Slashdot Mirror


Fake Fingerprints Can Imitate Real Ones In Biometric Systems, Research Shows (theguardian.com)

schwit1 shares a report: Researchers have used a neural network to generate artificial fingerprints that work as a "master key" for biometric identification systems and prove fake fingerprints can be created. According to a paper [PDF] presented at a security conference in Los Angeles, the artificially generated fingerprints, dubbed "DeepMasterPrints" by the researchers from New York University, were able to imitate more than one in five fingerprints in a biometric system that should only have an error rate of one in a thousand.

The researchers, led by NYU's Philip Bontrager, say that "the underlying method is likely to have broad applications in fingerprint security as well as fingerprint synthesis." As with much security research, demonstrating flaws in existing authentication systems is considered to be an important part of developing more secure replacements in the future. In order to work, the DeepMasterPrints take advantage of two properties of fingerprint-based authentication systems. The first is that, for ergonomic reasons, most fingerprint readers do not read the entire finger at once, instead imaging whichever part of the finger touches the scanner.

64 comments

  1. MAGA by Anonymous Coward · · Score: 0

    MAGA BITCHES

    1. Re: MAGA by Anonymous Coward · · Score: 0

      007 may disagree.

    2. Re:MAGA by Anonymous Coward · · Score: 0

      Blue wave, MAGAtard.

      Fake Presidents can't imitate real ones.

      Here's to ripping your shitgibbon out of office. Cheers!

  2. Re:Global Warming by Anonymous Coward · · Score: 0

    manbearpig!

  3. Didn't mythbusters already do this? by Anonymous Coward · · Score: 0

    Maybe not scientifically rigorous, but didn't mythbusters already demonstrate this?

    1. Re:Didn't mythbusters already do this? by LostOne · · Score: 1

      They did demonstrate that it isn't particularly hard to fool simple fingerprint scanners. I mean, they used a simple photocopy of a fingerprint. Granted, those were fairly simple scanners, but it isn't too hard to imagine similar techniques working with more advanced scanners. I've also seen some presentations by physical penetration testers that were able to lift fingerprints and fool fingerprint locks, though they often simply bypassed the reader altogether.

      --

      If it works in theory, try something else in practice.
    2. Re:Didn't mythbusters already do this? by mobby_6kl · · Score: 1

      A silicone molding works on TouchID and I assume other capacitive scanners. It might also be possible to lift a print off a shiny surface with a bit more luck/skill/equipment too: https://youtu.be/2u4ZLGsw1zo?t...

    3. Re:Didn't mythbusters already do this? by sjames · · Score: 2

      Also interesting, the most expensive one tested was the easiest to fool.

    4. Re:Didn't mythbusters already do this? by sjames · · Score: 1

      The mythbusters demonstrated copying a fingerprint known to be accepted by the scanner. This is a skeleton key created fingerprint that has about a 20% chance of working even if you don't have a fingerprint to copy.

    5. Re:Didn't mythbusters already do this? by Anonymous Coward · · Score: 0

      On top of that, has there been any rigorous study on how unique fingerprints actually are? Seems there must be "collisions", or prints so similar that, for any currently-realizable identification system, are effectively identical.

      Combine the ease of faking real prints for scanners, and likely effective matches.. being able to create a fake print that works is not surprising at all.

  4. Re:Global Warming by Anonymous Coward · · Score: 0

    I hope you understand that your anecdotal evidence does not disprove that the planet is dying. Sad.

  5. Fingerprints are lousy ID by Anonymous Coward · · Score: 1

    Can't change them. Can't revoke them. You leave a copy of them around on everything you touch. Why do people still use these for identification?

    1. Re:Fingerprints are lousy ID by Actually,+I+do+RTFA · · Score: 1

      There's even a commercial on TV now about how great the fingerprint password system is on their laptop... that they show off by having a child use your fingerprint while you're asleep. See, you don't even have to get woken up or supervise your kids to authorize them for whatever they want.

      --
      Your ad here. Ask me how!
    2. Re:Fingerprints are lousy ID by jargonburn · · Score: 2

      No, they're just fine for identification...just not for authentication.

  6. Prior Art by Anonymous Coward · · Score: 2, Insightful

    James Bond
    Myth Busters...

    It's been done. Finger print scanners are NOT secure.

    Having said that, I too have developed a "don't give a fuck attitude" towards the insecurity. It's just too convenient to touch my PC or phone and have it unlock.

    I use it. I know it's wrong, but...

    1. Re:Prior Art by Anonymous Coward · · Score: 0

      It's not wrong for your use case. If you were guarding top secret shit, maybe then. But you aren't.

    2. Re:Prior Art by phantomfive · · Score: 2

      The only reason I even lock my phone is because I don't want to pocket-dial anyone (or press other random buttons in my pocket). I don't lock my wallet, either.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Prior Art by phantomfive · · Score: 1

      Myth Busters...

      Myth Busters made a copy of a real fingerprint. These guys generated an image of a fingerprint that was close enough to unlock the phone.....without knowing what the original fingerprint looked like.

      That's why they call it the "master key" fingerprint....because it can unlock the phone like a ghost key. They used the adversarial neural network to find weaknesses in the fingerprint identification algorithm. Basically, some features of fingerprints are more common than others.

      --
      "First they came for the slanderers and i said nothing."
    4. Re:Prior Art by mobby_6kl · · Score: 1

      Sometimes it pays off to RTFA or even just the summary, doesn't it.

      I haven't really considered fingerprints to be very secure to begin with, due to the possibility of copying the prints or even just some goon forcefully pushing your thumb into the scanner. Still, it was "good enough" for most cases and to CYA from the corporate overlords who require the phone to be locked. This just makes it completely useless against any professional attacker and maybe even Joe Blow the phone thief, if the method can be reasonably easily replicated.

    5. Re:Prior Art by Anonymous Coward · · Score: 0

      James Bond Myth Busters...

      It's been done. Finger print scanners are NOT secure.

      Having said that, I too have developed a "don't give a fuck attitude" towards the insecurity. It's just too convenient to touch my PC or phone and have it unlock.

      I use it. I know it's wrong, but...

      Define 'secure', it's a relative term. These fingerprint scanners are probably not good enough to stand up to a determined effort by the CIA or NSA technical department to gain access. Those guys have the time and the resources to lift your print from the sensor, create a simulated finger with a latex print on it and use that to fool the fingerprint scanner. However, I don't rely upon these things to thwart the CIA or NSA, I'm happy if a fingerprint scanner is hard enough to crack to thwart the average phone thief. If that ever becomes an issue the iPhone at least allows for a long random alphanumeric password. It would be annoying as hell to use but it would be pretty hard to brute force the password. Anybody trying to access the phone would probably be better off trying to use a zero day vulnerability to hack and own it remotely.

    6. Re:Prior Art by dgatwood · · Score: 1

      Pretty much, yeah. The biggest flaw in the security of modern phones is that it is binary. You either have full access to the device or you don't.

      On my laptop, I can create encrypted volumes that provide restricted access to things like financial records, and use different passwords. The fingerprint reader can't provide access to those.

      I can even put entire applications inside those containers, if there were some valid reason to do so, and symlink the apps' sandbox container directories into the encrypted volume.

      When cell phones have similar levels of configurability —when I can lock down an app or specific files within an app and require additional security for those apps or files — I'll take cell phone security seriously. Until then, I pretty much assume that anything on a mobile device might as well be on a postcard stapled to the back of my shirt, and treat the device accordingly.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    7. Re:Prior Art by rtb61 · · Score: 1

      Consider the security difference between a passphrase and a fingerprint. You can use different passphrases for different sites but your fingerprint, give it away once to some fuckhead corporation and they have it for life and it can be sold to whomever wants to buy. So yeah, password has been compromised change it once at that location, so what the fuck do you do if your fingerprint has been compromised, for the rest of your fucking life, hmmm.

      --
      Chaos - everything, everywhere, everywhen
  7. Re:Global Warming by Anonymous Coward · · Score: 0

    Dear 45,
    I'm sorry to hear the 10 inches of Golden Showers in your driveway is not to your liking.

    Sincerely,
    Putinesca

  8. There are a few fingerprint generation algorithms by Anonymous Coward · · Score: 0

    Here are some specular holographs made from computer generated fingerprints: http://www.zintaglio.com/natur...

  9. I'm sure governments have known this for awhile by Glarimore · · Score: 1

    I'm sure some governments have known this for awhile. I wonder how many people have been framed? And how would you ever prove your innocence?

    I have similar worries in regard to the proliferation of 'deep fakes' and other methods of realistic video editing that is indistinguishable from original recordings.

    I imagine we will deal with these issues to the best of our ability as time goes on, but "Damn future, you scary!"

    1. Re:I'm sure governments have known this for awhile by Anonymous Coward · · Score: 0

      In a sane world, we stop accepting audio/video recordings as evidence, as one can edit them so well "god himself" can't tell the difference. Progress has only changed things to make it so easy a skiddie can do it.

    2. Re:I'm sure governments have known this for awhile by rgmoore · · Score: 1

      I wonder how many people have been framed? And how would you ever prove your innocence?

      I don't think this would be very helpful for framing anyone; the goal is completely different. The goal when framing somebody is to create a unique match, while this technique creates a fingerprint that matches something like 20% of the database. If you could manage to plant one of these fingerprints, it might well match the person you're trying to frame, but it would match many other people who you aren't trying to frame, too. That would actually create reasonable doubt rather than remove it.

      --

      There's no point in questioning authority if you aren't going to listen to the answers.

    3. Re:I'm sure governments have known this for awhile by Actually,+I+do+RTFA · · Score: 1

      Fingerprint analysis is normally limited to returning a "match"/"no match" on the suspect. So, if you didn't have an example of the fingerprint, it's a 20% chance of working.

      --
      Your ad here. Ask me how!
    4. Re:I'm sure governments have known this for awhile by rgmoore · · Score: 1

      Actually, fingerprint evidence is used in a number of ways. One way is to get a match vs no match on the suspect. Another way is to query a fingerprint database to find a list of possible suspects. The key is that the defendant is allowed to have their expert look at the evidence, so the person trying to frame them can't control and make sure it's only used for match/no match. If the defendant's expert uses it to query the database and finds it's a match to 20% of the fingerprints there, you have instant reasonable doubt.

      --

      There's no point in questioning authority if you aren't going to listen to the answers.

    5. Re:I'm sure governments have known this for awhile by Actually,+I+do+RTFA · · Score: 1

      That's true, if the person you're framing has resources. Otherwise, it works 20% of the time. And given that something like 1/4 of Americans cannot put together $400 in an emergency, you have an 8% chance of it working.

      --
      Your ad here. Ask me how!
  10. You Mean Authentication Factors That by Anonymous Coward · · Score: 0

    Consist of shit that you leak every single second of your life, aren't susceptible to forgery?

    Whoa this is heavy!

  11. Along similar lines... by nuckfuts · · Score: 1

    It may also be worth noting that today's cameras have enough resolution to reveal your fingerprints when you flash a peace sign in a photo, for example.

    1. Re:Along similar lines... by BlackOverflow · · Score: 0

      But not if you flash the bird!

  12. Ahead of the curve by Tablizer · · Score: 1

    Maybe the Orange Dude is right: everything is becoming fake, rigged, and/or bugged.

    He's not paranoid, he's a profi...prophet.

  13. This should sort of be obvious by Anonymous Coward · · Score: 0

    Whatever algorithm is used to turn an input fingerprint reading into data can easily be fed generated input data to create new fingerprints. Let's say you start from a copy of the raw input data of one person's finger. Just add a swirl or move a line and generate it into fingerprint data and tada, a new finger entered into your database.

    Sure, there are many ways this logic could fail but if you go about it in the right way it's completely easy. A single person could probably generate one real fingerprint and at least 10 "fake" ones just by messing with their finger in ingenious ways. Covering a tiny droplet of finger with melted gummy bear; moving the droplet around, etc. Doing it with a computer is just as straightforward.

  14. Research shows? by glenebob · · Score: 2, Insightful

    What the hell was wrong with "common sense shows"? It's a hell of a lot cheaper.

    1. Re:Research shows? by Anonymous Coward · · Score: 0

      If it's so "common sense" that you can create master key prints, why are fingerprints even used as a form of identification? A lot of fingerprints that get lifted contain not only smudges (because of how they're deposited in the first place) but are partial prints. That amounts to a lot of claims about the accuracy of fingerprints seeming like complete bullshit. Seriously, someone wearing a glove with some of these master key prints would be a complete mess. It's the same reason one has to wonder about eyewitness identification, where a lot of people look similar and police likely already have a list of suspects for which eyewitnesses does more to just pick them out of the list.

      Maybe the Joker wasn't a Super Villain who was at 20 places at once committing various crimes. Perhaps Batman just couldn't look further than what "blurry white guy on utter shit security cameras".

    2. Re:Research shows? by Anonymous Coward · · Score: 0

      Because so-called common sense tells you that the earth is flat, that whales are fish, and that no-one will ever be able to break your amazing security device because you can't think of a way to break it right now.

    3. Re:Research shows? by yarbo · · Score: 1

      A lot is wrong with it. How hard is it? What information do you need? Can anything change with storage or reading to fix it? What? Your common sense doesn't take you far when it's right, and when it's wrong, it's even worse. https://www.newscientist.com/a... - here's a whole list of examples of common sense leading researchers astray. In short, common sense is easy when you already know the answer.

  15. This needed research? by cshark · · Score: 1

    Why did this need to be researched? We've known about this as long as we've had the technology.

    --

    This signature has Super Cow Powers

  16. Next thing you know, FaceID will be hacked by WillAffleckUW · · Score: 1

    Oh, wait, it already is.

    Look, the main problem is one of tuning. Fingerprints are just 3D printed objects, and many scanners aren't that bright. In the old days we could just do a ridge pattern on plastic to throw them, now we have to emulate the ridges for the fancier detection devices. Still takes us less than 60 seconds, of course.

    --
    -- Tigger warning: This post may contain tiggers! --
  17. ZIP = "better programmer" (lol, not) by Anonymous Coward · · Score: 0

    You said it ZIP: Where's your work everyone can see/use? It's not. It's HOTAIRWARE/NOTWARE (lol) "I'm a much better programmer than APK" - by Anonymous Coward ZIP on Monday October 08, 2018 @11:27PM (#57449082) FROM https://yro.slashdot.org/comme...

    The BETTER PROGRAMMER w/ no programs, lol - @ least you can say your "code" has NO BUGS - of course, it also does ZERO (like you) since it does nothing @ all, lol!

    You hotair BLOWHARD talker, lol!

    You f'd up ZIP https://tech.slashdot.org/comm...

    Yet 100,000++ users of my ware & dozens of even REGISTERED /.ers like/use/praise MY work https://news.slashdot.org/comm... vs. your HOTAIR talk punk!

    * LMAO!

    (Let's see how YOU take it when I publicly SHIT ALL OVER YOU by letting FACTS of YOUR FUCKUPS vs. ME https://science.slashdot.org/c... do the job for me)

    APK

    P.S.=> You STUPID & LAZY all talk chimpanzee - KEEP IMPERSONATING me https://science.slashdot.org/c... - I'll expose your BLOWHARD INCOMPETENCE publicly, lol... apk

  18. Deep vein scan by markdavis · · Score: 1

    >"Fake Fingerprints Can Imitate Real Ones In Biometric Systems, Research Shows"

    Which is one of MANY reasons why fingerprints should not be used for "real" security- it isn't really secure.

    Further, using fingerprints (or worse, DNA) and allowing a third-party to have access to that data is unacceptable. Not only because the government and big business should have no need to indiscriminately track what people are doing all the time but because they should not have fingerprint registration data (which will be horribly abused).

    Stand up for your rights (and the rights of your children and future generations). Once you give this data to the government or big business, it will NEVER be erased or restricted, regardless of claims, policies, or laws- it will go into huge databases and shared between agencies and used however they want for as long as they want. Even worse, with every crime investigation, you will be searched without probable cause. It is a genie that can't be put back into the bottle.

    Fingerprints are something you leave all over the place all the time. They are easy to lift, copy, and forge. Easy to fake, easy to use to frame people. Time after time they have been shown to be poor for security and yet very effective at tracking people.

    DNA is even worse. Like fingerprints, you leave it all over the place all the time. Samples can be lifted and planted and analyzed. DNA is more than a means to ID, it contains very sensitive information about you.

    Iris scan is better than DNA or fingerprints- there is no leaving your iris image all over, and it doesn't say that much about you. But your eyes (iris, not retinal) could be scanned without your permission by any high resolution camera pointed at your face, even your own phone.

    There is only one safer and practical biometric I know of right now- that is deep vein palm scan. That registration data cannot be readily abused. It can't be latently collected like DNA, fingerprints, and face recognition can. You have to know you are registering/enrolling when it happens. You don't leave evidence of it all over the place. When you go to use it, you know you are using it every time. And on top of all that, it is accurate, fast, reliable, unchanging, live-sensing, and cheap. If you must participate in a biometric, this is the one you should insist on using.

    Example/info: http://www.m2sys.com/palm-vein... https://www.imprivata.com/why-...

    Now, it might not be suitable for phones, but for anything else that requires real security (and privacy as a major bonus), I think deep vein palm scan is a great idea.

    1. Re:Deep vein scan by Anonymous Coward · · Score: 0

      "There is only one safer and practical biometric I know of right now- that is deep vein palm scan."

      No harder to fake than a finger print. Just a bit harder to get the raw data... but then there is Windows for allowing that...

      There is NO biometric method that cannot be faked.

    2. Re:Deep vein scan by markdavis · · Score: 1

      >No harder to fake than a finger print. Just a bit harder to get the raw data...

      That is incorrect on both counts. It is much, much, much, much harder to get the raw data or fake for a variety of reasons. Not the least of which is that people don't normally have their palms in contact with things as much as fingers, and don't have them facing outwards towards possible collection devices and can't just leave deep vein patterns lying around for people to collect. And the thermal imaging being done needs to be done close-up because of the only slight difference of temperatures needed to gather the data of the veins under the entire epidermis and perhaps other tissue. Faking this, even if you have the data, is also orders of magnitude more difficult. It isn't just an image, it is all thermal. So you would have to present a "fake" thermal image that is not only correct as a pattern, but correct as a difference between surrounding tissue temperatures.

      >There is NO biometric method that cannot be faked.

      That is, of course, true. Which is why I said "safer and practical", I didn't say "safe" or "perfectly secure." It does appear to be the "best" option, by far, compared to what is currently used and what is practical to possibly use.... and I have seen it in action and used it myself; I was very impressed.

  19. Interesting by Anonymous Coward · · Score: 0

    "were able to imitate more than one in five fingerprints in a biometric system that should only have an error rate of one in a thousand. "

    That sounds a lot shittier than I expected. Doesn't that mean there are millions of people that could unlock your phone?!?

    The NSA doesn't need better tools then, they just need to hire another million or so 'consultants' :O

  20. No News for Nerds in that... by Anonymous Coward · · Score: 0

    ...maybe all those IDIOTS who still think biometrics is THE ultimate solution for access control will listen now... ...but again they are MORONS so they probably won't.

  23. Zach Patterson / ZIP "Greatest Hits" (lol, not) by Anonymous Coward · · Score: 0

    See how STUPID "ZIP" (Zach Patterson) the CHIMP is (tried to take credit for what I solved before him) https://tech.slashdot.org/comm... (he needs to LEARN TO READ)!

    I even SHOW ways to do it YOURSELF https://tech.slashdot.org/comm... (he couldn't).

    Delphi/FreePascal/ObjectPascal HAS no issue w/ null-term'd string bufferoverflows - C does, C++ can UNLESS you do what I said 1st loser.

    Tell us about CODE SIGNING (which has been STOLEN & ABUSED) https://www.helpnetsecurity.co... MY METHOD CAN'T BE (upmodded +2 INTERESTING in CODING FOR DEFCON no less) https://it.slashdot.org/commen...

    "I'm a much better programmer than APK" - by Anonymous Coward ZIP on Monday October 08, 2018 @11:27PM (#57449082) FROM https://yro.slashdot.org/comme...

    BIG TALK - Yet ZIP has nothing to show in programs. I can https://news.slashdot.org/comm... from registered /.ers liking/using/praising my work (& 100k users worldwide too). He can't.

    LIAR ZIP says he has no account "I don't have an account, so I don't have mod points" https://news.slashdot.org/comm...

    Yet LIAR ZIP says he downmods my posts (IMPOSSIBLE MINUS AN ACCOUNT on /.): "I down-modded a few of your post on other threads" - by Anonymous Coward "ZIP" on Thursday October 11, 2018 @11:31AM (#57461058) FROM https://yro.slashdot.org/comme...

    APK

    P.S.=> KEEP IMPERSONATING ME CHIMP https://science.slashdot.org/c... - this comes out every time EXPOSING your BLOWHARD incompetence... apk

  24. 3D ultrasonic fingerprint by Anonymous Coward · · Score: 0

    https://tech.slashdot.org/story/15/07/03/2055232/3-d-ultrasonic-fingerprint-scanning-could-strengthen-smartphone-security

    Maybe this tech would solve the problem.

  25. This is not a password this is an ID by uulbri · · Score: 1

    The fundamental issue with biometrics is that people tend to think they represent a kind of security token (an idea actually pushed by greedy companies whose only goal is to sell you more of their useless stuff under the umbrella of "innovation").
    It is clearly not! This is simply an easier/convenient way to identify yourself, the equivalent of your good old login name. Full stop. Any attempt to use biometrics beyond this point is just utterly stupid.

  26. Let's Try to Keep Up With the Terms by Anonymous Coward · · Score: 0

    Today I have about 10 inches of Anthropogenic Climate Change in my driveway and it's still coming down.

    Don't worry. I fixed it for you.

    But, otherwise, yeah, we don't normally get this much this early in the season. Seems like it's throwing everything in disarray, doesn't it?

  27. Re:Global Warming by Anonymous Coward · · Score: 0

    Next up on the Republican ticket? Prolly do a better job than the piece of shit we got now.