Your phone's fingerprint sensor is more vulnerable than you think
Biometric technology has been a game-changer for smartphones. With authentication using physiological characteristics, like fingerprints, we can keep our devices safer than we ever could with behavioral alternatives, like pin codes, passwords and patterns, which are often predictable or easy to hack.
But a study from researchers at New York University and Michigan State University has found a vulnerability in biometric systems: They can be fooled by similar fingerprints.
Identical fingerprints are rare, if not nonexistent. But sensors on smartphones are too small to process full prints. Instead, handsets scan and save several partial prints of a finger. When a user tries to authenticate a print, smartphones require just one partial print match to succeed. In this process lies the security loophole.
The researchers hypothesized that within the population, there could be characteristics of fingerprints that are more commonly found than others. Identifying these commonalities can help hackers create a "MasterPrint" to gain access into devices.
Nasir Memon, study co-author and computer science professor at NYU's Tandon School of Engineering, says the MasterPrint would be the equivalent of a hacker using the password "1234" in a pin-based system. "About 4% of the time, the password 1234 will be correct, which is a relatively high probability when you're just guessing," said Memon in a statement.
Memon and the study's other authors — NYU postdoctoral fellow Aditi Roy and Michigan State computer science professor Arun Ross — analyzed 8,200 partial fingerprints to find an average 92 potential MasterPrints for every 800 partial prints.
They defined a MasterPrint as one that matched at least 4% of other prints in a randomly sampled group. When they expanded their query to full prints, the team found one MasterPrint for every 800 full prints. "Not surprisingly, there's a much greater chance of falsely matching a partial print than a full one, and most devices rely only on partials for identification," said Memon.
An algorithm was able to take partial prints and create a synthetic partial MasterPrint — a fake digital fingerprint — that has higher odds of being able to bypass a biometric security system. The artificial MasterPrints could match up to real prints up to 65% of the time in computer simulations. The researchers admit, however, that in real life, this measure would be lower. Memon says the study's findings suggest one could access 40 to 50% of iPhones within five tries using a MasterPrint.
Ensuring that these devices aren't at such a high risk of vulnerability is a job for smartphone manufacturers — they can create larger sensors or more sophisticated ones that scan full prints. But consumers can also opt for more secure biometric identifiers like iris scanning technology, which is offered in limited handsets like the newly released Samsung Galaxy S8.
Facial recognition, on the other hand, may sound futuristic, but it's actually believed to be less secure than fingerprint scanning.
While there's no reason to frantically shy away from using your smartphone's fingerprint sensor, the broader takeaway from this study is the potential security risk with this form of biometric technology.
"It's almost certainly not as worrisome as presented, but it's almost certainly pretty darn bad," Andy Adler, a professor at Carleton University in Canada who studies biometric security systems, told the New York Times. "If all I want to do is take your phone and use your Apple Pay to buy stuff, if I can get into 1 in 10 phones, that's not bad odds."