, and they love them. You can think of the sensor as a little touch pad for your phone if you don't want to use it for security. You can cursor around menus and play games using the fingerprint sensor as a touch pad. Generally, stay away from sensors that only require you to touch the device and hold your finger there. Touch sensors are either optical sensors which need to have some sort of supporing live tissue sensing technology or a really old non-optical sensor. The new non-optical sensors all look like the ones on this phone. A small sliver of silicon over which you drag your finger.

Nice way to get everyone's finger print on record

[Pizaz]

I mean really, what's the guarantee that your fingerprint data wont be uploaded through the network and stored in a big database somewhere?

gummy bears

[MillionthMonkey]

That stuff they make gummy bears out of is great for making fake fingerprints using someone's latent print, some crazy glue, a digital camera, Photoshop, a transparency sheet, a photo-sensitive PCB, and gummy bear gelatin. You can destroy everything but the gelatin, break into a facility that uses a fingerprint reader for security, and then eat the last bit of evidence.

Already Existing Technology?

[Poptarts]

If I'm not mistaken, this technology has already been implemented in some Japanese phones. I recall seeing it advertised on the http://www.nttdocomo.com/ website more than a year ago. Other features at the time included what equates to our PayPass, except that it was inside your cell phone. Another more widely used feature was the barcode scanners that would allow you to take a picture with your phone's camera of a square-shaped barcode that could be found on many advertisements and products and then find more information using the phone's web browser. Perhaps I misread the website a long time ago, but I'm pretty sure some other phone has already been released with that capability.

Backdoor?

[VincenzoRomano]

Almost all phones have backdoors that can be used easily without opening the phone itself.
All of them can be "cracked" by opening the case.
Both are available for repair centers (and hackers as well).
So if someone really needs your data, he will get them, with or without your chopped finger!

Re:But I Have

[Shadyman]

Well, it sounds like you need a hand.

Give him a hand?

[MarkRose]

If someone wants to chop my hand off to use my cell, well, I'll just give him the finger!

Nothing new!

[KNicolson]

My wife's phone from three years ago had one. It also incorporated a dog game/simulator, and one of the ways to make the dog happy was to get your fingerprint swiped in order to pet the dog.

Now, what is new and interesting is the 813SH for Biz which has a remote control data destruct option, or even the slightly older P903i which comes with a wireless DES dongle that locks the phone once it gets out of range.

Re:I'll buy one

[DrSkwid]

> The need for security is actually higher for a mobile handset than for a laptop, as they get lost far more often.

So why carry unencrypted sensitive data on them ?

What happens if the scanner breaks?

[antifoidulus]

I asked this at a research conference once(it was about mobile phone security as well) and the researcher, who had drawn out all these equations showing how wonderful the fingerprint security was couldn't answer me. For a device like a mobile phone that tends to get tossed around and abused a lot, I wouldn't imagine that the scanner breaking would be all that rare of an occurence. However, the researcher just said that if the fingerprint scanning device was broken, then you could use a password instead, of course this was after he spent the first 5 minutes of his presentation telling us how passwords were insecure. Assuming that passwords are insecure, wouldn't the first thing an attacker does when getting the phone be to smash the fingerprint scanner? Then what was the point?

fingerprint recognition

[Elusive_Cure]

as i have previously mentioned in an older post, i used to participate in a reasearch at my uni for a major mobile phone company (sony ericsson) for the implementation of fingerprint recognition on cell phones and other mobile devices (PDAs,notebooks,etc). Personally i preffer the fingerprint sollution rather than the RFID one because the phone's security is up to you and not as "hollow" as RFID can be by the use of reverse engineering. It's simple, if your phone is stolen the perp needs to have your thumb or else the phone is just another piece of garbage. You cannot reverse engineer a fingerprint simply because you cannot have a clue on how the actual fingerpint is shaped, while the scanning software is something very ubiquitous and tough to be "hacked" by someone who hasn't got a clue of the scanning algorithms.

Re:If it works as badly as Lenovo's...

[Dunbal]

If someone's actually willing to chop of your finger or hand, are you really going to give them a hassle about it?

      You bet.

      What, are you just going to "do what the gun says"? Your best chance is to try to get away. Who says they're not going to kill you, if they're willing to cut your finger off. Why leave a witness alive?

Oh dear, where do I begin..

[cheros]

Groan. Here we go again..

I think Toshiba is breaking new ground with this phone and its release is likely to start a trend.

I most certainly hope not, for reasons stated below.

The need for security is actually higher for a mobile handset than for a laptop, as they get lost far more often.

The need for protecting an asset has little to do with the frequency or potential for loss, more with the information that would be lost or compromised (different facets with different ratings) and that is a very personal assessment. The Paris Hilton hack was very dangerous because her Sidekick contained personal numbers for people that have to fight hard as it is to have some sort of private life and security, but a Mr Average phone is not going to hold data of sufficient value to offer up irreplacable body parts for. You can replace a phone, you can replace numbers but you can't replace a cut off finger (given the likely conditions under which the amputation would occur you can give up any hope on re-attachment as well).

And despite the various comments about cutting off fingers and lifting fingerprints, have we seen much of that in the laptop world? No. Will it happen one day? Maybe.

In laptop world the fingerprint scanner is (a) a relative new device and (b) not working so well, so thankfully most people don't use it. Also, most laptops are removed without the users' knowledge because it's often important to have some time before the theft is discovered (in case of targeted theft) and (using Windows) breaking into the unencrypted device is just a matter of booting up from a CD.

Now imagine a world where biometrics are the ONLY way to gain access - at that point you will lose the option to give in under threat and provide a password - your finger WILL be used, with or without you inconveniently attached to it. It can get even worse: with passwords it requires on your collaboration so there's an interest in keeping you alive. With biometrics-only devices an assailant has the wonderful option of killing you first, then using your chopped off digit in the comfort of his own place with a nice cold beer. That's quite a handy option for them because it stops you from becoming a risk later.

So, with implementing biometrics I would ask the Clint Eastwood question: "Do you feel lucky?".

What if ...

[toygar.ozturk]

my hands are dirty?

The Man

[Dystopian+Rebel]

unless you already think that "The Man" will do what it wants, no matter what

Fortunately for democracy in the USA, The Man is strictly limited in what He can do by the Patriot Act.

yeah

[DrSkwid]

*surely* there's only *one* binary

congratulations, you're number 3 (0100) not 2 (0011) or 1 (0001)

to feel the need to correct me