Hacking Fingerprint Readers with Master Prints

There's interesting research on using a set of "master" digital fingerprints to fool biometric readers. The work is theoretical at the moment, but they might be able to open about two-thirds of iPhones with these master prints.

Definitely something to keep watching.

Research paper (behind a paywall).

EDITED TO ADD (6/13): The research paper is online.

Posted on May 24, 2017 at 6:44 AM • 15 Comments


Michael PMay 24, 2017 7:15 AM

Isn't this more a case of "we might be able to fool two thirds of phones if our recognition algorithm matches the phone's, we can defeat any mechanism the phone uses to distinguish real fingers from fake ones, and there are enough fingerprints registered on each phone"? As I understand it, the authors don't claim to use the iPhone's real sensors or algorithms.

MitakeetMay 24, 2017 8:50 AM

Mythbusters did a nice show on the weaknesses of physical security and used gummy bears to fake a fingerprint taken from a co-host. Worked like a charm. Indeed, one of the devices was opened with a Xerox of a fingerprint!

Jim KMay 24, 2017 6:11 PM


Thanks for he Mythbuster's links.

I think that was what I wanted to do when I grew up.

benderMay 24, 2017 6:29 PM

You don't need a master print - a 3 year old will do.

I witnessed a friend's 3 yr old son unlock 2 iPhones (belonging to different owners) by mashing the fingerprint reader with his tiny hands for about 30 seconds each.

Patriot COMSECMay 24, 2017 8:08 PM

It is like Spy vs Spy in Mad magazine. One spy is in a white hat, the other is in a black hat, but they are otherwise identical. They fight it out and play tricks on each other while we watch.

High tech often turns out to be something we cannot trust. The technology we can trust is often simple: a one-time pad, a mercury barometer, etc.

It is an uncomfortable fact: information high tech is leading us into a world of mistrust and constant tricks--with no end in sight. This fact does not bolster the civil liberties of a democracy, especially a small one. It favors the controlling interests of large, centralized, and hierarchical states and corporations.

HermanMay 25, 2017 3:48 AM

I've had my iPhone unlock and send a text msg while in my pants pocket. So it is rather unsurprising that there are more rigorous atracks possible also.

Clive RobinsonMay 25, 2017 4:39 AM

The paper is an interesting paper but a little maths heavy in the middle. That said if you just read the first page and a bit and the conclusion you will get a sufficient overview to decide if you want to dive into the maths ;-)

If you do dive in, and can think a little hinky you can see how some of it relates to "the human problems" with the XKCD "Horse battery..." password system. As well as to most other "sampling systems" which all current biometric sensors are.

Thus whilst the work is original, it's not unexpected / surprising. Which often is an indicator of an "on target torpedo" about to blow a security technology out of the water, or at least hole it below the water line so it sinks beyond hope of recovery.

AlexMay 25, 2017 4:44 AM

This reminds me of the paper from the other week about defeating basically all image-recognition algorithms by putting a slight texture over your image.

ab praeceptisMay 25, 2017 4:54 AM

Ooooooooooooooooooh, how disappointing. And it looked always so cool in old science fiction movies.

Next month: retina readers fooled.

In 10 years (or am I too optimistic here?): How the snakeoi ... err, security industry fooled us with ever new "bullet proof high tech security" theater and poor technology.

How about "use pass phrases as complex and with as many chars as you feel your security is worth to you!" (and if it's worth a lot to you then also have a look at Thoths product(s)).

Clive RobinsonMay 25, 2017 6:49 AM

@ Alex,

... about defeating basically all image-recognition algorithms by putting a slight texture over your image

You might want to have a look back to "Digital Watermarking" that was the "golden hope" of the DRM vultures back at the turn of the century. It was much lauded untill Ross J. Anderson over at the UK's Cambridge Computer Lab's showed that a slight amount of two dimensional non linear stretching/compression and a little twisting, nearly all of which is imoerceptable to the human eye killed most watermarking systems.

It was kind of the death knell of Digital Watermarking which rapidly deflated and has all but disappeared since.

albertMay 25, 2017 12:30 PM

@Patriot COMSEC,

"...a one-time pad, a mercury barometer..."

Don't forget the pendulum clock, used by astronomers for timing celestial events, calibrated by star sightings and -very- accurate.

. .. . .. --- ....

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.