Hacking Fingerprint Readers with Master Prints

There's interesting research on using a set of "master" digital fingerprints to fool biometric readers. The work is theoretical at the moment, but the researchers might be able to open about two-thirds of iPhones with these master prints.

Definitely something to keep watching.

Research paper (behind a paywall).

EDITED TO ADD (6/13): The research paper is online.

Posted on May 24, 2017 at 6:44 AM • 15 Comments

Comments

Michael P • May 24, 2017 7:15 AM

Isn't this more a case of "we might be able to fool two thirds of phones if our recognition algorithm matches the phone's, we can defeat any mechanism the phone uses to distinguish real fingers from fake ones, and there are enough fingerprints registered on each phone"? As I understand it, the authors don't claim to use the iPhone's real sensors or algorithms.

Mitakeet • May 24, 2017 8:50 AM

Mythbusters did a nice show on the weaknesses of physical security and used gummy bears to fake a fingerprint taken from a co-host. Worked like a charm. Indeed, one of the devices was opened with a Xerox of a fingerprint!

Jim K • May 24, 2017 6:11 PM

Albert,

Thanks for the Mythbusters links.

I think that was what I wanted to do when I grew up.

bender • May 24, 2017 6:29 PM

You don't need a master print - a 3 year old will do.

I witnessed a friend's 3 yr old son unlock 2 iPhones (belonging to different owners) by mashing the fingerprint reader with his tiny hands for about 30 seconds each.

Patriot COMSEC • May 24, 2017 8:08 PM

It is like Spy vs Spy in Mad magazine. One spy is in a white hat, the other is in a black hat, but they are otherwise identical. They fight it out and play tricks on each other while we watch.

High tech often turns out to be something we cannot trust. The technology we can trust is often simple: a one-time pad, a mercury barometer, etc.

It is an uncomfortable fact: information high tech is leading us into a world of mistrust and constant tricks--with no end in sight. This fact does not bolster the civil liberties of a democracy, especially a small one. It favors the controlling interests of large, centralized, and hierarchical states and corporations.

Herman • May 25, 2017 3:48 AM

I've had my iPhone unlock and send a text msg while in my pants pocket. So it is rather unsurprising that there are more rigorous attacks possible also.

Clive Robinson • May 25, 2017 4:39 AM

The paper is an interesting paper but a little maths heavy in the middle. That said if you just read the first page and a bit and the conclusion you will get a sufficient overview to decide if you want to dive into the maths ;-)

If you do dive in, and can think a little hinky you can see how some of it relates to "the human problems" with the XKCD "Horse battery..." password system. As well as to most other "sampling systems" which all current biometric sensors are.

Thus whilst the work is original, it's not unexpected / surprising. Which often is an indicator of an "on target torpedo" about to blow a security technology out of the water, or at least hole it below the water line so it sinks beyond hope of recovery.

Alex • May 25, 2017 4:44 AM

This reminds me of the paper from the other week about defeating basically all image-recognition algorithms by putting a slight texture over your image.

ab praeceptis • May 25, 2017 4:54 AM

Ooooooooooooooooooh, how disappointing. And it looked always so cool in old science fiction movies.

Next month: retina readers fooled.

In 10 years (or am I too optimistic here?): How the snakeoi ... err, security industry fooled us with ever new "bullet proof high tech security" theater and poor technology.

How about "use pass phrases as complex and with as many chars as you feel your security is worth to you!" (and if it's worth a lot to you then also have a look at Thoths product(s)).

Clive Robinson • May 25, 2017 6:49 AM

@ Alex,

... about defeating basically all image-recognition algorithms by putting a slight texture over your image

You might want to have a look back to "Digital Watermarking" that was the "golden hope" of the DRM vultures back at the turn of the century. It was much lauded until Ross J. Anderson over at the UK's Cambridge Computer Lab showed that a slight amount of two dimensional non linear stretching/compression and a little twisting, nearly all of which is imperceptible to the human eye, killed most watermarking systems.

It was kind of the death knell of Digital Watermarking which rapidly deflated and has all but disappeared since.

albert • May 25, 2017 12:30 PM

@Patriot COMSEC,

"...a one-time pad, a mercury barometer..."

Don't forget the pendulum clock, used by astronomers for timing celestial events, calibrated by star sightings and -very- accurate.

. .. . .. --- ....


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.