Slashdot Mirror


Researchers Develop Master Fingerprints That Can Break Into Smartphones (digitaltrends.com)

Researchers at New York University and Michigan State University have recently found that the fingerprint sensor on your phone is not as safe as you think. "The team has developed a set of fake fingerprints that are digital composites of common features found in many people's fingerprints," reports Digital Trends. "Through computer simulations, they were able to achieve matches 65 percent of the time, though they estimate the scheme would be less successful in real life, on an actual phone." From the report: Nasir Memon, a computer science and engineering professor at New York University, explained the value of the study to The New York Times. Modern smartphones, tablets, and other computing devices that utilize biometric authentication typically only take snapshots of sections of a user's finger, to compose a model of one fingerprint. But the chances of faking your way into someone else's phone are much higher if there are multiple fingerprints recorded on that device. "It's as if you have 30 passwords and the attacker only has to match one," Memon said. The professor, who was one of three authors on the study, theorized that if it were possible to create a glove with five different composite fingerprints, the attacker would likely be successful with about half of their attempts. For the record, Apple reported to the Times that the chance of a false match through the iPhone's TouchID system is 1 in 50,000 with only one fingerprint recorded.

29 comments

  1. Phones aren't secure anyway by Anonymous Coward · · Score: 0

    Let's be honest, Android is incredibly vulnerable. A really secure fingerprint lock on an Android phone is like putting ten different locks on the back door of your house while leaving the front door open.

    1. Re:Phones aren't secure anyway by peragrin · · Score: 2

      Not quite. A fingerprint on Android is like closing all the doors and windows with regular locks. Someone can smash a window or pick a lock, but it does take some work.

      It is no vault, but then again the average person leaves their wallet just lying around their home too.

      --
      i thought once I was found, but it was only a dream.
  2. "though they estimate the scheme would be less su" by Anonymous Coward · · Score: 0

    "ccessful in real life, on an actual phone."

    They... didn't try it on an actual device? Eh?

  3. Whaaaaat? by 93+Escort+Wagon · · Score: 3, Insightful

    "they were able to achieve matches 65 percent of the time, though they estimate the scheme would be less successful in real life, on an actual phone."

    So... much ado about nothing?

    --
    #DeleteChrome
    1. Re:Whaaaaat? by Anonymous Coward · · Score: 0

      65 percent in a simulation, that's about a triple orgasm for a mathematician...

    2. Re:Whaaaaat? by Anonymous Coward · · Score: 1

      Would you be happy with a car that someone could start from a 'master key' 65% of the time? What about 33%, half that? Would you be fine with 10%?

      The fact that a small set of fake fingerprints can unlock a third or more of all phones in the real world is a disaster for the pretense of using fingerprints as a security measure. It's not much ado about nothing - it's much ado about everything you are trying to protect.

    3. Re:Whaaaaat? by Opportunist · · Score: 1

      Yeah, but she's faking it.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Re: "though they estimate the scheme would be less by Entrope · · Score: 2

    Maybe they did, and got awful results. Researchers play funny games with what they choose to publish or not publish.

  5. Re: "though they estimate the scheme would be les by Anonymous Coward · · Score: 0

    Doctors say that Nordberg has a 50/50 chance of living, though there's only a 10 percent chance of that.

  6. Fingerprints are not secure. by gurps_npc · · Score: 5, Interesting

    1) You leave perfect copies of them all around you.

    2) Anyone that has possession of your body can instantly take them.

    3) The police maintain huge records of many people's fingerprints and do NOT keep them secure.

    4) You can not change it if it becomes compromised.

    5) Sensors that detect them are not very accurate and make little if any attempt to prevent false copies (they don't check to see if they are body temperature or have the flexibility of human skin).

    --
    excitingthingstodo.blogspot.com
    1. Re: Fingerprints are not secure. by Anonymous Coward · · Score: 0

      What happens to your fingerprints if you are a transgender person taking hormones?

    2. Re:Fingerprints are not secure. by Anonymous Coward · · Score: 0

      4) You can not change it if it becomes compromised.

      Your Admin can reset your password. Jack Bauer can reset your fingerprints...

    3. Re:Fingerprints are not secure. by mrchaotica · · Score: 4, Insightful

      In other words, fingerprints can be replacements for usernames, not passwords! Identification, not authentication.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    4. Re: Fingerprints are not secure. by Opportunist · · Score: 2

      Nothing. Did you expect them to grow a beard or something?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:Fingerprints are not secure. by Opportunist · · Score: 1

      Finally an insightful message and me lacking modpoints.

      You have NO idea how hard it is to get this piece of information into management skulls.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Fingerprints are not secure. by Anonymous Coward · · Score: 0

      Let me just swipe my me fingerprint to log in, oh I forgot, I need to do some admin stuff, no worries now I'll swipe my root fingerprint.

    7. Re:Fingerprints are not secure. by Anonymous Coward · · Score: 0

      I wouldn't want to be regularly fingerprinted by a computer or phone. This is the kind of security that is against its users, not for them.

    8. Re:Fingerprints are not secure. by Actually,+I+do+RTFA · · Score: 1

      Except I have far more than 10 (even 20 if you count toes) distinct usernames across various services that are not linkable to each other.

      --
      Your ad here. Ask me how!
    9. Re:Fingerprints are not secure. by mrchaotica · · Score: 1

      Hence my use of the word "can," not the word "should."

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  7. So, not that long ago by Anonymous Coward · · Score: 0

    To a guest I suggest password-protecting her computer logon. She thought that was a good idea, because she often leaves the laptop at home while she's away.

    I said, Pick something only you would know. And DON'T TELL ME. She thought about it for a while, and then she entered what she thought only she would know. It was a number. A SINGLE NUMBER! One digit. It took me a while to get her to understand why that was not a good password.

    1. Re:So, not that long ago by Bright+Apollo · · Score: 1

      Actually, that's pretty good.

      Who's going to enter a single digit for a password? Of course, *now* it'll be tried, but for average snoopers, that's pretty good.

  8. Re: "though they estimate the scheme would be less by Anonymous Coward · · Score: 0

    A simulation doesn't suffer from the effects of creating fake fingerprints, but offers somewhat idealized ridges and gaps.

  9. Revoke credential by manu0601 · · Score: 4, Insightful

    Biometric authentication is a bad idea most of the time, because once someone has managed to impersonate you, you cannot revoke authentication credentials: in other words, you cannot change your biometric fingerprint.

    1. Re:Revoke credential by Anonymous Coward · · Score: 0

      This is why I carry 19 spare digits with me at all times, just in case one gets compromised.

  10. 65 percent... by roc97007 · · Score: 3, Funny

    Just so happens that my company iPhone fingerprint sensor appears to be accurate about 65% of the time with *my* finger. If that's the success they're getting, I'd say they're doing pretty good.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    1. Re: 65 percent... by Anonymous Coward · · Score: 0

      Depends a lot on the configuration: if the system is using fingerprints to differentiate, say, 1000 employees from potentially millions of outsiders - and to identify you among that 1000 - then it will be configured very differently than if you enter your identity and the system only needs to decide if the fingerprint matches the one on file for that specific identity.

      That is, are the admins optimizing against false positives or false negatives in the matching algorithms?

  11. Good by Opportunist · · Score: 1

    Maybe then people will stop using part of their body as an authentication tool.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Good by Anonymous Coward · · Score: 0

      Maybe then people will stop using part of their body as an authentication tool.

      Any tool that allows humans to become even more lazy will never be abandoned.