Watch the science progress…


This is what I was saying yesterday at a cybersecurity conference about biometrics (https://zero-day.ch/): that using a small sensor (10 x 10 mm) on a biometric payment card, or an even smaller one in a smartphone, is risky, because a small partial print has a much higher chance of matching an unknown user by pure coincidence, as it contains only a limited number of distinctive features.

However, that "higher chance" was expected to remain acceptable as long as the device's security setting (its false acceptance rate) was strict enough.

Until the day after, when news broke that researchers from New York University and Michigan State University had managed to build a kind of «universal biometric unlocker», the DeepMasterPrint, exploiting (among other things) this very weakness.

http://www.planetbiometrics.com/article-details/i/9720/desc/masterprints-used-to-hack-fingerprint-systems/

If we leave anti-spoofing issues aside, fingerprint recognition is normally a very attractive modality: no two fingers are alike, even in identical twins, and the feature points (minutiae) remain fairly stable over time. However, this property only holds for the full image, or at least a significant part of it. A good full fingerprint typically has 50-100 minutiae; a very small sensor will only "catch" 10-20 of them, and with so few features you are obviously asking for trouble. In addition, a partial scan can match any region of the enrolled fingerprint, because the matcher does not know where to look, which increases the chances of a false match even further.

Figure: 3 partial prints, 3 chances to match the same reference.

 

DeepMasterPrint

The DeepMasterPrint raises this risk to a previously unknown level, by generating a single «super-image» that has a significant probability of matching any user's finger!

Figure: DeepMasterPrint. Blurry, but efficient.

What is especially interesting is that it can be computed from scratch, using existing fingerprint databases (the image is synthesised by a neural network trained on real prints), and the generated image can be transferred directly to a silicone fake finger. Tests showed that this artifact then matches with a remarkable success rate of up to 20 % at a standard security configuration (false acceptance rate = 0.1 %), in a single attempt!

On paper, that means ONE chance out of FIVE to unlock any smartphone running such a configuration.

 

This new form of attack builds on a previous paper from April 2017. It has been improved to be more efficient, in particular so that it works in a single attempt instead of five (the usual lockout limit), while achieving the same performance (note that five attempts with the new method will not do any better than one).
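To make the two arguments above concrete (fewer minutiae on a small sensor plus a matcher that does not know where to look, then several stored partial templates and several attempts before lockout), here is a toy model written for this article. It is an added example, not code from the original post, from the paper, or from any real matcher, and every number in it is an assumption: a per-minutia chance-coincidence probability q = 0.03, 50 minutiae for a good full print versus 15 for a partial one, 20 candidate alignments for an unregistered partial print, and a "3 templates x 5 attempts" device policy. The coincidence count at one alignment is modelled as Binomial(n, q) and the alignments as independent draws; real matchers are more complex, so only the orders of magnitude and the direction of the effects are meant to carry over.

```python
"""Toy model of chance (false) matches against partial fingerprint templates.

Added example, not code from the original post or from any real matcher.
Everything here is an assumption chosen to illustrate the argument:
  * q : probability that one probe minutia coincides (position and angle
        within tolerance) with some template minutia at one alignment,
        purely by chance
  * n : number of minutiae in the probe (50 for a good full print,
        15 for a small-sensor partial print)
  * t : number of coincidences the matcher requires to accept
  * K : number of candidate alignments tried because the matcher "does
        not know where to look" (K = 1 when the print can be registered
        on global features such as the core)
The count of coincidences at one alignment is modelled as Binomial(n, q),
and the K alignments as independent draws (an approximation).
"""
from math import comb


def binom_tail(n: int, q: float, t: int) -> float:
    """P[Binomial(n, q) >= t]: chance of at least t coincidences at one alignment."""
    return sum(comb(n, k) * q ** k * (1 - q) ** (n - k) for k in range(t, n + 1))


def false_match_rate(n: int, q: float, t: int, alignments: int) -> float:
    """Chance that a random impostor probe is accepted against ONE template
    when the matcher keeps the best of `alignments` candidate alignments."""
    p_one = binom_tail(n, q, t)
    return 1 - (1 - p_one) ** alignments


def threshold_for_fmr(n: int, q: float, alignments: int, target: float):
    """Smallest acceptance threshold t whose false match rate is <= target,
    or None if even requiring all n minutiae is not enough."""
    for t in range(1, n + 1):
        if false_match_rate(n, q, t, alignments) <= target:
            return t
    return None


def attacker_success(fmr: float, templates: int, attempts: int) -> float:
    """Random impostor presenting a fresh finger each time: every stored
    partial template and every allowed attempt is an independent chance.
    (This does NOT apply to one MasterPrint presented several times: the
    same image gives the same answer, so its success stays at one try.)"""
    return 1 - (1 - fmr) ** (templates * attempts)


if __name__ == "__main__":
    Q = 0.03  # assumed per-minutia chance-coincidence probability
    full = false_match_rate(50, Q, 12, 1)          # full print, registered: 12 of 50
    part_fixed = false_match_rate(15, Q, 5, 1)     # partial print, known position: 5 of 15
    part_search = false_match_rate(15, Q, 5, 20)   # partial print, 20 alignments tried
    print(f"full print, 12/50, 1 alignment : FMR = {full:.2e}")
    print(f"partial, 5/15, 1 alignment     : FMR = {part_fixed:.2e}")
    print(f"partial, 5/15, 20 alignments   : FMR = {part_search:.2e}")
    # Threshold each setup needs to hold a 1-in-10,000 false match rate
    print("threshold for FMR <= 1e-4: full print", threshold_for_fmr(50, Q, 1, 1e-4),
          "of 50; partial", threshold_for_fmr(15, Q, 20, 1e-4), "of 15")
    # Device policy assumed: 3 stored partial templates x 5 attempts before lockout
    print(f"random impostor, 3 templates x 5 attempts: "
          f"{attacker_success(part_search, 3, 5):.2%}")
```

With these assumptions the full, registered print gives a false match rate around 2e-8, the same rule on a 15-minutia partial print at a known position around 6e-5, and letting the matcher try 20 alignments multiplies that by another 20, to roughly 1e-3; holding a 1-in-10,000 rate requires 9 of 50 minutiae on the full print but 6 of 15 on the partial one, a much larger fraction, which is exactly the kind of threshold that starts rejecting genuine users. Three stored partial templates and five attempts then turn the 1e-3 per comparison into about 1.7 % per random impostor finger. Note that `attacker_success` models a random impostor; a single MasterPrint is not a fresh draw each time, which is why the text above says five tries with the same image do no better than one.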

 

The end of fingerprint biometrics in smartphones?

 

Probably not, for a number of reasons.

 

First, this is a research paper and the "magic" image is not provided (at least not at a usable quality); substantial work is needed before a practical attack can even start.

Second, it is a digital-domain attack: images are submitted to the matching algorithm and the results observed. In real life, you still have to build the fake finger and present it to the sensor, and that makes a difference as well (sensor characteristics, anti-spoofing).

The main point, however, is that this remarkable result targets a specific algorithm: tests have shown that, applied to other implementations, the success rate drops significantly (to 3-4 % in the paper). As algorithms become more efficient and more complex, there is little chance that the same result will be achieved against commercial smartphones running proprietary software. All of this brings us back to a much less impressive risk level of a few percent, which is nevertheless still significantly higher than pure luck (the configured 0.1 % false acceptance rate).

Unless science advances again?

 

Software technology...

 

This paper shows that essential work on hardening recognition algorithms should start now, with a different approach than raw matching performance, before a widespread attack on smartphone security appears.

It seems that until recently, biometric authentication security was handled mainly by improving recognition accuracy, so that algorithms could run at a really low false acceptance rate, measured on real users' fingers. This "feed the algorithm with as much user data as possible" approach is quite different from actively searching for implementation vulnerabilities using computer-generated images and neural networks, the way an attacker does.
However, such adversarial testing will be difficult, as today's algorithms are all different, do not even work on the same base data, and will each require a specific approach...

 

And hardware technology



Also, the next move in smartphone sensors could be larger in-display sensors, or even ultrasonic ones, producing 3D images that will probably be much more resistant to this kind of attack. When this technology (already present on some models, but not yet on Apple or Samsung devices) is mature enough, building a fake finger will become a real challenge...

 
Nevertheless, as older smartphones will remain in use for a while, will we perhaps see new ready-to-use implementations (aka "universal fake fingers") sold on the black market, allowing would-be hackers to test their skills in the wild?
 

Figure: fake finger MasterPrint. One size fits all.

 

Interesting times.

 
