The fingerprint sensor started out as one of the features exclusive to premium smartphones, but today, this piece of technology has found its way onto mid-range devices as well.
It’s impossible to overlook the convenience that comes with having a phone that can scan your fingerprint. For instance, a touch of a finger unlocks the phone, which means there’s no need for passwords that are, more often than not, easily guessable. Moreover, services like Apple Pay enable users to buy consumer items in seconds, using their fingerprints. And, if that’s not convenient enough, banking apps now integrate the sensors to allow for the payment of bills or the transfer of thousands of dollars. You, therefore, wouldn’t be far off from the truth if you lauded the smartphone fingerprint sensor as among the innovations that have changed the world.
That said, the reports that have recently been hitting the airwaves seem to undermine the fingerprint scanner’s apparent glory. According to new findings from researchers at New York University and Michigan State University, smartphones can be easily fooled by fake, digitally composed fingerprints, called ‘MasterPrints.’ These MasterPrints are supposedly capable of unlocking any phone 65 percent of the time.
The exploitable limitation
Because no two fingerprints are the same, you’d be forgiven if you thought the sensor on your smartphone was hacker-proof.
But to keep sensors small and fast, smartphone manufacturers design them to use a partial scanning method: the phone compares only some sections of a fingerprint, not all of it, with the image it has stored, and if one of these sections matches, the phone unlocks.
For the legitimate phone owner, this approach makes unlocking the phone and processing purchases pleasantly quick. However, as an NYU professor puts it, “It’s like having 30 passwords and the attacker only has to crack one.” This limitation is what makes the fingerprint sensor vulnerable to MasterPrint intrusion.
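The "30 passwords" effect can be made concrete with a toy model. The Python below is an added example, not the researchers' method or any phone's matcher: it assumes each stored partial template is a random 32-bit vector and that a comparison matches at Hamming distance 9 or less (both constructed values), then measures how often a random impostor probe is accepted when any one of k templates may match.

```python
import math
import random

def per_comparison_fmr(bits, threshold):
    """P(a random probe is within `threshold` bit flips of one random template)."""
    return sum(math.comb(bits, d) for d in range(threshold + 1)) / 2 ** bits

def any_of_k_fmr(p, k):
    """False-accept rate when a probe is accepted if ANY of k templates matches."""
    return 1.0 - (1.0 - p) ** k

def simulate(k, bits=32, threshold=9, trials=20000, seed=1):
    """Monte Carlo check: one random impostor probe vs. k random enrolled templates."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    accepted = 0
    for _ in range(trials):
        probe = rng.getrandbits(bits)
        for _ in range(k):
            template = rng.getrandbits(bits)  # constructed stand-in for a partial print
            if bin(probe ^ template).count("1") <= threshold:
                accepted += 1
                break  # one matching section is enough to unlock
    return accepted / trials

if __name__ == "__main__":
    p = per_comparison_fmr(32, 9)  # roughly 1 in 100 per comparison in this toy model
    for k in (1, 5, 30):
        print(f"k={k:2d} analytic={any_of_k_fmr(p, k):.4f} simulated={simulate(k):.4f}")
```

In this toy model, comparing against fewer sections or using a stricter threshold pulls the acceptance rate back toward the single-comparison figure.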
How a MasterPrint works
MasterPrints are digital mosaics made by combining the common elements of all human fingerprints. However unique fingerprints are, there are three basic patterns they follow: the loop, whorl, and arch.
A MasterPrint incorporates features from the three patterns to come up with a general representation of a human fingerprint. Sure, the results are nowhere near accurate, but since the MasterPrint only needs to match part of the actual print, chances are high that it’ll successfully unlock the smartphone.
Not cause for alarm, but still a concern
The researchers used computer simulations rather than real phones to test their approach, and security experts say the match rate would be significantly lower in a real-life situation.
The actual risk is, in fact, difficult to quantify and will arguably vary from one phone to the next. Apple, for instance, claims that the iPhone fingerprint system undergoes comprehensive testing against various attacks and, as a result, the chance of a false match is 1 in 50,000 attempts.
Fingerprint sensor technology is also advancing into more secure territory. Smartphone makers are studying anti-spoofing techniques to distinguish between a real and an artificial finger, such as looking for perspiration or going deeper into the skin. A new sensor from Qualcomm is said to incorporate ultrasound to detect real skin.
Nonetheless, the findings that partial fingerprints can be digitally duplicated cannot be taken lightly. Manufacturers could easily increase security by adding larger sensors or scanning more finger surface, but the average phone company would rather avoid the design and functionality compromises that could come with revamping the system.
Thankfully, newer biometric options such as the Samsung Galaxy S8’s iris scanner are harder to fool. If other smartphone brands embrace this system, the fingerprint sensor will have found a better, more secure replacement.