How Mobile Fingerprint Scanners Can Fail
This week a major mobile carrier unveiled a new line of phones secured with fingerprint scanners. While there’s the convenience of merely pressing your finger to gain access to a device, there’s a recognized trade-off for security; Biometrics are not yet reliable today. And, unlike passwords, which you can change, or two factor authentication which usually requires a password and something you have like a card or a phone, fingerprints can’t be changed after a compromise.
What’s really happening when you scan your fingerprint? Under the hood the fingerprint scanner usually doesn’t capture the entire print but looks instead for points of individuality. Say a fingerprint scanner captures eight or ten unique points, these points are converted into numbers and then via an algorithm into a hash. It is this hash that is stored either locally (on the device) or externally (in the cloud).
In theory hashes are one-way algorithms that can’t be reversed. Unfortunately, Moore’s Law applies with a vengeance here and in time faster, less expensive processors will render today's hashes trivial. But let’s assume the hash is pretty robust—-how easy is it then to get a specific fingerprint for a device you want to access?
Depending upon what’s one the other side of the lock, having more fingerprint scanners in the world might lead to people to start cutting off fingers in order to gain access. How likely is that? In my book, When Gadgets Betray Us, I chronicle the bizarre case of K. Kmaran, a Kula Lumpur accountant and carjacking victim, whose severed finger was used to gain access to his biometrically-protected $75,000 second-hand S-Class.
Biometrics companies responded by checking for lividity—in other words, the fingerprint must be warm and moist at the time of the scan, except there’s another problem. Even if your finger remains intact, still on your hand, your fingerprints are everywhere and some prints are recoverable with relative ease. For example, someone might lift a fingerprint off a CD case lying on your desk in your office and make a latex impression from it.
Sound far fetched? Take a look at this clip from MythBusters.
As the video shows, heat and moisture checking can be defeated by licking the image or by producing a latex mold over a live, warm finger. True, most people won’t have access to all the materials that the MythBusters team uses, but a determined attacker might. Again, it all depends what’s on the other side of the lock; if it’s a corporate mobile phone, it might be worth someone’s time.
In the real world Japanese ATMs have been using fingerprint scanners for years. They use vein-pattern recognition, which goes beyond the surface-level fingerprint and instead recognizes the unique pattern of veins within the digit. This circumvents both the use of latent prints and the lividity question. But the ATMs also combine finger scans with traditional two-factor security of a card and a PIN. This has proven to be very effective over the years and should this system be compromised, if your fingerprint is for example widely distributed in the media—-as happened to former German Interior Minister, Wolfgang Schauble, in 2008--you can at least change your card and/or your PIN.
With the current mobile phone technology we’re not talking about multi-factor authentication. Not yet. Perhaps, after a few mobile device-level hacks, however, that will change.