Slashdot Mirror


Fingerprint-Protected Phones Vulnerable To Inkjet Attack (softpedia.com)

An anonymous reader writes: Two researchers have come up with a new method of hacking smartphones that use fingerprint biometrics to protect and lock the user's data. Their method only needs a regular inkjet printer, three AgIC silver conductive ink cartridges, a normal black ink cartridge, and special AgIC paper. The entire attack takes no more than 15 minutes. Current tests only included a Samsung Galaxy S6 and a Huawei Honor 7. The researchers said that while the Samsung was easy to crack, the Huawei phone needed more tries.

56 comments

  1. Well, Duh... by Anonymous Coward · · Score: 5, Insightful

    We keep seeing this over and over again with bio-metric "security". Bio-metrics are not passwords, and should never have been considered as passwords. Bio-metrics are USER IDs, nothing more. They only identify individual users, they do not authenticate them.

    1. Re:Well, Duh... by itsdapead · · Score: 2

      > They only identify individual users, they do not authenticate them.

      But... but... even if you've stolen somebody's phone you still need a copy of their fingerprint to use this method. You'd need to get hold of something they'd handled recently, preferably with a nice shiny glass or plastic surface, like maybe a.... Oh, wait, yeah, a mobile phone. :-)

      Seriously, though - there is a role for "weak" protection like this as a "line in the sand" - if you have to break a security measure, however feeble, then it's hard to subsequently claim innocence or good faith. That's fine, provided everybody knows and understands that limitation.

      End of the day - fingerprint protection makes your phone more secure than your wallet, and is more convenient than a strong password or PIN. It doesn't make your phone a fortress.

      --
      In a survey of 100 programmers, 111111 thought that duck-typing was a good idea.
    2. Re:Well, Duh... by jimbo · · Score: 1

      Indeed and around here most phones are stolen by crack-heads and the like; there's no way they'll do anything sophisticated. If they can't unlock it immediately they'll try to fob it off on somebody who doesn't realize it's locked or sell it for parts (screen).

    3. Re:Well, Duh... by slashping · · Score: 1

      > You'd need to get hold of something they'd handled recently, preferably with a nice shiny glass or plastic surface, like maybe a.... Oh, wait, yeah, a mobile phone. :-)

      Or you simply cut off their finger.

  2. iPhone5S or GTFO by rsborg · · Score: 2, Interesting

    Clearly their tests didn't work against the industry standard-bearer for biometric login, or their title would be different. So has anyone done work on this since the CCC showed an expensive, detailed attack?

    --
    Make sure everyone's vote counts: Verified Voting
    1. Re:iPhone5S or GTFO by 93+Escort+Wagon · · Score: 4, Insightful

      If it had worked on an iPhone, the headline would've said "iPhone fingerprint sensor easily defeated with an inkjet printer". The Android phones wouldn't have been mentioned until page two or three of the article.

      --
      #DeleteChrome
    2. Re:iPhone5S or GTFO by Anonymous Coward · · Score: 1

      That is probably true, but I don't understand it. Android phones absolutely trounce Apple in sales; even a single vendor, Samsung, destroys Apple in total sales, yet the press is always more interested in Apple.

    3. Re:iPhone5S or GTFO by Anonymous Coward · · Score: 0

      So Apple users are more likely to get their finger cut off by criminals or the henchmen of dictators?

    4. Re:iPhone5S or GTFO by JaredOfEuropa · · Score: 1, Insightful

      They do not just trounce Apple in sales, but often in specs as well. But in terms of profits, Apple solidly beats them. Still, I think the main reason that the press is more interested in Apple is simply because the public is. They still perceive them as the premium brand that sets the yardstick and is more secure than the others. "Huawei Horror 7 fingerprint scanner defeated" will not garner nearly as many eyeballs as "iPhone fingerprint scanner unsafe!" in the tech press, and an article about broken Android security would not even run in the mainstream press.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    5. Re:iPhone5S or GTFO by Anonymous Coward · · Score: 1

      Of course the media isn't going to report on Android security being broken. Pretty much everyone already knows that Android isn't secure. Customers don't have an expectation of security when buying Android devices like they do when buying iPhones. That's a fact demonstrated by many surveys of consumers. If you're wanting the mainstream media to run articles about Android being vulnerable to attacks, they should probably also start running stories about how water is wet, the sun goes below the horizon at night, and hot tea is hot. The constant stream of Android vulnerabilities and lack of updates from vendors guarantee that Android will continue to be vulnerable, and nobody expects otherwise.

    6. Re:iPhone5S or GTFO by allo · · Score: 1

      > a fact demonstrated by many surveys of consumers
      Citations or GTFO

    7. Re:iPhone5S or GTFO by Anonymous Coward · · Score: 0

      > Of course the media isn't going to report on Android security being broken. Pretty much everyone already knows that Android isn't secure. Customers don't have an expectation of security when buying Android devices like they do when buying iPhones.

      Or the Android buyers just have a more realistic view of tech and tech security than iPhone buyers. Might align well with why they're buying Androids instead of iPhones...

    8. Re:iPhone5S or GTFO by Anonymous Coward · · Score: 0

      > Pretty much everyone already knows that Android isn't secure. Customers don't have an expectation of security when buying Android devices like they do when buying iPhones.

      Or battery life, or games, or a good apps store, either. And with the extensive Java, and a 3rd party customized Java, they can't expect it to *ever* be reliable.

      Been there, done that, lost a job because of the horrible handling of text messages on a Thunderbolt.

    9. Re: iPhone5S or GTFO by Anonymous Coward · · Score: 0

      Who is buying all these Androids? Mostly I see people using iPhones. Does Google have a phone buying bot?

    10. Re:iPhone5S or GTFO by Bing+Tsher+E · · Score: 1

      I looked at the article summary, and felt refreshed that it wasn't more spam about Apple's iPhone. Thanks for making sure to compensate for that down here in the comments.

    11. Re:iPhone5S or GTFO by Anonymous Coward · · Score: 0

      > And with the extensive Java, and a 3rd party customized Java, they can't expect it to *ever* be reliable.

      What?

      Stop talking about things you don't understand.

    12. Re:iPhone5S or GTFO by Anonymous Coward · · Score: 0

      For iPhones there's the glue fingerprint spoofing attack.

  3. I'm actually surprised by Anonymous Coward · · Score: 0

    That it's that long and complicated. Honestly, for once, I expected it to be something pathetic and overly simple, like what they do on TV.

    Either way, I do not look forward to people taking a finger or an eyeball when they mug you from now on...

    1. Re: I'm actually surprised by Anonymous Coward · · Score: 1

      Then this should be good news for you. They don't need to cut off your finger and pump warm saline through it. One fingerprint is enough.

    2. Re: I'm actually surprised by Anonymous Coward · · Score: 0

      Actually, it makes me wonder about a good 3D printer, the laser gel version, print a finger, with prints?

  4. Re: agreed by Anonymous Coward · · Score: 1

    And? Mother's maiden name falls under one of those categories too, but that doesn't mean either is a good authentication factor.

  5. Re: First Post! by Anonymous Coward · · Score: 1

    As TFA says, the iPhone sensor was already hacked by the CCC. I don't see why the new simpler method shouldn't also work on iPhones.

  6. Lol by Anonymous Coward · · Score: 1

    Or they could be a fan boy like the parent post and not try lol

  7. Hey atheists by Anonymous Coward · · Score: 0, Offtopic

    Why do atheists have funerals?

    Why do worshippers of atheism get dressed up in suits, dress up the CORPSE ITSELF in a suit, hold moments of silence/reflection, all in a formal ceremony for what the atheist religion dictates is nothing more than decomposing matter? Theists' belief of man's transcendent worth answers why they do.

    What is the atheists' answer?

    1. Re:Hey atheists by Anonymous Coward · · Score: 0

      Really? In a story about phones?

    2. Re:Hey atheists by Anonymous Coward · · Score: 0, Offtopic

      Obvious troll is obvious.

      Nonetheless, I'll bite. Atheism isn't a religion. But I don't even know that funerals have a religious purpose in mainstream religions.

      If a deceased person is simply decomposing matter, then there is no point. But there is a form of afterlife that atheists agree exists. That person has a legacy and those who are alive have memories and emotional connections to that person. A funeral honors that legacy, allows the living to share their memories, to mourn the person's passing, and to celebrate the person's life.

      But even religions that focus on an afterlife tend not to use funerals for religious purposes. For example, I'm Roman Catholic. There's a particularly strong connection between the living and the dead in Catholicism. The living can help souls in Purgatory get to Heaven. And the souls in Heaven (the saints) can pray to God to intercede on behalf of the living. The funeral doesn't serve any of these purposes, though. A Catholic funeral serves the same purpose as an atheist funeral. The living help souls in Purgatory get to Heaven through prayer and the holy mass. The living use prayer to ask the saints to pray to God on our behalf.

      Basically, you did a particularly bad job of trolling. Your post is very offtopic. It also completely misunderstands the purpose of a funeral, whether for a religious person or an atheist. Funerals are for the living.

    3. Re: Hey atheists by Anonymous Coward · · Score: 0, Offtopic

      My body can be harvested or left for the crows. I don't care, I'm dead, but my family might.

    4. Re:Hey atheists by Anonymous Coward · · Score: 0

      My God can beat up your God

  8. Re:First Post! by softnewsit · · Score: 1

    The "incredible" iPhone was already hacked by the CCC just a few hours after it was released.... so puff goes the theory of iPhone's invincibility

    --
    Go away!
  9. An iPhone can be unlocked with glue... by JackAxe · · Score: 2

    Both the iPhone 5c and iPhone 6: https://www.youtube.com/watch?...

    Here's another video showing how easy the iPhone can be unlocked by a spoof: https://www.youtube.com/watch?...

    So, why bother with this inkjet setup? It seems complicated compared to just using glue or what appears to be tape.

    1. Re:An iPhone can be unlocked with glue... by Bing+Tsher+E · · Score: 1

      > So, why bother with this inkjet setup? It seems complicated compared to just using glue or what appears to be tape.

      This is just conjecture, but maybe that trick doesn't work on anything but an iPhone? Possibly this more extreme method is needed for other brands of smartphone?

  10. Re: agreed by Anonymous Coward · · Score: 0, Insightful

    Please learn how to read.

  11. What about the Huawei Torpor? by Anonymous Coward · · Score: 0

    I'm too sleepy to find ouzzzzzzzzzz

  12. Mythbusters already did it by Anonymous Coward · · Score: 0

    And then they died.

    Finally!

    Like having to watch dementia take a loved one, that Mythbusters show was for many years now.

  13. Is this supposed to be new? by WoOS · · Score: 1

    The German CCC (Chaos Computer Club) did this already in 2004 and went on to "publish" the fingerprint [sorry, in German only] of the then German minister of the interior, tele-photoed off a glass used during a press conference.

    So what is new now? Using a 3D printer instead of a laser printer?

    1. Re: Is this supposed to be new? by Anonymous Coward · · Score: 0

      It's like the patent system, tack on "using a 3D printer" to an established process and bam, new process!

    2. Re:Is this supposed to be new? by Anonymous Coward · · Score: 0

      They unlocked a Galaxy S6 in 2004? That's pretty impressive!

      The S6 was made with knowledge of attacks against fingerprint scanners - so it's reasonable to expect that they've made some attempt to prevent them.

  14. my fingers are too exposed by Anonymous Coward · · Score: 1

    I'll use my genital warts pattern for authentication from now on.

  15. Re: First Post! by Anonymous Coward · · Score: 0

    To the original poster's comments, the iPhone 5S was compromised using an entirely different technique. This fact is mentioned in TFA. The question was whether the iPhone's sensor was susceptible to this new attack. That question was not answered in TFA and Apple haters took it as reason to attack rather than think about formulating an actual, rational, answer to the question posed.

  16. Re: agreed by nospam007 · · Score: 1

    > And? Mother's maiden name falls under one of those categories too, but that doesn't mean either is a good authentication factor.

    Not everybody has one of those. I'm from Luxembourg and we have the French system.

    "Since the 1789 Revolution, the law stipulates that "no one may use another name than that given on his birth certificate""

  17. Finally by Anonymous Coward · · Score: 0

    Finally, there is something inkjet printers are useful for!

  18. I wonder by koan · · Score: 1

    How many of those fingerprints wind up in a government data base.

    --
    "If any question why we died, Tell them because our fathers lied."
  19. Re: First Post! by Anonymous Coward · · Score: 0

    Wrong, repeat wrong again. Fanboys should ask, if the sensor is different. Did Apple change to a different type, of fingerprint sensor? Different algorithms for the device? Or just left it alone?

  20. No problem by maestroX · · Score: 1

    The next release (of the phone) will fix this.

  21. Definitely don't identify. A PIN or physical key by raymorris · · Score: 1

    Today's consumer biometrics really are a lot like PIN numbers or physical keys made of brass. If a particular scanner has a one-in-million chance of a false match, that means that hundreds of people in the US will have the same type of fingerprint, within the ability of the system to classify them. That is, one scan of my finger is unlikely to "match" a scan of YOUR finger, but it's very likely to match the scan of SOMEONE'S finger. Much like some people will use the same PIN number on their debit card, but it's unlikely that you specifically use the same PIN that I use.

    They therefore do NOT identify one user out of millions. Physical keys, like you use on your front door, are similar- the #1 manufacturer, Kwikset, only makes about 20,000 different keys. A locksmith can pick a lock in seconds or minutes. Yet that's good enough for the vast majority of security needs.

    Like PIN numbers, current consumer biometrics are good in either of two roles:

    Weak authentication (like a signature or PIN, or physical key). For most things in my life, I'm not worried about the NSA. A four-digit number, Kwikset key, or cheap fingerprint scanner is sufficient to secure my kid's locker at school, or keep the kid out of the chemicals cabinet in the garage. It's fine for securing my fireworks box because someone could just BUY $500 worth of fireworks. My security just needs to encourage people to buy their own rather than taking mine.

    Multi-factor authentication. If you have my key fob in your pocket, AND pass fingerprint authentication, you can take my car. You can spend money from my bank account if you know my (strong) password AND pass fingerprint auth AND don't trigger the bank's fraud detection algorithms.

  22. No gummy bears? by Antique+Geekmeister · · Score: 1

    Fingerprint scanners have long been proven vulnerable to the most elementary of attacks. There is a stack of references to gelatin based fingerprint replication, including http://www.theregister.co.uk/2... And MythBusters did a very useful comparison of the most robust and expensive fingerprint scanners at https://www.youtube.com/watch?... .

  23. sandberdino? by Anonymous Coward · · Score: 0

    So those phones the FBI has could be opened this easily?

  24. fingerprints have been spoofed for decades by Petronius+Arbiter · · Score: 1

    Two New York State police from Troop C (Binghamton) were convicted and jailed for spoofing fingerprints (and possibly other physical evidence) about 20-30 years ago. IIRC, they used scotch tape to lift the print of the innocent person they wanted to frame and then deposited the print on the piece of evidence connected to the crime.

    So, even w/o using computers, fingerprints can be faked. Physical evidence is not as solid as prosecutors claim, but we already knew that from several other convictions for faking evidence. However NYS troopers are, as a group, ethical.

    But, fingerprint readers do look cool.

  25. Re: another name by hackwrench · · Score: 1

    For? Or are you in violation of the law, Mr. "nospam007"?

  26. Using conductive ink... by denzacar · · Score: 1

    ...in an inkjet instead of a laser printer.

    Presumably, as it is not stated in the paper as an issue per se, this method should get around safeguards intended to prevent using printouts - by requiring the fingerprint to be conductive to electricity.
    Which would probably work with a wet printout as well.

    --
    Against stupidity the gods themselves contend in vain
  27. Re: First Post! by Anonymous Coward · · Score: 0

    Those would be valid follow up questions. It has nothing to do with fanboy-ism. The first question is still germane as it answers whether there is a fundamental difference in the sensors. The new technique is faster to perform than the one used to compromise the iPhone's sensor.