Three Indian-American researchers have shown that the fingerprint-based security systems used in smartphones and other gadgets are way more vulnerable to hacking than we imagined.
Monali Sarkar reports.
There is nothing quite as convenient these days as a one-stop fingerprint access -- goodbye multiple passwords -- to our smartphones and the many apps it holds.
After all, what can be more secure than our unique fingerprints, right?
Well, three Indian-American researchers just burst that bubble.
In a study titled MasterPrint: Exploring the Vulnerability of Partial Fingerprint-based Authentication Systems, which appeared in IEEE Transactions on Information Forensics & Security last month, they showed how the fingerprint-based security systems used in smartphones and other gadgets are a lot more vulnerable than we imagined.
The study began when research team leader Nasir Memon -- BITS Pilani alumnus, and professor of computer science and engineering at New York University Tandon School of Engineering -- dug into Apple's identity-authentication software patent, which uses partial fingerprints instead of a full fingerprint.
According to NYU Tandon, that is where the vulnerability lies: 'They scan and store partial fingerprints, and many phones allow users to enroll several different fingers in their authentication system. Identity is confirmed when a user's fingerprint matches any one of the saved partial prints.'
The researchers found that it was possible to have enough similarities among different people's partial prints that one could create a 'MasterPrint' -- one that could unlock multiple phones.
Aditi Roy, a NYU Tandon postdoctoral fellow and lead author of the paper, told Rediff.com, "As more and more financial transactions -- for example, mobile banking and credit card payment -- are conducted on fingerprint-enabled devices such as smartphones, issues related to identity theft and malicious access can lead to unprecedented financial damages.
"Vulnerabilities of fingerprint-based authentication systems can undermine the public's faith in using biometric solutions. So, we wanted to perform a detailed security analysis of such systems that employ small sensors."
Roy -- who holds an MS degree and a PhD from the Indian Institute of Technology-Kharagpur and whose research interests include machine learning, image and video processing, biometrics, human-computer interaction, computer vision, pattern recognition, and computer security -- was responsible for the actual running of the experiments.
"We started our analysis using 8,200 partial fingerprints," she told Rediff.com. "Using commercial fingerprint verification software, we found an average of 92 potential MasterPrints for every randomly sampled batch of 800 partial prints."
The researchers defined a MasterPrint as one that matched at least 4 percent of the other prints in the randomly sampled batch.
Analysing the attributes of the MasterPrints that were culled from the real fingerprint images, they built an algorithm to create synthetic partial MasterPrints.
"Our experiments," said Roy, "showed that synthetic partial prints have an even wider matching potential, making them more likely to fool biometric security systems than real partial fingerprints."
The research, funded by the National Science Foundation, was a collaboration between researchers from the New York University Tandon School of Engineering and the Michigan State University College of Engineering.
The figures, though the work was done in a simulated environment, were alarming.
With digitally simulated MasterPrints -- depending on how many partial fingerprint impressions were stored for each user and assuming a maximum number of five attempts per authentication -- they "successfully matched between 26 and 65 percent of users"!
To put it in perspective, when a hacker tries to crack a PIN-based system with a commonly used password like 1234, that password is right about 4 per cent of the time.
And according to Roy, "The more partial fingerprints a given smartphone stores for each user, the more vulnerable it is."
As Memon explained to The New York Times, 'It's as if you have 30 passwords and the attacker only has to match one.'
Roy told Rediff.com, "We expected that MasterPrint will be able to attack other users. But we were surprised with the high matching capability of the MasterPrints... Though the actual number may vary depending on how many partial fingerprint impressions are stored for each user, the results show how information loss in partial fingerprints increases the risk of attack at an alarming rate."
The researchers have not conducted any testing with real phones, and security experts have pointed out that the match rate would be much lower in real-life conditions, and the actual risk "difficult to quantify".
"I agree that in real-life the accuracy may decrease," Roy told Rediff.com. "But if we can attack even 10 per cent of the users in the five attempts allowed by most mobile phones, that will represent a real threat to the users."
This isn't the easiest of hacks -- yet -- but she cautioned, "With sufficient engineering and machine learning knowledge, it may not be very hard for an experienced/skilled hacker to create a MasterPrint with reasonable accuracy."
As our dependence on fingerprint-based technology grows, how worried are the researchers about security measures staying ahead of or even keeping up with hackers?
"It will be the responsibility of the concerned industries to make their system more robust" Roy said. "It is a continuous process of identifying the loopholes of existing techniques and developing solutions to make the authentication systems more robust."
"My current research is only questioning the security of existing fingerprint-based systems; it doesn't provide any solution yet," she added. "That might be my future project."
Until that happens, Roy practices what she recommends: A multi-factor authentication system combining a PIN-based password and fingerprints.
How to make phones safer
- Use full fingerprints
Aditi Roy told Rediff.com, "We found just one full-fingerprint MasterPrint in a sample of 800 full fingerprints. Thus, it is evident that there's a much greater chance of falsely matching a partial print than a full one."
- Multi-factor authentication
Nasir Memon, told NYU News, 'One way to address this problem is to ask for the PIN if the phone has been idle for a good length of time. Instead of just after the phone has been turned off and on, the PIN should be requested if the phone has been idle for two hours, three hours, and the fingerprint should not be allowed to unlock it.'
- Higher sensor resolution
Arun Ross, a BITS-Pilani alumnus, Michigan State University Professor of Computer Science and Engineering and the third team member, said, 'As fingerprint sensors become smaller in size, it is imperative for the resolution of the sensors to be significantly improved in order for them to capture additional fingerprint features.'
'If resolution is not improved, the distinctiveness of a user's fingerprint will be inevitably compromised. The empirical analysis conducted in this research clearly substantiates this.'
