Are Smartphone Biometrics Hackable?

Xplorion Thumbnail

The use of biometrics in unlocking smartphones has made the use of cell phones to be very convenient. Just a touch of a finger opens the phone without requiring to unlit ock by using a password or pattern.

You can also pay for shopping by using a fingerprint if you use Android Pay or Apple Pay.

Banks also use Prints when the user is required to press their finger biometrics inside a banking app to either transfer money or pay for bills.

Despite the convenience of such wizardly effects, there are still some left security gap holes left unfilled.

According to the findings published by researchers at Michigan State University and New York University, smartphones can be unlocked with fake biometrics that is digitally created by using several standard features found in human fingerprints.

The researchers from the two universities managed to create artificial Master Prints that matched with as much as 65% of the real human fingerprints.

However, the researcher did not use real phones to test the possibility of the master prints working.

Therefore, there could be a possibility that the artificial prints could not give the estimated results in real-life situations.

In this case, the use of fingerprints to unlock smartphones still stands to raise questions about their effectiveness and the security hole that could be possible.

Commenting on these findings, Andy Adler, a professor of systems and computer engineering, said that the results are not as worrisome as they are presently about smartphones’ security.

Professor Andy Adler is an expert in Biometric security systems at Carleton University in Canada.

Andy Adler continued that if one can get into 1 out of 10 phones to access some stuff, then those are not bad odds and cannot solely determine the insecurity level of biometrics in smartphones.

It is tough to fake full human biometrics, but the print scanners used in smartphones are too small to accommodate the entire human thumbprints, subjecting them only to scan a section of it.

When you set up fingerprint security on your Apple iPhone or any other phone that uses Google’s Android systems, it takes over 8 sample images of your finger so that it can be easy to make a match when you place your finger to unlock it.

Moreover, some users may use more than one finger, the forefinger, and the thumb of each hand. Since a swipe of a finger requires matching only one image, then there is a possibility for the system to be unlocked by using falsified prints.

Commenting on the issue, Nasir Memon, a professor and expert of Computer science and engineering at New York University’s Tandon School of Engineering, said to false the biometrics in smartphones is like having over 30 passwords, and you only need to match at least one of them so that the phone can unlock.

Nasir Memon was among the three authors of the research study published in IEEE Translations on Information Forensics and Security.

His co-authors include a computer science and engineering professor at Michigan State, Arun Ross, and a postdoctoral fellow at New York University’s Tandon School of Engineering, Aditi Roy.

Dr. Nasir Memon further said that they found that if one could come up with a magic glove containing MasterPrints, it could be possible to get into about 50% of iPhones within the allowed five trials before the smartphone requests for the numeric password.

This password is commonly known as a personal identification number, and it is hard to fake it.

Responding to the findings, the Apple company spokesperson, Ryan James, said that the possibility of faking the iPhone fingerprints was 1 out of 50,000 smartphones if only one finger were enrolled.

He continued to reveal that the firm had tested various possible attacks when developing the Touch ID system.

He also said that the company incorporated several more security features to minimize falsifying the biometrics. Google did not comment on the matter.

It is difficult to quantify the actual risk. It should also be noted that Apple and Google keep almost all the useful details of their biometric technology secret.

Therefore, various Android Phone companies can employ the standard design used by Google in approaches that minimize the security levels.

Phone manufacturers acknowledged that biometrics sensors in smartphones are not foolproof.

They related the scenario with the indication that many users prefer turning on security features on their phones instead of leaving them unlocked due to the ease of touching a finger to unlock.

They termed the instance a typical scenario in the early days of smartphones.

Dr. Ross acknowledged the limitations found in work, saying that most phone vendors did not give them access to the fingerprint image.

He continued that a spy or thief needed a lot of additional work to use Master prints to unlock a smartphone. He supported his comment by saying that one has to fake fingers to accomplish their mission.

The fundamental finding, in this case, was that there is a vulnerability in partial fingerprints that can be spoofed.

Dr. Chris Boehnen supported the possibility of the finding, saying that it was still significant. Chris Boehnen is the manager of the federal government’s Odin program.

The program is tasked with studying how to defeat biometric security attacks to learn about the Intelligence Advanced Research Projects Activity.

Dr. Chris Boehnen continued to say that the primary concern is that one can pick a random smartphone only to find that the barrier to getting into it is significantly low.

Dr. Boehnen also said that phone makers could tighten the security by hardening the possibility to match partial fingerprints.

According to him, most phone companies are worried that the customer may be annoyed for putting the finger against the phone more than once than with a thief or spy getting into it.

Author Bio:

Creator of HDD Mag, lover of comic books (Especially Dr. Strange), horror movies, and video games. In my spare time, I’m either reading them, watching them or playing them!

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like