This is what I was saying yesterday at a cybersecurity conference about biometrics (https://zero-day.ch/): in particular, that using a small sensor (10x10 mm) in a biometric payment card, or an even smaller one in a smartphone, is risky, because a small partial print has a much higher chance of fortuitously matching an unknown user, as it contains only a limited number of distinctive features.
However, "more chance" was expected to remain rather safe if the device security setting was high enough.
Until the day after, when news went out that New York and Michigan State University researchers had managed to build a kind of «universal biometric unlocker», the DeepMasterPrint, exploiting this same weakness (among others).
If we put aside anti-spoofing issues, fingerprint identification is normally a very interesting modality because two fingers are never the same, even for twins, and the feature points remain quite constant over time. However, this property only holds for the full image, or at least a significant part of it. If a good fingerprint generally has 50-100 minutiae, and you use a very small sensor that will only "catch" 10-20 of them, you are obviously looking for trouble. In addition, a partial scan can match any part of the fingerprint, because the algorithm doesn't know where to look, which further increases the chances of getting a false match.
3 partial prints: 3 chances to match with the same reference
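The argument above can be put into rough numbers. The following is an added illustration, not code from the original post or from the DeepMasterPrint paper: a toy statistical model in which the per-minutia coincidence probability `q`, the acceptance `ratio` and the independence of comparisons are all assumptions, and the 0.1% figure is treated as a per-comparison false match rate.

```python
from math import comb, ceil

def chance_match_rate(n_minutiae, q=0.2, ratio=0.5):
    """Toy model: probability that an unrelated finger is accepted by chance.

    Each of the n captured minutiae is assumed to coincide with some reference
    minutia independently with probability q (assumed, not measured). The
    matcher is assumed to accept when at least ratio * n of them coincide.
    """
    need = ceil(ratio * n_minutiae)
    return sum(
        comb(n_minutiae, k) * q**k * (1 - q) ** (n_minutiae - k)
        for k in range(need, n_minutiae + 1)
    )

def device_false_accept(per_comparison, templates, attempts=1):
    """Probability that at least one of templates * attempts comparisons
    falsely matches, assuming the comparisons are independent."""
    return 1 - (1 - per_comparison) ** (templates * attempts)

def required_per_comparison(target, templates, attempts=1):
    """Per-comparison rate the matcher must reach so that the device-level
    rate stays at `target` despite several templates and attempts."""
    return 1 - (1 - target) ** (1 / (templates * attempts))

if __name__ == "__main__":
    # Small sensors (10-20 minutiae) versus a full print (50-100 minutiae).
    for n in (12, 20, 60, 100):
        print(f"{n:3d} minutiae captured -> chance match {chance_match_rate(n):.2e}")

    # 3 enrolled partial prints give 3 chances per try; 5 tries is the usual limit.
    for templates, attempts in ((1, 1), (3, 1), (3, 5)):
        rate = device_false_accept(0.001, templates, attempts)
        print(f"{templates} template(s), {attempts} attempt(s): device-level rate {rate:.4%}")

    # What the matcher itself would need to deliver to keep 0.1% at device level.
    print(f"required per-comparison rate: {required_per_comparison(0.001, 3, 5):.2e}")
```

Under these assumptions the chance-match probability falls by several orders of magnitude between a 12-minutiae capture and a 60-minutiae capture, while storing three partial templates and allowing five tries multiplies a 0.1% per-comparison rate to roughly 1.5% at device level.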
The DeepMasterPrint raises this risk to a previously unknown level, by generating a single «super-image» that will have a significant probability of matching any user's finger!
Blurry, but efficient.
What is especially interesting is that it can be computed from scratch, using existing fingerprint databases, and the generated image can be directly transferred to a silicone fake finger. Tests showed that this artifact is then able to match with a remarkable efficiency of up to 20% at standard configuration (accepted reject rate = 0.1%), in just one single try!
That means that you now have ONE chance out of FIVE to unlock any smartphone.
This new form of attack is based on a previous paper from April 2017. It has been improved to be more efficient, especially in order to work with a single try instead of five (the usual limit) while getting the same performance (noting that trying five times with the new algorithm will not do better).
Probably not, for a number of reasons.
First, this is a research paper and the "magic" image is not provided (in significant quality); complex work needs to be done before starting a practical attack.
Second, it is a digital-domain attack: we submit images to algorithms and see what happens. In real life, you still have to build the fake finger to apply to the sensor, and that will make some difference as well.
However, the main point is that this remarkable result is targeted at a specific algorithm, and tests have shown that when it is applied to other implementations, the success rate drops significantly (3-4% in the paper). As algorithms are becoming more and more efficient and complex, there is little chance that the same result will be achieved in commercial smartphones using proprietary software. All of that brings us back to a much less impressive risk level of only a few percent, which is still significantly higher than pure luck.
Except if science advances again?
This paper shows us that essential work on hardening recognition algorithms should be started now, with a different approach than brute performance, before a wide attack on smartphone security arises.
One size fits all.