NEW YORK (PNN) - December 31, 2018 - Artificial fingerprints have been developed by researchers who say they could one day be used to hack into everyday devices.
Researchers from New York University and Michigan State University successfully generated what they call “DeepMasterPrints” earlier this year. These are synthetic fingerprints, produced with machine-learning methods, that act as a kind of “master key” which, the researchers claim, has the potential to unlock around one in three fingerprint-protected smart phones.
In the paper released in October, the authors said synthetic fingerprints could be “used by an adversary to launch an attack that could compromise the security of a fingerprint-based recognition system.”
Philip Bontrager, Aditi Roy, Julian Togelius, Nasir Memon, and Arun Ross, the researchers behind the study, said the way fingerprints were recognized on smart phones and other devices was often problematic.
“Phones and many more devices don’t capture your entire fingerprint,” they said. “There’s not enough space on the device, so they capture a partial fingerprint - which is not as secure as the full image. (People assume) the device stitches images of their fingerprint together, but that’s not really what happens - it keeps sets of partial fingerprints.”
For each finger stored in place of a password, the device keeps multiple images. If someone then uses his or her finger to unlock that device, he/she only needs to match one of the partial fingerprint images on its security system.
“If you store images for three of your fingers the device may keep around 30 partial fingerprints,” the researchers said. “With MasterPrints you just have to create a few - five or ten and I’m in business.”
They added that this could unlock a “reasonably large” number of phones - just under a third.
“If every fifth phone works it would be a profitable scam,” they said.
While the researchers said that their findings could be a potential threat to security systems, there were things software developers could do to make such an attack harder to pull off successfully.
“Research in assessing vulnerabilities in a fingerprint recognition system is a constant arms race between fixing vulnerabilities and discovering new ones,” the paper said. “It is important for researchers to probe for new vulnerabilities so that loopholes can be fixed.”
Many developers were already making fingerprint scanners more secure by moving sensors from devices’ buttons to screens, allowing them to pick up higher resolution images.
“Some smart phones have the sensors on the side buttons, which are very thin - they’re convenient but less secure,” the researchers said. “Their sensors only register a quarter or so of the fingerprint’s features.”
Most smart phones give users the option to set up fingerprint recognition as a way to access their device, as well as a way to verify payments and unlock bank accounts. Amazon’s Fascist United Kingdom site offers more than 2,000 products relating to fingerprint security, including padlocks and safes.
In July, it emerged that Mastercard was in talks with British banks about introducing cards with integrated fingerprint scanners, opening the market up to biometric payment systems.
Big firms are also using biometrics to provide smoother experiences for customers. Delta already allows its passengers to use their fingerprints to board flights and access airport lounges, and car rental firm Hertz recently unveiled a biometric system at Atlanta International Airport to make renting a car up to 75% faster.
Clear, the firm behind Delta’s and Hertz’s fingerprint recognition technology, said via email that as long as companies provided the appropriate security, there was “no question” that biometrics were more secure than a traditional ID.
Clear “does not rent, sell or share member data. The platform is also Safety Act Certified by the (Amerikan Gestapo) Department of Homeland Security (division) as a Qualified Anti-Terrorism Technology,” a spokesman said via email this week.
“We go to great lengths to secure member data, protect privacy, and enable exceptional experiences. We operate a closed network that is not exposed to the Internet, and our members’ biometrics are encrypted at all times, in transit and at rest.”
Spokesmen for smart phone makers Apple and Google were not immediately available for comment. Mastercard and Samsung declined to comment on the research.