Watch the science progress…

 

This is what I was saying yesterday at a cybersecurity conference about biometrics (https://zero-day.ch/): in particular, that using a small sensor (10x10 mm) with a biometric payment card, or an even smaller one in a smartphone, was risky, because a small partial print has a much greater chance of fortuitously matching an unknown user, as it contains only a limited number of distinctive features.

However, "more chance" was expected to remain rather safe if the device security setting was high enough.

Until the day after, when news went out that New York and Michigan State University researchers had managed to build a kind of "universal biometric unlocker", the DeepMasterPrint, using (among other things) this same weakness.

http://www.planetbiometrics.com/article-details/i/9720/desc/masterprints-used-to-hack-fingerprint-systems/

If we put aside anti-spoofing issues, fingerprint identification is normally a very interesting modality because two fingers are never the same, even for twins, and the feature points remain quite constant over time. However, this property only holds for the full image, or at least a significant part of it. If a good fingerprint generally has 50-100 minutiae, and you use a very small sensor that will only "catch" 10-20 of them, you are obviously looking for trouble. In addition, a partial scan can match any part of the fingerprint, because the algorithm doesn't know where to look, which further increases the chances of getting a false match.

Figure (partial FP): 3 partial prints, 3 chances to match with the same reference.
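How the "3 partial prints, 3 chances" effect compounds into a device-level false acceptance rate, and how strict the per-comparison threshold must become to compensate. This is an added example, not taken from the post or from the DeepMasterPrint paper. It assumes every comparison is an independent trial with the same false match rate, which is a simplification for random impostor prints; the function names and the scenarios are constructed for illustration.

```python
import math

def _comparisons(partials_per_finger, fingers, attempts):
    # Each attempt is compared against every enrolled partial template.
    if min(partials_per_finger, fingers, attempts) < 1:
        raise ValueError("counts must be >= 1")
    return partials_per_finger * fingers * attempts

def effective_far(fmr, partials_per_finger, fingers=1, attempts=1):
    """Chance that a random impostor print is accepted at least once.

    Assumption: comparisons are independent, each with false match rate fmr.
    """
    if not 0.0 <= fmr < 1.0:
        raise ValueError("fmr must be in [0, 1)")
    n = _comparisons(partials_per_finger, fingers, attempts)
    # 1 - (1 - fmr)^n, written with log1p/expm1 to stay accurate for tiny fmr
    return -math.expm1(n * math.log1p(-fmr))

def required_fmr(target_far, partials_per_finger, fingers=1, attempts=1):
    """Per-comparison FMR needed so the whole device stays at target_far."""
    if not 0.0 <= target_far < 1.0:
        raise ValueError("target_far must be in [0, 1)")
    n = _comparisons(partials_per_finger, fingers, attempts)
    return -math.expm1(math.log1p(-target_far) / n)

def scenario_table(fmr, target_far):
    # Constructed scenarios: (label, partials per finger, fingers, attempts)
    scenarios = [
        ("1 template, 1 try", 1, 1, 1),
        ("3 partials, 1 try", 3, 1, 1),
        ("3 partials, 5 tries", 3, 1, 5),
        ("3 partials x 2 fingers, 5 tries", 3, 2, 5),
    ]
    return [(label, effective_far(fmr, p, f, a), required_fmr(target_far, p, f, a))
            for label, p, f, a in scenarios]

if __name__ == "__main__":
    # 0.1% per comparison, and a 0.1% target for the device as a whole
    for label, far, need in scenario_table(0.001, 0.001):
        print(f"{label:34s} device FAR={far:.4%}  FMR needed={need:.2e}")
```
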

 

DeepMasterPrint

The DeepMasterPrint takes this risk to a previously unknown level, by generating a single "super-image" that will have a significant probability of matching any user's finger!

Figure (DeepMasterPrint): Blurry, but efficient.

What is especially interesting is that it can be computed from scratch, using existing fingerprint databases, and the generated image can be directly transferred to a silicone fake finger. Tests showed that this artifact is then able to match with a remarkable efficiency of up to 20 % at standard configuration (accepted reject rate = 0.1%), in just one single try!

That means that you now have ONE chance out of FIVE to unlock any smartphone.

 

This new form of attack is based on a previous paper from April 2017. It has been improved to be more efficient, in particular so that it works with a single try instead of five (the usual limit) while achieving the same performance (note that trying five times with the new algorithm will not do better).

 

The end of fingerprint biometry in smartphones?

 

Probably not, for a number of reasons.

 

First, this is a research paper and the "magic" image is not provided (in significant quality); complex work needs to be done before starting a practical attack.

Second, it is a digital-domain attack: we submit images to algorithms and see what happens. In real life, you still have to build the fake finger to apply to the sensor, and that will make some difference as well.

However, the main point is that this remarkable result is targeted at a specific algorithm, and tests have shown that when it is applied to other implementations, the success rate drops significantly (3-4 % in the paper). As algorithms are more and more efficient and complex, there is little chance that the same result will be achieved in commercial smartphones using proprietary software. All of that brings us back to a much less impressive risk level of only a few percent, which is still significantly higher than pure luck.

Except if science advances again?

 

Software technology...

 

This paper shows us that essential work on hardening recognition algorithms should be started now, with a different approach than brute performance, before a wide attack on smartphone security arises.
 
It seems that until recently, biometric authentication security was mainly handled by improving recognition efficiency, in order to have algorithms able to function at a really low false acceptance rate, based on real users' fingers. This "feed-the-algorithm-with-as-many-user-data-as-possible" approach is rather different from actively searching for implementation vulnerabilities using computer-generated images and neural networks.
However, this active approach will be difficult to carry out, as today's algorithms are all different, not even working on the same base data, and each of them will require its own specific approach...

 

And hardware technology



Also, the next move in smartphone sensors could be bigger in-display sensors, or even ultrasonic ones, generating 3D images that will probably be much more resistant to this kind of attack. When this technology (already present on some models but not yet on Apple or Samsung) is mature enough, fake finger building will become a real challenge...

 
Nevertheless, as older smartphones will still exist for a while, will we perhaps see new ready-to-use implementations (aka "universal fake fingers") sold on the black market, allowing would-be hackers to test their skills in the wild?
 

Figure (fake finger Masterprint): One size fits all.

 

Interesting times.

 
