Fake Fingerprint Stickers Let You Access a Protected Phone While Wearing Gloves

A new Kickstarter campaign aims to sell you fingerprint stickers that, when applied to a pair of gloves, allow you to unlock a mobile device that's protected with a fingerprint scanner. The sticker is powered by Nanotips and is "made with an extremely adhesive conductive material that can be applied to any surface for touch capability." Gizmodo reports: You can of course still access a fingerprint-secured smartphone using regular touchscreen-friendly gloves by simply punching in your passcode on-screen, but why should we have to give up the convenience of a feature like Touch ID for months on end just because it's cold outside? We shouldn't, and these Taps stickers will allow you to use your mobile device's touchscreen and fingerprint reader, for unlocking your phone or making a purchase, even while your actual fingers (and fingerprints) are being kept warm and toasty inside a glove. After applying a textured stick to the tip of your glove, you just have to register it as an approved fingerprint using your smartphone's security settings. You might assume this would mean that anyone with a Taps sticker on their gloves could access anyone else's protected phone. But according to its creators, using nanoparticle technology every single Taps sticker has an individual and unique artificial print ensuring that only your gloves can access your device. That being said, there is still the risk of someone stealing your gloves, which is easier than stealing your fingerprints, so you'll have to weigh the security risks introduced versus the added convenience these offer.

Re: pick one: convenience, privacy

[justcauseisjustthat]

Every time I get pulled over or whatever, I force reboot my phone to require passcode.

Knows nose

[cwatts]

In cold weather I register the end of my nose as a fingerprint. It works! And the feds will never figure it out, they can try all my fingers and still not get in.

If you want to keep finger functionality, use your imagination- the back of a knuckle or the side of a thumb are just as unique as a fingerprint, and work just as well.

Unlocking ones phone with one's nose will occasionally be met with wisecracks- trying to operate a phone with a nose will probably get you beaten up or arrested. So be careful :)

cw

Re:Knows nose

[ledow]

It just makes me question the uniqueness being measured (we know fingerprints are "unique" enough for convictions, but if your nose passes muster to a fingerprint reader as a valid fingerprint, surely it's not measuring that much uniqueness in the first place?). Noses just don't have unique, large, raised, patterning like fingerprints do. You can SEE and FEEL fingerprints, that's how large the features are. You can't see much difference between one squished nose and another.

All this tells me is that fingerprint readers on smartphones are naff toys. And I don't for a second buy the "it depends on the glove used" tripe either.

I looked into a fingerprint reader that schools were using for access. It turns out to be a scanner. With some Linux tools and jiggery-pokery you can pull out a black-and-white scanned TIFF from the sensor, which just feeds it into software which does the "uniqueness" bit (finding edges and comparing corner points, mostly).

So I printed out the TIFF, swiped that, and it accepted it. I'm sure they've come on leaps and bounds since, but they are still susecptible to the same old attacks. You don't need to find "a finger that's correct", just a sufficiently convincing model of that finger. That can be anything from a flat piece of paper, to a PCB-etched one, to some gummi bears moulded from that. But still, outside of humongously expensive things, nothing really that good at detecting fakes.

The heartbeat sensor in my phone uses the colour of the skin to measure heartrate "accurately enough". It's literally just a colour sensor, like a scanner, with sufficient red illumination to make your pulse "visible". That could easily form another part of a smartphone fingerprint sensor. And would STILL be just as susceptible to, say, a smartphone display showing the fingerprint and red-pulse that it expects.

It's the analogue hole all over again. If you can copy the data stream sufficiently, you don't need the original any more.

And that just makes fingerprints worthless.