Hacking a Fingerprint Biometric

Embedded in this story about infidelity and a mid-flight altercation, there's an interesting security tidbit:

The woman had unlocked her husband's phone using his thumb impression when he was sleeping...

Posted on November 9, 2017 at 2:45 PM • 28 Comments

Comments

Rhys November 9, 2017 3:25 PM

Security?

Hard to keep your thumb off the sensor when you're asleep & your "seat mate" has access to both.

At least if the philanderer had had a conscience, he might not have slept so soundly.

Luckily for him and the flight crew "she" wasn't Lorena Bobbitt (née Gallo).

A1987dM November 9, 2017 4:15 PM

Huh, I had heard of parents unlocking their children's phones this way long before.

Peter Hellmonds November 9, 2017 4:37 PM

Note to iPhone users: starting with iOS 11, you can disable thumb unlock by hitting the power button five times in succession, then hit cancel. After that, iOS 11-powered iPhones require passcode to unlock.

That One Guy November 9, 2017 8:48 PM

*Insert "if you have done nothing wrong" argument here*
Obviously many reasons why that attitude and statement above is wrong.

Wael November 9, 2017 8:56 PM

“In respect of passenger privacy we do not comment on individual cases,” a Qatar Airways spokesperson said.

Right! We only comment on collective cases. But for the right price, we'll give you a translated and subtitled video. -- Son of banana (Sheikh Tamim bin Hamad Al Thani, son of moza)

Moza [singular] = Banana (his mother's name)
And Banana came from Arabic, too. Banan = finger

His well-deserved derogatory name is: Tamim Bin Moza :)

Ergo Sum November 9, 2017 9:04 PM

That's nothing new and it is the Achilles heel of bio-metric authentication. Any person, who is asleep or incapacitated by any other means, is subject to unauthorized bio-metric access.

Back in mid-2000, Mercedes had the idea to protect the owner of their cars with fingerprint start of the engine. It sounds nice and easy to do. Until the car thief chops off the owner's finger with the machete and takes off with the car:

h**ps://scottthong.wordpress.com/2007/03/20/malaysia-car-thieves-steal-finger-2005/

Mercedes had learned a lesson and they stopped offering bio-metric start of the engine.

Granted, fingerprint readers are much more advanced by now and they can sense pulse, among other things. The chances are that chopping off the finger would not work for a thief nowadays, but who wants to take a chance?

justina colmena November 9, 2017 10:25 PM

Chopping off the finger is unnecessary, brutal, and of no use whatsoever for a biometric thief. Either the victim has been murdered and is already dead, or somehow the finger and the rest of the body have yet to be disposed of without raising alarm.

No. Absolutely not. Take an artificial impression of the fingertip while the victim is sleeping, and after you have made the cast in relief of some soft pliable material, you can rub it with your own sweat. Much more feminine, and much more effective, because the victim does not know his identity has been stolen.

It's like stealing my bank card. It just won't help you any longer than it takes me to telephone the bank to cancel the card, unless you can kill me and conceal my death. That is, unless you can somehow replicate or re-create my bank card without my knowledge and lie in wait for an upcoming bank deposit or other transaction in which to commingle and hide the theft.

Drone November 9, 2017 10:59 PM

Scheming helicopter wife, no wonder the husband is shopping around for a replacement ;-/

Wael November 9, 2017 11:08 PM

@justina colmena,

Chopping off the finger is unnecessary, brutal, and of no use whatsoever for a biometric thief.

How would one practically test this hypothesis? Uh! That's how yubitsume started, after they caught the Yakuza QA engineer -- who didn't want to lose a finger -- fudge data!

Ratio November 9, 2017 11:35 PM

@Wael,

Moza [singular] = Banana (his mother's name)

I think that only works in transliteration: ا ≠ ة. Clever, though. ;-)

Speaking of bananas, موز has a(n etymological) Persian connection.

Curiously, موزه in Persian means “boot”, as does… پوتين. :-O

Need I say more…?

Wael November 10, 2017 1:09 AM

@Ratio,

I think that only works in transliteration

No! His mother's name is moza which means banana. In Arabic it means Banana. No transliteration. Someone saw it fit to call his or her daughter a Banana, and that happens to be his mother: Sheikha Mozah, two of the main pillars of terrorism in the region. The banana and her son.

Need I say more…?

Are you saying the Russian president is a boot (as in shoe?) How could you! Show some respect ;)

Ben Oliver November 10, 2017 1:24 AM

This is a pretty decent ad for the new iPhone, which allegedly won't work with your eyes closed (and has no fingerprint sensor).

It's also a good ad for just using a passphrase...

Ratio November 10, 2017 2:03 AM

@Wael,

His mother's name is moza which means banana.

You're still transliterating. His mother is called موزا, not موزة. But don't worry, I handed you their nefarious Iranian and Russian connections. Holler if you need others. ;-)

Are you saying the Russian president is a boot (as in shoe?)

As in “shoe”, yes. But, no, I'd never say that پوتين = پوتين. That clearly makes no sense! 8-)

And you know who was called merely “little boot”? Caligula. Says it all, really.

Wael November 10, 2017 2:21 AM

@Ratio,

No! I insist that her name is banana. Do a google search on this: "ام تميم موزا" (mother of Tamim moza) and tell me how many hits spell her name as you say. Maybe Wikipedia. Either way, they're pronounced the same - a freakin' Banana. Don't raise my blood pressure: you stick with Persian and Phoenician and leave the rest for me. Sounds like a fair division :)

Holler if you need others. ;-)

Why not! I like word origins, send 'em my way!

Ratio November 10, 2017 9:04 AM

@Wael,

Do a google search on this: "ام تميم موزا" (mother of Tamim moza) and tell me how many hits spell her name as you say.

I'd expect Al Jazeera to get this one right (being Qatar's mouthpiece and all), and they have her as الشيخة موزا بنت ناصر المسند. As do the BBC, Deutsche Welle, France 24, and others. But you're right, there are also sites (like Al Arabiya and CNN, IIRC) that write موزة instead of موزا. “Banana” it is. :-)

Don't raise my blood pressure: you stick with Persian and Phoenician and leave the rest for me.

That's really gonna cramp my style. :-(

I like word origins, send 'em my way!

Well, here's one that involves muffled noises, Arabic, and more:

What if, and I'm not saying this is what happened, but what if someone was looking for a handle that would defeat any and all forms of profiling. Maybe this person, who is known as Mr. [REDACTED] in real life, was —as so often— at his favorite restaurant, ready to order more falafel, when it occurred to him that he could “encipher” his real name using the language that gave the world صفر. “Sheer brilliance!”, he humbly admitted to himself. Not knowing any Arabic, he consulted the waiter, who told him that [REDACTED] is أنف. “Scusi, I mean how to write, per favore.” The waiter took his pen, and jotted down أنف on a scrap of paper. This wasn't helping much: “Mamma mia, I can't read that. Can you use l'alfabeto latino?” The waiter sighed, rolled his eyes while scribbling “[REDACTED]”, and wondered how long he'd have to put up with this guy this time. He returned the piece of paper. “Grazie mille! I will use this right away. Il conto, per favore.” Relieved, the waiter turned around as Mr. [REDACTED] knocked over his glass, spilling its contents. The ink of the initial ' had run to form an i

(You know the rest.)

someone else November 10, 2017 10:57 AM

Okay, I admit I haven't been fluent in a couple of decades, but according to my portable dictionary, "banana" is "موز" without a tamarbutta or alif or anything else following, singular or plural. However, even if it were, it doesn't really strike me as having any significance whatsoever.

Contrary to the West where we talk about the purported meanings of names, for Arabs the vast majority of names are either Biblical or are actual words with meaning and normal usage. Some are less common usage, but that doesn't stop common words from being used as names.

And in the West we have humorous names. I never met him personally, but I knew a Joe Blow. Then there was major Coker. Or the ever popular sergeant Major. All without resorting to shifts in spelling, pronunciation, transliteration, or anything else.

While I appreciate language jokes and word play, the only times I find tricks to be appropriate is when the trick is the joke. E.g., "godspitonya" (which I am informed is very offensive so those who don't appreciate bad, tasteless language word play are encouraged to ignore it).

As for "أنف", the way I heard it was the word "influenza" is derived from Arabic أنف العنزة.

For a more graphical joke write "سللنم" and ask the (Arab) linguist to read it.

Wael November 10, 2017 6:43 PM

@someone else,

but according to my portable dictionary, "banana" is "موز" without a tamarbutta or alif or anything else following, singular or plural.

a banana = موزة
bananas = موز

Contrary to the West where we talk about the purported meanings of names

Names in the west, as probably everywhere else have a meaning

And in the West we have humorous names. I never met him personally, but I knew a Joe Blow.

I know much worse names

For a more graphical joke write "سللنم" and ask the (Arab) linguist to read it.

As far as I know, this isn't an Arabic word. What is it supposed to mean, out of curiosity?

Wael November 10, 2017 7:17 PM

@Ratio,

That's really gonna cramp my style. :-(

Alright, alright. Restriction lifted.

handle that would defeat any and all forms of profiling

Won't defeat my profiling techniques.

he consulted the waiter, who told him that...

Such a helpful waiter! Unlike the grouchy ones I frequently encounter. So much spelling mistakes there!

(You know the rest.)

Nice story! Italian, noses... Yes! I know the rest and the base. The Septum, that is ;)

Clive Robinson November 13, 2017 7:19 PM

@ Anders,

... the unfaitful man should sleep with motorcycle helmet ...

You don't need to be "unfaitful" to have a wife who "thinks you are" ;-)

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.