Researchers are able to create fake fingerprints that result in a 20% false-positive rate.
The problem is that these sensors obtain only partial images of users’ fingerprints—at the points where they make contact with the scanner. The paper noted that since partial prints are not as distinctive as complete prints, the chances of one partial print getting matched with another is high.
The artificially generated prints, dubbed DeepMasterPrints by the researchers, capitalize on the aforementioned vulnerability to accurately imitate one in five fingerprints in a database. The database was originally supposed to have only an error rate of one in a thousand.
Another vulnerability exploited by the researchers was the high prevalence of some natural fingerprint features such as loops and whorls, compared to others. With this understanding, the team generated some prints that contain several of these common features. They found that these artificial prints were more likely to match with other prints than would be normally possible.
If this result is robust—and I assume it will be improved upon over the coming years—it will make the current generation of fingerprint readers obsolete as secure biometrics. It also opens a new chapter in the arms race between biometric authentication systems and fake biometrics that can fool them.
More interestingly, I wonder if similar techniques can be brought to bear against other biometrics are well.
Posted on November 23, 2018 at 6:11 AM •
This is a fun steganographic application: hiding a message in a fingerprint image.
Can’t see any real use for it, but that’s okay.
Posted on November 12, 2018 at 6:17 AM •
Police in the UK were able to read a fingerprint from a photo of a hand:
Staff from the unit’s specialist imaging team were able to enhance a picture of a hand holding a number of tablets, which was taken from a mobile phone, before fingerprint experts were able to positively identify that the hand was that of Elliott Morris.
Speaking about the pioneering techniques used in the case, Dave Thomas, forensic operations manager at the Scientific Support Unit, added: “Specialist staff within the JSIU fully utilised their expert image-enhancing skills which enabled them to provide something that the unit’s fingerprint identification experts could work. Despite being provided with only a very small section of the fingerprint which was visible in the photograph, the team were able to successfully identify the individual.”
Posted on April 19, 2018 at 6:51 AM •
It’s routine for US police to unlock iPhones with the fingerprints of dead people. It seems only to work with recently dead people.
Posted on March 30, 2018 at 6:11 AM •
Embedded in this story about infidelity and a mid-flight altercation, there’s an interesting security tidbit:
The woman had unlocked her husband’s phone using his thumb impression when he was sleeping…
Posted on November 9, 2017 at 2:45 PM •
This is a pilot project in Australia:
Individuals who have shared intimate, nude or sexual images with partners and are worried that the partner (or ex-partner) might distribute them without their consent can use Messenger to send the images to be “hashed.” This means that the company converts the image into a unique digital fingerprint that can be used to identify and block any attempts to re-upload that same image.
I’m not sure I like this. It doesn’t prevent revenge porn in general; it only prevents the same photos being uploaded to Facebook in particular. And it requires the person to send Facebook copies of all their intimate photos.
Facebook will store these images for a short period of time before deleting them to ensure it is enforcing the policy correctly, the company said.
At least there’s that.
EDITED TO ADD: It’s getting worse:
According to a Facebook spokesperson, Facebook workers will have to review full, uncensored versions of nude images first, volunteered by the user, to determine if malicious posts by other users qualify as revenge porn.
Posted on November 9, 2017 at 6:23 AM •
There’s interesting research on using a set of “master” digital fingerprints to fool biometric readers. The work is theoretical at the moment, but they might be able to open about two-thirds of iPhones with these master prints.
Definitely something to keep watching.
Research paper (behind a paywall).
EDITED TO ADD (6/13): The research paper is online.
Posted on May 24, 2017 at 6:44 AM •
Mike Specter has an interesting idea on how to make biometric access-control systems more secure: add a duress code. For example, you might configure your iPhone so that either thumb or forefinger unlocks the device, but your left middle finger disables the fingerprint mechanism (useful in the US where being compelled to divulge your password is a 5th Amendment violation but being forced to place your finger on the fingerprint reader is not) and the right middle finger permanently wipes the phone (useful in other countries where coercion techniques are much more severe).
Posted on January 26, 2017 at 2:03 PM •
There’s a Kickstarter for a sticker that you can stick on a glove and then register with a biometric access system like an iPhone. It’s an interesting security trade-off: swapping something you are (the biometric) with something you have (the glove).
Posted on November 14, 2016 at 9:26 AM •
Sidebar photo of Bruce Schneier by Joe MacInnis.