Reading the paper, it looks like they just demonstrate classification by left loop/right loop/whorl. That's a long way from recreating a full fingerprint.
I feel like someday we’ll be able to parse the electromagnetic waves that emit from our brain as a result of our basic internal thoughts. That is, it should be theoretically possible to read minds at a distance.
They are pretty similar. When you look at things like privacy and security in light of human actions and behaviors, then look at our ability to record the entropy from those actions, a whole lot of what we thought was private can be divined by those that can collect enough of this waste.
> Extensive experimental results in real-world scenarios demonstrate that Printlistener can attack up to 26.5% of partial fingerprints and 9.3% of complete fingerprints within five attempts at the highest security FAR setting of 0.01%
This reminded me of power line frequency[1] being used to identify when and where recordings were taken. Governments keep historical records of subtle changes in power frequency and can extract the background hum to identify location and time.
I wonder if they can do that with GPS. Like record a short blip of "unlocked" GPS spectrum, then recreate the location offline later using saved ephemerals and other data.
> The source of the finger-swiping sounds can be popular apps like Discord, Skype, WeChat, FaceTime, etc. Any chatty app where users carelessly perform swiping actions on the screen while the device mic is live.
Is there really enough information left for this method after the sound has been lossily compressed by any of those apps?
That attack is more about timing than about sound. There is some information available from the sound of a keystroke; with a very good microphone under ideal conditions each key could be identified uniquely, but that's not the main vector. Some sequences are easier to type than others by their very nature, and individual typists have idiosyncratic variance in how easily/fast/accurate they are at a given sequence. That's the main trick used to derive what's typed from a recording of it happening, and compression doesn't reduce that information, so long as the keypresses are audible.
Actually successfully pulling prints (and getting more than smudgy partials) and then translating those lifted prints into something useable is somewhat time consuming and is not a trivial skill.
Like most security measures, biometrics are typically ‘good enough.’
"Why bother when you can pick them up from any doorhandle, coffee cup, pen, table surface, or just a photograph at super high-res."
Most of those require being located in the same area and generally even at a similar time (for high use areas). This would be more like the photo attack where you can be located far away.
> Why bother when you can pick them up from any doorhandle [...]
Can you imagine how much it costs to pick fingerprints from millions of users by your method?
Sound can be recorded over the internet. This enables web sites to identify users in a very cheap way by simply adding a slider and sound recording on a web page overlay: "Slide to unlock contents".
Absolutely. The potential for mass (and covert) gathering of sensitive data via smartphones is astonishing. If an attacker has control of your phone they can now trivially get your voice, face and iris scan to clone. And now your fingerprints.
Smartphone security is not going to get better any time in the next decade.
All of which lends weight to my argument that biometrics as access control is the single most ignorant idea in the history of computing. I am genuinely hard pressed to think of anything dumber.
Aha, blind fingerprinting (literally) via audio? Yep that's a vector that wasn't on my mind. If you have a database you could ID a remote user from swipes. That's a LE win. Fair do. I also discovered (about 2016 while working on audio phone apps) that we could already ID users from their tap patterns, finger length, style etc - but there's no common database of that, so less useful.
The nice thing about fingerprints is that if you refuse to give it to an adversary, they'll just cut the finger off. If your fingerprint doesn't work, you're clear.
If you refuse to give them your password, there's virtually no limit to the possible extent of the torture. You can't prove that further torture is pointless.
And on the mobile site (like https://m.xkcd.com/538/) the text "alt-text" itself is a clickable link that toggles display of the alt-text on and off. (Not reachable by tab key, though, for some reason.)
This would be amazing if true, but after being burned on a bunch of "too crazy to be true" tech stories recently (toothbrush bot armies anyone?) I'm very skeptical. The idea that there is enough resolution in the sound of a finger swipe to determine the fingerprint ridges on that finger is really suspect to me.
The toothbrush bot army story got started by a Swiss newspaper writing about a scenario they heard from a cybersecurity company and claiming that even though it sounds like a Hollywood movie, "this really happened". When the company in question was reached for comment, they said it was hypothetical.
In the end, the story's spread can be explained by a journalist's simple misunderstanding that made the story much more virulent.
In this case, the journalist probably also doesn't understand the technical details, but we have a link to the researchers' own write-up right there in the article, which makes it much easier to rule out simple misunderstandings. So the situation is completely different.
That said, they're not reconstructing the fingerprint ridges from the sound the way you're probably imagining. Instead, they build on an existing attack exploiting fingerprint readers' error tolerance with a set of "masterprints" that are unusually likely to be accepted as a match, and the sound is used to determine which masterprint to use first.
> In the end, the story's spread can be explained by a journalist's simple misunderstanding that made the story much more virulent.
Bollocks, you're letting the "journalist" off way too easily. That toothbrush story was simply "a story too good to vet", meaning, sure, the author had a convenient excuse blaming it on a "misunderstanding", and while I don't believe the author was necessarily lying, I do believe they had no incentive to dig any more deeply because the toothbrush bot army story was already clickbait enough.
AFAICS, it wasn't the journalist's fault. It was the Swiss PR spokesman. While the company concerned made a mild followup statement implying the journalist misunderstood because of a translation error, both parties spoke Swiss German as a native language.
I also have to admit my skepticism. Skimming through the paper, I don't think they emulated "real-world conditions" as claimed in the conclusion. They had participants swipe the screen 25 times in a row. Real-world conditions would be giving them 12 hours of recording throughout the day, or something like that, because knowing when and where to look is probably a major challenge on its own.
I'll also add that even if true, it's probably not a huge practical issue. Fingerprints are mostly used to secure personal devices: phones, sometimes computers. If I were to have your full fingerprints then that would be mostly useless because I don't have access to your physical device. Even things like "purchase on App Store with fingerprints" usually work by having the fingerprint only secure a key on the device itself (rather than sending the fingerprint data over the network).
And if you have access to your physical devices, then I almost certainly also have access to your fingerprints via the good ol' "dust for prints" technique.
There was a "fingerprints for everything!" push a decade or so ago, and that was harshly criticized because you leave fingerprints everywhere, and you can even lift them from photographs.
Certainly the "enormous economic and personnel losses, and even a potential compromise of national security" claim at the start of the paper seems rather exaggerated, even hysterical.
I don't think that real-world conditions would be giving them 12 hours of recording throughout the day - a malicious app that explicitly asks people to swipe left/right on pictures of kittens is a very realistic attack scenario and would know exactly when and where to look for the swipes.
The 'toothbrush bot armies' are entirely believable though. The story was not real, but is completely within the realm of reality.
E.g. Perhaps the toothbrush has a connectivity check to OralB servers that triggers once per hour, but you can change it to check a victim webpage once a millisecond.
All there would need to be is an exploit that allows someone to (1) identify and talk to the toothbrushes, (2) coerce the toothbrush to ping an arbitrary IP, and (3) cause step 2 to happen many times for just one trigger.
> Yes it has an API, but that doesn't mean it's on the internet.
See the second link, the "Web API" section. This is the part that tells me that it's on the internet.
> WEB API
> The Oral-B cloud service offers fast and reliable real-time access to Oral-B brushing activity. Fetch brushing data ranging from session frequency and duration to activity stats, achievements and more. Integrate brushing activity data* with health or lifestyle applications.
I don't know about all the older models, but I know the latest Oral-B smartbrush connects directly to the internet using Wi-Fi.
I know someone who owns an "Oral-B iO series 10" and they said they connected it directly via Wi-Fi. It's possible they got it wrong, but multiple product reviews on the internet explicitly mention difficulties getting their Wi-Fi password onto the device.
> The story was not real, but is completely within the realm of reality.
Of course. A good lie is defined by it being relatively believable. Re: the viability of the exploit, my understanding is that most smart toothbrushes do not connect to the Internet, and even if they did, the huge numbers originally presented in the story (3 million toothbrushes) are astronomically high.
Actually, there are two things that stick out to me in the paper.
1. The low FAR (False Accept Rate) is unbelievably high at 0.01%
2. The "partial prints" are described as single or "mixed" minutia
The FAR is 1-2 orders of magnitude off of even cheap mobile device authentication.
The described size of the partial prints implies that the relative location of partials is not extractable.
Since most fingerprint matchers rely on multiple (3-4) minutiae at a minimum and their relative location along with ridge orientation and pitch correlations it seems like this doesn't provide necessary information. More importantly, even with more information it can't construct that relative information, because it can't resolve symmetries (certainly not without knowing the direction of motion for the swipes and the orientation of the finger) correlated with those sounds. That requires other out of band information.
It's interesting work, but there's probably a reason that you don't see fingerprint matchers with decent FAR/FRR using only the microphone on a mobile device and some software. There are a $B reasons to develop that every year, and yet there hasn't been one developed for 15-20 years.
Why wouldn't it know the direction of motion for the swipes and the orientation of the finger? Any mobile app has access to the touchscreen input which provides exactly that information.
Unless you're playing fruit ninja there's really quite little control over the speed and direction of swipes... many people swipe very little at all or with a different finger than they enroll in biometrics or type on the screen. Some even swipe with multiple fingers.
Then there's the fact that there are more than 20 minutia per finger so when referring to orientation, this means the angles and what portion of the finger is in contact with the touch surface... and thus which of those minutia (swirl, end, fork, etc) are in generating any sound.
What I hear in your comment is that if you want to steal people's fingerprints, you'd have to target-advertise them a clone of fruit ninja, possibly designed so that certain specific angles of fingers are clearly optimal for doing well at the game.
If you want to steal a single print, you would need a moderately long game and pliable player along with wide angle synchronized video that imaged hand/finger orientation. If the video isn't good, or they use different fingers intermittently, or only one orientation, or they have a callus on their finger, or they have very fine/coarse ridges, too many forks/ends, an irregular accidental whorl or arch, or there's noise, etc... you won't get a single print with high enough resolution to match. That still may not be a print they use for authentication.
Most people use their forefinger or a thumb to swipe, and their thumbs to match/type, and multiple fingers or both thumbs to scroll/zoom.
More interesting is that if one had full knowledge of a person's prints then perhaps with microphone, touch tracing, and wide angle video, one could compare expected vs measured sounds. This is a one-one confirmation rather than one-many match. Perhaps it could prevent long term usage after a person had unlocked their device and another was using it.
As far as I can tell, they don't actually draw a fingerprint from the point cloud they form, yet generally I agree.
Some seem to be saying it's not that bad from a personal credit card or phone unlocking thief perspective. However, my main concern is with large nation state groups that have access to pre-existing fingerprint database files.
There's something here that feels like the NSA, FBI, FSO/Spetssvyaz, 3/4PLA, Unit 8200, GCHQ, BfV, DGSE, CSE, TERM, and ISI would probably all have their "figurative" ears perk up.
The toothbrush botnet story was also spread by Tom's Hardware in the English-speaking world. It seems like what they publish should be taken with a spoonful of salt.
I would assume you're correct if they were the same level of audio, but my joke was about overpowering the swiping sound entirely, to the point where a microphone wouldn't be able to pick it up anymore.
If this is true does this mean we don't need fingerprint scanning hardware any more, but we can just use a microphone and software to unlock a device when the user runs their finger over any convenient surface?
> “up to 27.9% of partial fingerprints and 9.3% of complete fingerprints within five attempts at the highest security FAR [False Acceptance Rate] setting of 0.01%.”
I wonder how "partial" is defined.
But anyway, the fact that you can even hear any sounds of swiping feels odd to me. Is this just something Apple could filter out of the audio data it provides to applications? I know nothing about audio processing.
This sounds completely impossible. First off, swiping a finger on a greasy glass screen doesn't make any sound, at least nothing that a phone microphone could pick up. Secondly, how on earth could you possibly reconstruct a fingerprint from a sound of it moving on a surface?!
>> Following tests, the researchers assert that they can successfully attack “up to 27.9% of partial fingerprints and 9.3% of complete fingerprints within five attempts at the highest security FAR [False Acceptance Rate] setting of 0.01%.”
I wonder if I'm in the lucky majority, and my fingerprints sound secure