I shouldn't be surprised, but the reporting on this makes it sound way different than the actual research. Specifically,
none of the research appears to have been performed on, or tested against ACTUAL SMARTPHONE implementations - for example:
"Experiments on a capacitive fingerprint dataset, similar to the one used by Apple TouchID, showed that it is possible to break 6.88% of users’ account in 5 attempts if the FMR setting of the matching algorithm (Verifinger 6.1 SDK) was set to 0.01% and each subject was enrolled with one finger and 12 partial impressions per finger."
It seems that using commercial fingerprint software and captive systems 'similar to the one used by Apple TouchID' is very different from actually testing your theories against, you know, Apple TouchID.
The way you believe TouchID works may be significantly better or worse than it actually does, so don't you need to test iPhones if you're going to be giving scary quotes to reporters about them being insecure?
>It seems that using commercial fingerprint software and captive systems 'similar to the one used by Apple TouchID' is very different from actually testing your theories against, you know, Apple TouchID.
In theory, there's no difference between theory and practice; in practice, there is. ;]
OTOH, here is a supposed example of an attacker circumventing TouchID iPhone-access controls:
"The video shows in detail how CCC member "Starbug" managed to fool the Touch ID sensor of Apple's new iPhone 5s – using only a scanner, tracing paper, a pcb and wood glue." [1]
In "real life"—unless there was some absolute urgency to the problem—you wouldn't try to reconstruct a smudged partial print; you'd just use social engineering/espionage tactics to get a good print.
(Remember that iOS locks and/or wipes devices after 10 failed attempts. You want to go to however much effort is required to be perfect the first time.)
I can think of a number of situations one could create where a person would have no incredulity about actually inking their fingers and carefully applying fingerprints to a piece of paper. Committed adversaries aren't scared of crimes like "impersonating a police officer", remember.
I was presuming the sort of high-profile target where kidnapping them would quickly get some snipers emplaced and/or a MOAB dropped on you. If you want to, say, steal a nuclear submarine, you can't just kidnap an admiral and force them to hand over the keys. :P
Well, 10 failed attempts doesn't necessarily hold water anymore.
Wasn't that whole "Can the FBI convince Apple to unlock this iPhone" case solved by backing up the NAND memory and constantly reflashing it after the 10 attempts were used up?
I imagine the same process can be applied in this case too
This is absolutely not a lab condition. You can very easily extract a fingerprint from a glass or so, as was done e.g. with Wolfgang Schaeuble, a German politician.
>I shouldn't be surprised, but the reporting on this makes it sound way different than the actual research. Specifically, none of the research appears to have been performed on, or tested against ACTUAL SMARTPHONE implementations
That is exactly what the article says. Specifically:
The researchers did not test their approach with real phones, and other security experts said the match rate would be significantly lower in real-life conditions.
and
“To really know what the impact would be on a cellphone, you’d have to try it on the cellphone,” she said.
and
Dr. Ross acknowledged the limitations of the work.
Half of the article is about the limitations of the approach the paper used, so I fail to understand your criticism of the reporting.
While the article does say that ... eventually, the headline and the first two and a half paragraphs undermine your point.
Since most people won't actually read and digest the full article, but instead go by the headline "That Fingerprint Sensor on Your Phone Is Not as Safe as You Think" and read the first paragraph or so, none of the caveats matter much; people will walk away with the impression that this is a verified fact.
> The researchers did not test their approach with real phones, and other security experts said the match rate would be significantly lower in real-life.
You are indeed correct. I wish someone would do a full test on how secure the readers are.
It should be easy on a phone you control. You can try five times quickly, then it stops accepting fingerprints until you put in the password. This is a major problem for an attacker, but if you're just researching it then you can put in the password to re-enable fingerprint authentication and then get five more tries. You should be able to try 20-30 fingerprints per minute.
This paper investigates the security of partial fingerprint-based authentication systems, especially when multiple fingerprints of a user are enrolled. A number of consumer electronic devices, such as smartphones, are beginning to incorporate fingerprint sensors for user authentication. The sensors embedded in these devices are generally small and the resulting images are, therefore, limited in size. To compensate for the limited size, these devices often acquire multiple partial impressions of a single finger during enrollment to ensure that at least one of them will successfully match
I skimmed the paper but I don't see which iPhone they were able to unlock with this method. Do you know if the resolution of the fingerprint scanner differs between iPhone models?
I have the feeling that the researchers tried to unlock real phones and failed.
It sounds weird when you say you have done research on the security of fingerprint scanners on phones without actually trying the attacks on those phones.
> I have the feeling that the researchers tried to unlock real phones and failed.
That sounds plausible.
Think about how much more impressive their results would be if they demonstrated the attack on real phones. But they have a paper to publish, so why detract from the paper by mentioning that tests on real phones didn't pan out.
> "Dr. Memon said their findings indicated that if you could somehow create a magic glove with a MasterPrint on each finger, you could get into 40 to 50 percent of iPhones within the five tries allowed before the phone demands the numeric password, known as a personal identification number."
I don't understand how this is possible at all. I've always assumed that each fingerprint is essentially turned into a hash, and that there must be something like at least 10,000+ possible hashes. I mean, I used to belong to a gym that used a fingerprint reader for entry, and it correctly identified me (flashing my name) from the other 1,000+ members each time.
So as long as the hash space is reasonably large, it doesn't matter what these 5 magic imprints are, they still each convert to just 1 hash, no different from any other fingerprints.
Am I missing some critical aspect here to explain how "master prints" are even plausible -- how they could possibly act as "wildcards" for large swathes of hashes?
That's not how it works. The process of reading your retina / fingerprint is error prone. You can't take a hash of an error-prone data blob!
My understanding is that matching the pre-saved template against a fresh scan is a process similar to measuring Levenshtein distance. There is some threshold, and samples with smaller error are accepted. This does imply that the iPhone has somewhere stored your _unencrypted_, _unhashed_ template of your fingerprint.
But this is not my area of expertise. Perhaps a subject matter expert can comment.
I'm not an expert, but I remember getting an impression of a very principled approach to biometrics from John Daugman. This article is about iris recognition and I'm pretty sure it is worth posting in this context: https://www.cl.cam.ac.uk/~jgd1000/csvt.pdf
Indeed it is, inside the sensor (that's why it's so much trouble replacing one on an iPhone); gladly, the raw data never leaves it (same goes for Android as well, except really, really old versions, like 4-).
Find the section titled "Secure Enclave." When the SE needs to store data on the filesystem, it's encrypted with a key that never leaves the SE. Effectively, assuming the encryption is implemented correctly, data 'owned' by the SE is never available to any other part of the system.
I addressed this when this study was discussed last week, but it's worth reminding that minutiae comparing is not the only technique used for fingerprint matching. [1]
Thanks for the link! Yes, there are many ways; I always thought minutiae was the most common/simplest. There are some interesting advancements also occurring in optical tomography. [1]
> Full human fingerprints are difficult to falsify, but the finger scanners on phones are so small that they read only partial fingerprints. When a user sets up fingerprint security on an Apple iPhone or a phone that runs Google’s Android software, the phone typically takes eight to 10 images of a finger to make it easier to make a match. And many users record more than one finger — say, the thumb and forefinger of each hand.
> Since a finger swipe has to match only one stored image to unlock the phone, the system is vulnerable to false matches.
> “It’s as if you have 30 passwords and the attacker only has to match one,” said Nasir Memon
>> "Dr. Memon said their findings indicated that if you could somehow create a magic glove with a MasterPrint on each finger, you could get into 40 to 50 percent of iPhones within the five tries allowed before the phone demands the numeric password, known as a personal identification number."
>I don't understand how this is possible at all.
You're confusing Sensitivity (also called the true positive rate), Specificity (also called the true negative rate), and conditional probabilities.
>I used to belong to a gym that used a fingerprint reader for entry, and it correctly identified me (flashing my name) from the other 1,000+ members each time.
This is the fingerprint reader's sensitivity, P ( Access granted or positive identification | Correct key is supplied [your thumb] ). It is not Probability ( Access granted or positive identification | Incorrect key is supplied ).
I think the point is that it recognizes their fingerprint, and doesn't mistake it for any of the 999 other users. If it can tell the differences between a thousand fingerprints, why can't it be sensitive enough to reject at least 999/1000 false fingerprints?
Think of it this way: What's the probability that one of the 5 master prints matches their specific 1/1000 fingerprint, and not one of the other 999 customers? If you can distinguish between 1000 people, you should be able to distinguish a real from 999 fakes.
You're assuming an equivalent amount of entropy between the 1000 real fingerprints and constructed fake ones which are attempting to be as close as possible to the real one. That seems unreasonable to me.
You're still also only considering false negatives (user is erroneously rejected). You have no data points about false positives (user is erroneously allowed).
If the sensor always detects and admits Bob, even when it's Alice, you'd have the exact same success data for Bob.
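As an added example (not from the thread or the paper) that works through the conditional probabilities these replies argue about: a per-comparison false match rate (FMR) says nothing about how often a reader names the right gym member, and once a phone stores several impressions and allows several attempts, an impostor gets templates × attempts independent chances. The 0.01% FMR, 12 impressions, 5 attempts, "30 passwords" and 6.88% figures are the thread's; the independence assumption and the functions are mine.

```python
def p_false_accept(fmr, templates, attempts):
    """Probability that an impostor is accepted at least once when each attempt is
    compared against every enrolled template and any single match unlocks.
    Assumes independent comparisons with the same per-comparison FMR (an assumption,
    not something the paper states)."""
    comparisons = templates * attempts
    return 1.0 - (1.0 - fmr) ** comparisons


def effective_fmr_from_success(success_rate, templates, attempts):
    """Invert the same model: given the fraction of accounts broken within
    `attempts` tries against `templates` impressions, what per-comparison FMR
    would a random impostor need to explain that success rate?"""
    comparisons = templates * attempts
    return 1.0 - (1.0 - success_rate) ** (1.0 / comparisons)


def thread_scenarios():
    """Numbers quoted in this discussion, pushed through the model."""
    fmr = 0.0001  # matcher configured for 0.01% per comparison
    return {
        # one finger, 12 partial impressions, 5 tries before PIN fallback
        "random_impostor_12_templates": p_false_accept(fmr, 12, 5),
        # "30 passwords and the attacker only has to match one", 5 tries
        "random_impostor_30_templates": p_false_accept(fmr, 30, 5),
        # what per-comparison rate the reported 6.88% implies: optimized
        # MasterPrints do far better than the configured FMR for random prints
        "implied_fmr_for_6_88_percent": effective_fmr_from_success(0.0688, 12, 5),
    }


if __name__ == "__main__":
    for name, value in thread_scenarios().items():
        print(f"{name}: {value:.4%}")
```

The first two values (about 0.6% and 1.5%) are what random impostors would achieve; the third shows the 6.88% result corresponds to a per-comparison match rate roughly twelve times the 0.01% setting, which is the whole point of a "master" print.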
>You're still also only considering false negatives (user is erroneously rejected). You have no data points about false positives (user is erroneously allowed).
As far as I understood, the system is distinguishing between its members so we have some data about false positives because OP was always identified as themselves and never as another member.
From that data point, how can you be sure that every single finger pressed to the reader doesn't identify as OP? You are assuming OP's low false negative rate has implications about false positives.
Edit: this type of reasoning is probably what led to the recent authentication bypass flaw in Intel's AMT code. It just accepts anything passed to it as a valid password hash. That test is probably still passing in their CI system...
. . . because the gym still uses the system? If it didn't accurately distinguish between their customers, why would they still use it?
This is 100% not the same type of reasoning. We have reason to believe that the fingerprint accurately distinguishes between 1000 different options. False positive and false negative aren't meaningful terms here, because we're no longer dealing with yes/no results.
"If this authentication system didn't work nobody would use it" is literally the reasoning I mentioned above.
> we're no longer dealing with yes/no results
That's exactly what we're dealing with. Iterate through the list of fingerprints in the database, does provided == stored.
You might be interested in reading about CER (crossover error rate). It's the term used for discussing the trade-off between type 1 (false positive) and type 2 (false negative) errors, in biometric systems especially.
You really think the gym would use a system where a large portion of fingerprints match as OP? No, we're not dealing with yes/no. We're dealing with "which fingerprint matches the given data best", not "does the given data match a given fingerprint well enough". The scanner doesn't return "is this person OP", it returns "which person is this".
> it correctly identified me (flashing my name) from the other 1,000+ members each time
That tells you very little. Figuring out which print you're closest to is different from figuring out if you match any of the prints on file. How well it does one doesn't really tell you how well it does the other.
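A toy illustration of that distinction, added here and not part of the thread: 1:N identification returns the nearest enrolled template for any finger presented, whereas 1:1 verification (what a phone does) accepts only if the distance is under a threshold. The four-element feature vectors, the Euclidean distance and the thresholds are all constructed for the example; real matchers compare minutiae, not fixed-length vectors.

```python
import math

# Constructed toy "templates": each member's enrolled print reduced to a small
# feature vector. Values are invented for the example.
ENROLLED = {
    "op":    (0.10, 0.80, 0.30, 0.55),
    "alice": (0.90, 0.20, 0.70, 0.10),
    "bob":   (0.50, 0.50, 0.50, 0.50),
    "carol": (0.25, 0.95, 0.85, 0.40),
}


def distance(a, b):
    """Stand-in for a matcher's dissimilarity score (smaller = more alike)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def identify(probe, enrolled=ENROLLED):
    """1:N identification, the gym turnstile: answers 'who is this most like?'.
    It always names somebody, so 'it flashed my name every time' only says the
    genuine finger was closer to its own template than to the others."""
    return min(enrolled, key=lambda name: distance(probe, enrolled[name]))


def verify(probe, claimed, threshold, enrolled=ENROLLED):
    """1:1 verification, the phone unlock: answers 'is this within threshold of
    the stored template?'. The false-accept rate lives entirely in `threshold`."""
    return distance(probe, enrolled[claimed]) <= threshold


def demo():
    genuine = (0.12, 0.78, 0.33, 0.52)   # OP's finger, slightly noisy scan
    impostor = (0.30, 0.70, 0.20, 0.60)  # someone else whose print is nearest OP's
    return {
        "genuine_identified_as": identify(genuine),       # "op"
        "impostor_identified_as": identify(impostor),     # also "op": nearest wins
        "genuine_verified_tight": verify(genuine, "op", 0.10),    # True
        "impostor_verified_tight": verify(impostor, "op", 0.10),  # False
        "impostor_verified_loose": verify(impostor, "op", 0.35),  # True: FMR rises
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same system that identifies OP correctly every day also "identifies" the impostor as OP, because identification ranks rather than rejects; only the verification threshold decides whether a close-but-wrong finger gets in.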
Also 1,000 isn't very many. That only requires the same entropy as a 3-digit PIN.
If everybody was issued a unique PIN, sure, but if the PINs are picked at random you need a much larger pool of numbers to make 1000 unique values likely.
If 1000 people chose a three digit PIN completely at random, the odds of any one person's choice being unique are about 36% ((999/1000)^999) - i.e., about 360 people will get a unique number, the rest will share theirs with at least one other person. In fact, it's almost certain (about 99.9%) that one of the 1000 possible PINs will be picked by five people (see https://math.stackexchange.com/a/25878). That formula estimates that there's even a 75% chance that your group of 1000 people contains one group of six who all picked the same PIN.
If you go up to five digits, for a pool of 100,000 possible PINs, then the odds that one of a thousand random PINs is unique go up to 99%, so you likely only have 10 or so people who share a PIN. Six digits, you get to 99.9%, which means about half the time 2 people have a PIN collision.
So no, capturing enough uniqueness from a fingerprint (given that you don't get to allocate the fingerprints, they get chosen for you at random) to reliably pick out one person from 1000 requires at least as much entropy as a six digit PIN - probably more.
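The collision arithmetic in the previous comment, carried through in code as an added example (my functions, not the commenter's): probability that one person's random PIN is unique, the expected number of unique PINs, the exact probability that 1000 random PINs are all distinct, and the smallest PIN length for which that is at least an even chance. The 1000-member gym and the 3-, 5- and 6-digit spaces are the thread's numbers.

```python
import math


def p_own_pin_unique(n_people, pin_space):
    """Chance that a particular person's uniformly random PIN is not picked by any
    of the other n-1 people: (1 - 1/N)^(n-1)."""
    return (1.0 - 1.0 / pin_space) ** (n_people - 1)


def expected_unique_pins(n_people, pin_space):
    """Expected number of people holding a PIN nobody else has (linearity of
    expectation over the per-person probability above)."""
    return n_people * p_own_pin_unique(n_people, pin_space)


def p_no_collision(n_people, pin_space):
    """Exact birthday-problem probability that all n random PINs are distinct:
    product over i of (N - i) / N. Zero by pigeonhole when n > N."""
    if n_people > pin_space:
        return 0.0
    p = 1.0
    for i in range(n_people):
        p *= (pin_space - i) / pin_space
    return p


def digits_needed(n_people, min_p_no_collision=0.5):
    """Smallest decimal PIN length such that n random PINs are all distinct with
    probability at least `min_p_no_collision`. log2(10**digits) is the entropy
    a fingerprint template would need to carry to do the same job."""
    digits = 1
    while p_no_collision(n_people, 10 ** digits) < min_p_no_collision:
        digits += 1
    return digits


def entropy_bits(pin_space):
    return math.log2(pin_space)


if __name__ == "__main__":
    n = 1000
    for digits in (3, 5, 6):
        space = 10 ** digits
        print(f"{digits}-digit PIN ({entropy_bits(space):.1f} bits): "
              f"P(own PIN unique)={p_own_pin_unique(n, space):.3f}, "
              f"expected unique={expected_unique_pins(n, space):.0f}, "
              f"P(all {n} distinct)={p_no_collision(n, space):.4f}")
    print("digits for >=50% chance of no collision:", digits_needed(n))
```

For 1000 people the three-digit case gives about 368 unique PINs, and six digits is the first length at which all 1000 are distinct more often than not, matching the comment's conclusion that 1-in-1000 identification needs at least six-digit-PIN entropy.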
There are all sorts of reasons fingerprints are not a highly secure authentication mechanism. Just as there are all sorts of reasons passwords and other techniques are imperfect. Password entry can be observed. Chosen passwords are frequently insecure, particularly on smartphones where brevity is so important.
Fingerprints are an excellent mechanism for almost all threat vectors for your average consumer smartphone. Your friends, enemies, and criminals would have to go through enormous, expensive, and clearly unethical efforts to access your phone. Given the convenience and security of this, I'm entirely happy with the security of my thumbprint-encrypted iPhone.
It's important for people who are dissidents or engaging in criminal activity to be aware that their brain is more secure than their fingerprint, although that seems entirely obvious to anyone capable of maintaining a high security lifestyle.
>It's important for people who are dissidents or engaging in criminal activity to be aware that their brain is more secure than their fingerprint, although that seems entirely obvious to anyone capable of maintaining a high security lifestyle.
The problem with the brain is that it forgets. For example if you have an important piece of information that you encrypt with a long passphrase, you will likely have no problem decrypting it if you do so every day but if you don't use the passphrase for a few months, you probably won't remember it. However you probably will remember where you have the passphrase if you write it down and put it somewhere secret where nobody will be able to both find it and to know what it's for. IOW, don't hide the paper in your house.
Considering there is no 'active' part (e.g. no known secret), it cannot be used for authorization, only for identification. The 'kids unlock phone with sleeping parent and buy stuff' techniques are a clear proof of this. Fine for identification; do not use for authorization (e.g. using secrets like when you buy stuff).
I'm still fine with this threat vector. The idea is to prevent casual intrusion, not premeditated intrusion. If I put my phone on the dinner table, no one is going to send text messages.
Nearly all biometrics, except for physically invasive ones, are easily stolen.
All are forgeable.
Biometrics can never be revoked once compromised.
They're like the social security number of logins. Completely useless.
Using biometrics for security or identity violates practically every rule for secure credentials. They exchange convenience for extremely minimal security.
Perhaps the oft-cited username, not a password?
No, not even useful for that: for a mobile phone, a username isn't even needed in most cases because there's usually only one user on the device. It lends no additional security -- merely an extra step.
For a phone, a fingerprint is probably less secure than a swipe pattern.
It's security theater. Why do we keep equating biometrics with security?
For most people biometrics offer a better security posture than some of the alternatives.
The average user is at much greater risk of someone watching them enter a PIN/Password than having them capture and forge their biometrics.
I'm not a security expert by any means, but I have to ask- if it's acceptable and most people use a four digit pin to unlock a phone, is the idea of somebody going to the trouble of lifting and replicating fingerprints that worrisome?
"The researchers did not test their approach with real phones, and other security experts said the match rate would be significantly lower in real-life conditions. Still, the findings raise troubling questions about the effectiveness of fingerprint security on smartphones."
Modern fingerprint scanners use various methods to detect if it's a living finger or if it's a static image.
This "research" could not beat any phone using a modern fingerprint scanner with liveness detection.
Using fingerprints may not be a perfect solution but it beats 4-digit pincodes and passw0rds. Next level in a few years, we'll have retina scanners in our phones, cars and IoT, including Peppes Pizza ads in Oslo. Then 1984 will look like a bedtime story for kids.
A fingerprint is not suitable as a username (as it can be physically damaged unrecoverably) or as a password (because it cannot be freely changed if potentially compromised.)
Biometrics are in general a bad way to implement security. Finger prints and iris scans can easily be stolen many times by just browsing a person's Facebook profile photos. We have already started depending on these to allow access to bank accounts.
I live in India, and there are already companies with phones that have iris and fingerprint scanners to link with each individual's Aadhaar ID and grant access to all government and financial services including bank accounts, and even online shopping [1]. Unlike regular credit card transactions, these are supposed to be authenticated, so you cannot ask for a chargeback. Data for 130 million Indian people including their Aadhaar numbers and bank details was recently leaked accidentally. [2] There is a big disaster here just waiting to happen.
I use fingerprint screen unlock, because it's the most convenient screen unlock mechanism. The phone will not be unlocked by mistake and it is very fast when you really want it.
I especially like the placement of the sensor on the back cover. When the phone is in front of my face it is already unlocked if I want it.
Honestly, I've never cared about the fingerprint reader for security. I just see it as a better way to prevent my phone from turning on in my pocket and butt-dialing someone.
I never put a password on my phone before the fingerprint reader. The apps that I care about protecting have password functionality built-in.
That is really clever. The Ur-fingerprint, developed using simple machine learning. Well, that's the end of using "minutiae" for recognition. Recognition has to use something that requires the features have the proper positional relationship to each other, such as a whole fingerprint.
You are missing the point. It's not for you to re-enter the PIN every once in a while; it's to prevent a potential attacker with physical access to your phone from unlocking it, exactly when the phone itself is not physically with you (and so you have nothing to mess with).
Anyways it would only mitigate the risk without fixing the root problem.
The phone is covered with fingerprints from the owner anyway.
If you have the phone, you already have the "password". The fingerprint scan is just to make it a little bit annoying for an attacker, so they'll factory reset instead of bothering to crack it.
It's not intended for any kind of real security.
Like many others here I never used to lock my phone at all until the fingerprint scan, and I don't consider the scan as a form of security, but rather as a quick way to turn on the phone.
> The phone is covered with fingerprints from the owner anyway. If you have the phone, you already have the "password".
This is a ridiculous assertion. On the front, I have an oleophobic screen and constantly wipe the phone (i.e., put in pocket). On the back I have a leather case that would be impossible to get prints from.
Do you know of any demonstration that isn't "lab conditions" where TouchID is broken?
Exactly this. I've made the same comment other places on here. Fingerprint for username, 8 character alphanumeric for password and mandatory hardware 2FA fobs/keys.
As the article notes, you really need more than one imprint in order to get into a phone - the authors suggest that five distinct imprints could get into about 40-50% of phones, which fits within the 5 try limit imposed by many systems.
> The researchers did not test their approach with real phones, and other security experts said the match rate would be significantly lower in real-life conditions. Still, the findings raise troubling questions about the effectiveness of fingerprint security on smartphones.
It's pretty good at European languages, but still terrible at Arabic and Japanese. The system still has a very shallow understanding of the content. One of my primarily Arabic-speaking colleagues was actually offended by Google Translate butchering their language so badly; their culture places a relatively high value on poetry, calligraphy, etc.
As an exercise, try translating your search queries into Arabic before searching. Then, let Google translate the results for you. It is hilarious.
I wonder how much Arabic translation suffers from a lack of available data to feed the ML. [1]
> Nor are foreign books much translated: in the 1,000 years since the reign of the Caliph Mamoun, say the authors, the Arabs have translated as many books as Spain translates in one year.
I am somewhat surprised that our ML is not yet strong enough to make good use of a relatively small, but precisely translated work, such as the Qur'an. The success of human anthropologists in deciphering the Rosetta stone to learn the ancient Egyptian languages must have had as much to do with understanding the context, the culture and tools of the time, as actually cracking a code.
> The fact that the fingerprint sensors on smartphones are not quite as secure as the manufacturers want us to believe, has already emerged with the first iPhone with this feature.
Ok, a bit awkward
> The technique has improved since then, the methods to crack it but also turn.
Uh, what?
> And not with the means of the analog, but the digital world - via machine learning and an artificial intelligence.
I agree that if you're scanning, you might not realize that you're reading a translation, but it's very obvious to me if I slow down and actually read it.
Rumgeilt was later in the English translation of the article.
I know a little German, a little French and took Classical Greek in college, as well as Intro to Linguistics (where, iirc, we covered a bit of Swahili grammar for some damn reason). I am pretty comfortable with both weird idioms not translating directly and with finding close, if uncommon, matches between some other language and words or phrases in English. So, the "in turn" part doesn't disturb me. I mean, you could translate it as something like "They are taking it in turns" or "but the methods to crack it also got their turn to improve."
Basically, there's just a larger body of translated work to develop from for western European languages because the EU has to translate all official documents between the major languages.
> One explanation could have to do with the text the algorithm uses to generate its translations. Google Translate works by drawing from vast banks of text, searching for patterns in language use to match future translation requests. Some of those texts include documents from the United Nations and the European Union that have to be translated into multiple languages.
I didn't look closely at the link or url and didn't realize that I was reading Google Translate until I saw your comment. That's scary good translation.
True but isn't the job a lot easier because it's going from German to English, which are closely related? I don't want to take away from Google's achievement but wanted to point that out to set expectations.