
Watch the science progress…

 

This is what I was saying yesterday at a cybersecurity conference about biometry (https://zero-day.ch/): in particular, that using a small sensor (10x10mm) in a biometric payment card, or an even smaller one in a smartphone, is risky, because a small partial print has a much higher chance of fortuitously matching an unknown user, as it contains only a limited number of distinctive features.

However, "more chance" was expected to remain rather safe if the device security setting was high enough.

Until the day after, when news went out that New York and Michigan State University researchers had managed to build a kind of "universal biometric unlocker", the DeepMasterPrint, exploiting (among other things) this same weakness.

http://www.planetbiometrics.com/article-details/i/9720/desc/masterprints-used-to-hack-fingerprint-systems/

If we put aside anti-spoofing issues, fingerprint identification is normally a very interesting modality because two fingers are never the same, even for twins, and the feature points remain quite constant over time. However, this property only holds for the full image, or at least a significant part of it. If a good fingerprint generally has 50-100 minutiae, and you use a very small sensor that will only "catch" 10-20 of them, you are obviously looking for trouble. In addition, a partial scan can match any part of the fingerprint, because the algorithm doesn't know where to look, which further increases the chances of getting a false match.

3 partial prints: 3 chances to match with the same reference
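To put rough numbers on this argument, here is an added example (not taken from the research paper or from any vendor's matcher). It uses a toy model whose assumptions are mine: each captured minutia agrees with an impostor's by chance independently with probability `p_agree`, a comparison passes when at least `threshold_pct` percent of the captured minutiae agree, and every stored partial, placement and try is an independent comparison.

```python
from math import comb


def chance_match(minutiae, p_agree=0.1, threshold_pct=40):
    """Probability that one impostor comparison passes (toy binomial model).

    minutiae      -- number of minutiae the sensor captured
    p_agree       -- assumed chance that a single minutia agrees by accident
    threshold_pct -- assumed share of captured minutiae that must agree
    """
    need = (minutiae * threshold_pct + 99) // 100  # integer ceiling
    return sum(
        comb(minutiae, k) * p_agree**k * (1 - p_agree) ** (minutiae - k)
        for k in range(need, minutiae + 1)
    )


def device_rate(per_comparison, templates=1, placements=1, tries=1):
    """Probability that at least one comparison passes on the device.

    Every stored partial template, every candidate placement and every
    allowed try is one more independent chance of a false match.
    """
    comparisons = templates * placements * tries
    return 1 - (1 - per_comparison) ** comparisons


def required_per_comparison(target, templates=1, placements=1, tries=1):
    """Per-comparison rate needed to keep the device-level rate at target."""
    comparisons = templates * placements * tries
    return 1 - (1 - target) ** (1 / comparisons)


if __name__ == "__main__":
    for m in (15, 30, 75):  # small sensor ... full print
        print(f"{m:3d} minutiae -> per-comparison rate {chance_match(m):.2e}")
    # 0.1% per comparison, 3 stored partials, 5 tries (the usual limit)
    print(f"device-level rate: {device_rate(0.001, templates=3, tries=5):.4f}")
    print(f"needed per comparison: {required_per_comparison(0.001, 3, 1, 5):.2e}")
```

The absolute values depend entirely on the assumed `p_agree`; what carries over is the trend, with the rate falling steeply as more minutiae are captured and rising with every extra stored partial or allowed try.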


 

DeepMasterPrint

The DeepMasterPrint raises this risk to a previously unknown level, by generating a single "super-image" that has a significant probability of matching any user's finger!


Blurry, but efficient.

What is especially interesting is that it can be computed from scratch, using existing fingerprint databases, and the generated image can be directly transferred to a silicone fake finger. Tests showed that this artifact is then able to match with a remarkable efficiency of up to 20% at standard configuration (accepted reject rate = 0.1%), in just one single try!

That means that you now have ONE chance out of FIVE to unlock any smartphone.

 

This new form of attack builds on a previous paper from April 2017. It has been improved to be more efficient, especially in order to work with a single try instead of five (the usual limit), while achieving the same performance (note that trying five times with the new algorithm will not do better).

 

The end of fingerprint biometry in smartphones?

 

Probably not, for a number of reasons.

 

First, this is a research paper and the "magic" image is not provided (in significant quality); complex work needs to be done before starting a practical attack.

Second, it is a digital-domain attack: we submit images to algorithms and see what happens. In real life, you still have to build the fake finger to apply to the sensor, and that will make some difference as well.

However, the main point is that this remarkable result targets a specific algorithm, and tests have shown that when applied to other implementations, the success rate drops significantly (3-4% in the paper). As algorithms become more and more efficient and complex, there is little chance that the same result will be achieved in commercial smartphones using proprietary software. All of that brings us back to a much less impressive risk level of only a few percent, which is still significantly higher than pure luck.

Except if science advances again?

 

Software technology...

 

This paper shows us that essential work on hardening recognition algorithms should be started now, with a different approach than brute performance, before a wide attack on smartphone security arises.
 
It seems that until recently, biometric authentication security was mainly handled by improving recognition efficiency, in order to have algorithms able to function at a really low false acceptance rate, based on real users' fingers. This "feed-the-algorithm-with-as-much-user-data-as-possible" approach is rather different from actively searching for implementation vulnerabilities, using computer-generated images and neural networks.
However, this active search will be difficult to carry out, as today's algorithms are all different, not even working on the same base data, and each of them will require a specific approach...

 

And hardware technology



Also, the next move in smartphone sensors could be bigger in-display sensors, or even ultrasonic ones, generating 3D images that will probably be much more resistant to this kind of attack. When this technology (already present on some models but not yet on Apple or Samsung) is mature enough, fake finger building will become a real challenge...

 
Nevertheless, as older smartphones will still be around for a while, will we perhaps see new ready-to-use implementations (aka "universal fake fingers") sold on the black market, allowing would-be hackers to test their skills in the wild?
 

Fake finger Masterprint One size fits all.

 

Interesting times.