
Smartphones can be fooled by fake, digitally composed fingerprints - walterbell
https://www.nytimes.com/2017/04/10/technology/fingerprint-security-smartphones-apple-google-samsung.html
======
djrogers
I shouldn't be surprised, but the reporting on this makes it sound way
different than the actual research. Specifically, none of the research appears
to have been performed on, or tested against _ACTUAL SMARTPHONE_
implementations - for example:

"Experiments on a capacitive fingerprint dataset, similar to the one used by
Apple TouchID, showed that it is possible to break 6.88% of users’ account in
5 attempts if the FMR setting of the matching algorithm (Verifinger 6.1 SDK)
was set to 0.01% and each subject was enrolled with one finger and 12 partial
impressions per finger."

It seems that using commercial fingerprint software and captive systems
'similar to the one used by Apple TouchID' is very different from actually
testing your theories against, you know, Apple TouchID.

The way you believe TouchID works may be significantly better or worse than it
actually does, so don't you need to test iPhones if you're going to be giving
scary quotes to reporters about them being insecure?

~~~
fauigerzigerk
_> I shouldn't be surprised, but the reporting on this makes it sound way
different than the actual research. Specifically, none of the research appears
to have been performed on, or tested against ACTUAL SMARTPHONE
implementations_

That is exactly what the article says. Specifically:

 _The researchers did not test their approach with real phones, and other
security experts said the match rate would be significantly lower in real-life
conditions._

and

 _“To really know what the impact would be on a cellphone, you’d have to try
it on the cellphone,” she said._

and

 _Dr. Ross acknowledged the limitations of the work._

Half of the article is about the limitations of the approach the paper used,
so I fail to understand your criticism of the reporting.

~~~
djrogers
The article currently linked here is not the same one originally linked. It
was changed after I made my post.

That said, the headline still explicitly calls out smartphones.

~~~
pbhjpbhj
>article currently linked here is not the same one originally linked //

Grr, hate it when they do that, it's clearly too hard to add a second link
"previously the linked article was: ..."?

~~~
yorwba
Like here?
[https://news.ycombinator.com/item?id=14318899](https://news.ycombinator.com/item?id=14318899)

------
mmastrac
This is the IEEE paper referenced in the article:

[http://ieeexplore.ieee.org/document/7893784/?reload=true](http://ieeexplore.ieee.org/document/7893784/?reload=true)

PDF version:

[http://www.cse.msu.edu/~rossarun/pubs/RoyMemonRossMasterPrin...](http://www.cse.msu.edu/~rossarun/pubs/RoyMemonRossMasterPrint_TIFS2017.pdf)

Abstract:

This paper investigates the security of partial fingerprint-based
authentication systems, especially when multiple fingerprints of a user are
enrolled. A number of consumer electronic devices, such as smartphones, are
beginning to incorporate fingerprint sensors for user authentication. The
sensors embedded in these devices are generally small and the resulting images
are, therefore, limited in size. To compensate for the limited size, these
devices often acquire multiple partial impressions of a single finger during
enrollment to ensure that at least one of them will successfully match

~~~
mediocrejoker
I skimmed the paper but I don't see which iPhone they were able to unlock with
this method. Do you know if the resolution of the fingerprint scanner differs
between iPhone models?

~~~
djrogers
> I don't see which iPhone they were able to unlock with this method

They either didn't try, or were unable to and didn't document the results.

~~~
eridius
According to the article itself, they never actually tried unlocking a real
phone.

~~~
Bud
That strains credulity.

------
umurkontaci
I have the feeling that the researchers tried to unlock real phones and failed.

It sounds weird when you say you have made a research about security of
fingerprint scanners on phones without actually trying the attacks on those
phones.

~~~
cantrevealname
> I have the feeling that the researchers tried to unlock real phones and
> failed.

That sounds plausible.

Think about how much more impressive their results would be if they
demonstrated the attack on real phones. But they have a paper to publish, so
why detract from the paper by mentioning that tests on real phones didn't pan
out.

------
crazygringo
> _"Dr. Memon said their findings indicated that if you could somehow create
> a magic glove with a MasterPrint on each finger, you could get into 40 to 50
> percent of iPhones within the five tries allowed before the phone demands
> the numeric password, known as a personal identification number."_

I don't understand how this is possible at all. I've always assumed that each
fingerprint is essentially turned into a hash, and that there must be
something like at least 10,000+ possible hashes. I mean, I used to belong to a
gym that used a fingerprint reader for entry, and it correctly identified me
(flashing my name) from the other 1,000+ members each time.

So as long as the hash space is reasonably large, it doesn't matter _what_
these 5 magic imprints are, they still each convert to just 1 hash, no
different from any other fingerprints.

Am I missing some critical aspect here to explain how "master prints" are even
plausible -- how they could possibly act as "wildcards" for large swathes of
hashes?

~~~
majke
That's not how it works. The process of reading your retina / fingerprint is
error prone. You can't take a hash out of an error-prone data blob!

My understanding is that matching the pre-saved template against a fresh scan
is a process similar to measuring Levenshtein distance. There is some
threshold, and samples with smaller error are accepted. This does imply that
the iPhone has somewhere stored your _unencrypted_, _unhashed_ template of
your fingerprint.

But this is not my area of expertise. Perhaps a subject matter expert can
comment.

~~~
out_of_protocol
Indeed it is, inside a sensor (that's why so much trouble replacing one on
iPhone), gladly raw data never leaves it (same goes for Android as well,
except really really old versions, like 4-)

~~~
majke
"data never leaves it" reference please?

~~~
delinka
[https://www.apple.com/business/docs/iOS_Security_Guide.pdf](https://www.apple.com/business/docs/iOS_Security_Guide.pdf)

Find the section titled "Secure Enclave." When the SE needs to store data on
the filesystem, it's encrypted with a key that never leaves the SE.
Effectively, assuming the encryption is implemented correctly, data 'owned' by
the SE is never available to any other part of the system.
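
Added example, not part of the thread or of the paper's code: a toy simulation of the threshold matching majke describes and of the multi-impression enrollment in the abstract mmastrac quotes. The 64-bit feature vector, noise rate and threshold are constructed assumptions, and every comparison is treated as an independent random impostor.

```python
import hashlib
import random

BITS = 64        # toy feature-vector length (assumption, not a real template format)
THRESHOLD = 22   # accept when Hamming distance <= THRESHOLD (assumption)

def hamming(a, b):
    return bin(a ^ b).count("1")

def noisy_scan(template, rng, flip_prob=0.05):
    """Simulate sensor noise: flip each bit independently."""
    noise = sum(1 << i for i in range(BITS) if rng.random() < flip_prob)
    return template ^ noise

def hash_match(template, scan):
    """Password-style check: compare digests of the two readings."""
    digest = lambda v: hashlib.sha256(v.to_bytes(BITS // 8, "big")).digest()
    return digest(template) == digest(scan)

def threshold_match(templates, scan):
    """Accept if the scan is close enough to ANY enrolled template."""
    return any(hamming(t, scan) <= THRESHOLD for t in templates)

def genuine_rates(trials=2000, seed=1):
    """Fraction of genuine rescans accepted by (hash, threshold) matching."""
    rng = random.Random(seed)
    h = t = 0
    for _ in range(trials):
        template = rng.getrandbits(BITS)
        scan = noisy_scan(template, rng)
        h += hash_match(template, scan)
        t += threshold_match([template], scan)
    return h / trials, t / trials

def impostor_rate(enrolled, trials=5000, seed=2):
    """Fraction of random impostor scans accepted against `enrolled` templates."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        templates = [rng.getrandbits(BITS) for _ in range(enrolled)]
        hits += threshold_match(templates, rng.getrandbits(BITS))
    return hits / trials

def effective_fmr(fmr, enrolled, attempts):
    """Chance that at least one of enrolled*attempts independent comparisons matches."""
    return 1 - (1 - fmr) ** (enrolled * attempts)

if __name__ == "__main__":
    print("genuine (hash, threshold):", genuine_rates())
    print("impostor, 1 template:", impostor_rate(1))
    print("impostor, 12 templates:", impostor_rate(12))
    print("FMR 0.01%, 12 impressions, 5 tries:", effective_fmr(0.0001, 12, 5))
```

With the settings quoted from the paper (FMR 0.01%, 12 partial impressions, 5 attempts), the independent-comparison figure comes to about 0.6%, against the 6.88% the paper reports.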

------
crystaln
There are all sorts of reasons fingerprints are not a highly secure
authentication mechanism. Just as there are all sorts of reasons passwords and
other techniques are imperfect. Password entry can be observed. Chosen
passwords are frequently insecure, particularly on smartphones where brevity
is so important.

Fingerprints are an excellent mechanism for almost all threat vectors for your
average consumer smartphone. Your friends, enemies, and criminals would have
to go through enormous, expensive, and clearly unethical efforts to access
your phone. Given the convenience and security of this, I'm entirely happy
with the security of my thumbprint-encrypted iPhone.

It's important for people who are dissidents or engaging in criminal activity
to be aware that their brain is more secure than their fingerprint, although
that seems entirely obvious to anyone capable of maintaining a high security
lifestyle.

~~~
consp
Considering there is no 'active' part (e.g. no known secret) it cannot be used
for authorization, only for identification. The 'kids unlock phone with
sleeping parent and buy stuff' techniques are a clear proof of this. Fine for
identification, do not use for authorization (e.g. using secrets like when you
buy stuff).

~~~
crystaln
I'm still fine with this threat vector. The idea is to prevent casual
intrusion, not premeditated intrusion. If I put my phone on the dinner table,
no one is going to send text messages.

------
jamiesonbecker
Nearly all biometrics, except for physically invasive ones, are _easily
stolen_.

All are forgeable.

Biometrics can never be revoked once compromised.

They're like the social security number of logins. Completely useless.

Using biometrics for security or identity violates practically every rule for
secure credentials. They exchange convenience for extremely minimal security.

Perhaps the oft-cited username, _not_ a password?

No, not even useful for that: for a mobile phone, a username isn't even needed
in most cases because there's usually only one user on the device. It lends no
additional security -- merely an extra step.

For a phone, a fingerprint is probably less secure than a swipe pattern.

It's security theater. Why do we keep equating biometrics with security?

~~~
WatchDog
For most people biometrics offer a better security posture than some of the
alternatives. The average user is at much greater risk of someone watching
them enter a PIN/Password than having them capture and forge their biometrics.

------
dkrich
I'm not a security expert by any means, but I have to ask- if it's acceptable
and most people use a four digit pin to unlock a phone, is the idea of
somebody going to the trouble of lifting and replicating fingerprints that
worrisome?

------
enig_matic7
"The researchers did not test their approach with real phones, and other
security experts said the match rate would be significantly lower in real-life
conditions. Still, the findings raise troubling questions about the
effectiveness of fingerprint security on smartphones."

Wat.

------
draugadrotten
Modern fingerprint scanners use various methods to detect if it's a living
finger or if it's a static image.

This "research" could not beat any phone using a modern fingerprint scanner
with liveness detection.

Using fingerprints may not be a perfect solution but it beats 4-digit pincodes
and passw0rds. Next level in a few years, we'll have retina scanners in our
phones, cars and IoT including peppes pizza ads in Oslo. Then 1984 will look
like a bedtime story for kids.

------
artursapek
"Your fingerprint is your username, not your password"

~~~
dragonwriter
A fingerprint is not suitable as a username (as it can be physically damaged
unrecoverably) or as a password (because it cannot be freely changed if
potentially compromised.)

------
summer69
Biometrics are in general a bad way to implement security. Fingerprints and
iris scans can easily be stolen many times by just browsing a person's
Facebook profile photos. We have already started depending on these to allow
access to bank accounts.

I live in India, and there are already companies with phones that have iris
and fingerprint scanners to link with each individual's Aadhaar ID and grant
access to all government and financial services including bank accounts, and
even online shopping [1]. Unlike regular credit card transactions, these are
supposed to be authenticated, so you cannot ask for a chargeback. Data for 130
million Indian people including their Aadhaar numbers and bank details was
recently leaked accidentally. [2] There is a big disaster here just waiting to
happen.

[1]: [http://www.ndtv.com/india-news/shop-online-soon-with-fool-pr...](http://www.ndtv.com/india-news/shop-online-soon-with-fool-proof-iris-scan-aadhaar-phone-1692398)

[2]: [http://indiatoday.intoday.in/technology/story/aadhaar-data-o...](http://indiatoday.intoday.in/technology/story/aadhaar-data-of-130-millions-bank-account-details-leaked-from-govt-websites-report/1/943632.html)

------
hawski
I use fingerprint screen unlock, because it's the most convenient screen
unlock mechanism. The phone will not be unlocked by a mistake and it is very
fast when you really want it.

I like especially the placement of the sensor on the back cover. When the
phone is in front of my face it is already unlocked if I want it.

------
gwbas1c
Honestly, I've never cared about the fingerprint reader for security. I just
see it as a better way to prevent my phone from turning on in my pocket and
butt-dialing someone.

I never put a password on my phone before the fingerprint reader. The apps
that I care about protecting have password functionality built-in.

~~~
sgarman
What about 2-factor auth or sms two factor auth or access to your gmail
client?

~~~
Doctor_Fegg
You know, not everyone uses gmail.

------
Animats
That is really clever. The Ur-fingerprint, developed using simple machine
learning. Well, that's the end of using "minutiae" for recognition.
Recognition has to use something that requires the features have the proper
positional relationship to each other, such as a whole fingerprint.

------
libeclipse
> But I’d rather see Apple make me enter the PIN if it’s idle for one hour.

Does this ever really happen though? It's rare for my phone to sit there for
more than 15 minutes without me messing with it.

~~~
fosk
You are missing the point. It's not for you to re-enter the PIN every once in
a while, it's to prevent a potential attacker with physical access to your
phone from unlocking it, exactly when the phone itself is not physically with you
(and so you have nothing to mess with).

Anyways it would only mitigate the risk without fixing the root problem.

------
skocznymroczny
My friend claims that her boyfriend managed to unlock her iPhone using his
finger, although I can't 100% verify that claim.

------
ars
The phone is covered with fingerprints from the owner anyway.

If you have the phone, you already have the "password". The fingerprint scan
is just to make it a little bit annoying for an attacker, so they'll factory
reset instead of bothering to crack it.

It's not intended for any kind of real security.

Like many others here I never used to lock my phone at all until the
fingerprint scan, and I don't consider the scan as a form of security, but
rather as a quick way to turn on the phone.

~~~
gpawl
How do you know that the finger data the scanner uses is present in oil
prints?

If this is true, someone would have created a working demonstration in the past 5
years.

~~~
kalleboo
[https://www.heise.de/video/artikel/iPhone-5s-Touch-ID-hack-i...](https://www.heise.de/video/artikel/iPhone-5s-Touch-ID-hack-in-detail-1966044.html)

------
jlebrech
Is there a way a phone could know which finger was used by using the camera
too?

------
dustinkirkland
Fingerprints are usernames, not passwords.

[http://blog.dustinkirkland.com/2013/10/fingerprints-are-user...](http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html)

~~~
snarf21
Exactly this. I've made the same comment other places on here. Fingerprint for
username, 8 character alphanumeric for password and mandatory hardware 2FA
fobs/keys.

------
nneonneo
There's no reason to cite a Google-translated version of this article when a
suitable, well-explained English article exists in the New York Times:
[https://mobile.nytimes.com/2017/04/10/technology/fingerprint...](https://mobile.nytimes.com/2017/04/10/technology/fingerprint-security-smartphones-apple-google-samsung.html)

As the article notes, you really need more than one imprint in order to get
into a phone - the authors suggest that five distinct imprints could get into
about 40-50% of phones, which fits within the 5 try limit imposed by many
systems.

~~~
dang
Right. Url changed from
[https://translate.google.com/translate?sl=auto&tl=en&u=https...](https://translate.google.com/translate?sl=auto&tl=en&u=https%3A//www.mobilegeeks.de/news/fingerabdrucksensor-sicherheit-generalschluessel/).

Submitters: Please don't post Google translate links.

------
2bitencryption
Totally not relevant, but holy cow Google Translate is getting good.

I swear I've read articles in plain English that were less comprehensible than
this translated one, by a mile.

~~~
devrandomguy
It's pretty good at European languages, but still terrible at Arabic and
Japanese. The system still has a very shallow understanding of the content.
One of my primarily Arabic-speaking colleagues was actually offended by Google
Translate butchering their language so badly; their culture places a
relatively high value on poetry, calligraphy, etc.

As an exercise, try translating your search queries into Arabic before
searching. Then, let Google translate the results for you. It is hilarious.

~~~
krrrh
I wonder how much Arabic translation suffers from a lack of available data to
feed the ML. [1]

> Nor are foreign books much translated: in the 1,000 years since the reign of
> the Caliph Mamoun, say the authors, the Arabs have translated as many books
> as Spain translates in one year.

[1]
[http://www.economist.com/node/1213392](http://www.economist.com/node/1213392)

~~~
devrandomguy
I am somewhat surprised that our ML is not yet strong enough to make good use
of a relatively small, but precisely translated work, such as the Qur'an. The
success of human anthropologists in deciphering the Rosetta stone to learn the
ancient Egyptian languages must have had as much to do with understanding the
context, the culture and tools of the time, as actually cracking a code.

------
ouid
A fingerprint isn't secure in any robust sense of the word. You leave your
fingerprints on everything you touch.

