Smartphone Fingerprint Scanners: Are They Secure?
There are plenty of security threats to watch out for in 2016, and as you may have noticed, your smartphone can increasingly expose you to hacking, eavesdropping, and other exploits. So when news broke that researchers have found a cheap and easy way to create fake fingerprints that can fool a smartphone’s fingerprint reader, plenty of people began asking themselves: is it really safe to use your smartphone’s fingerprint scanner to unlock your device and all of the sensitive data you store on it?
Kaveh Waddell reports for The Atlantic that while it’s not new or surprising that a determined attacker could produce fake fingerprints to fool a smartphone’s reader, the newest method is easy and cheap, and can be replicated in just about anyone’s home office. Michigan State University’s Kai Cao and Anil K. Jain explained in a paper — called “Hacking Mobile Phones Using 2D Printed Fingerprints” (PDF) — that just a few days after Apple released the iPhone 5s, Germany’s Chaos Computer Club successfully fooled the TouchID sensor via a process that requires significant time and effort.
So Cao and Jain devised a simpler way to produce a fake fingerprint, using a 2D fingerprint image printed on a special paper with a standard inkjet printer, and successfully fooled a Samsung Galaxy S6 and a Huawei Honor 7. (As Joon Ian Wong reports for Quartz, the researchers also tried the spoof on an iPhone 5s and a Meizu MX4 Pro, with mixed results.) The researchers used special ink cartridges and paper from a Japanese company called AgIC. The ink can conduct electricity when printed on the specialized paper, creating a printed circuit. They scanned a fingerprint in high resolution, mirrored it, and printed it with a Brother inkjet printer.
The researchers then placed the fake fingerprint on the readers of the two popular Android phones, which were set to unlock with the owner’s real fingerprint, and the fake version of the finger fooled them. They write:
This experiment further confirms the urgent need for anti- spoofing techniques for fingerprint recognition systems, especially for mobile devices which are being increasingly used for unlocking the phone and for payment. It should be noted that not all the mobile phones can be hacked using proposed method. As the phone manufactures develop better anti-spoofing techniques, the proposed method may not work for the new models of mobile phones. However, it is only a matter of time before hackers develop improved hacking strategies not just for fingerprints, but other biometric traits as well that are being adopted for mobile phones (e.g., face, iris and voice).
Approximately 50% of smartphones sold by 2019 are expected to integrate an embedded fingerprint sensor, and the number of fingerprint sensors embedded in devices is projected to grow from 499 million in 2015 to 1.6 billion units in 2020, according to market research firm IHS. As services like Apple Pay, Android Pay, and Samsung Pay gain traction, fingerprint authentication is being used not only to unlock smartphones, but to make secure mobile payments and authenticate other transactions, potentially including things like large bank transfers. Some companies say they have technology that will prevent spoofs like these from working, like Goodix, which has a sensor that detects a user’s blood flow and therefore prevents 2D or 3D printouts from unlocking a phone.
But as data breaches grow more and more common, millions have already had their fingerprint information stolen — something that’s likely to happen again in the future. Waddell notes that the easy fingerprint-spoofing method is particularly worrisome in the wake of a major breach suffered by the Office of Personnel Management. 22 million people had sensitive personal data — like Social Security numbers, health and financial records, names of relatives, and past addresses — exposed, and 5.6 million also had their fingerprints stolen. Even if you think it’s unlikely that criminals will be able to get a hold of your fingerprints (and your smartphone), it’s worth pointing out that once a fingerprint has been stolen, you can’t reset it in the same way you would a password.
So should you forego the fingerprint authentication and just opt to unlock your phone the old-fashioned way? There are plenty of people who think it isn’t worth the risk. Joseph Steinberg reported for Forbes last year that not only are fingerprint readers often tricked by lifted fingerprints, but there are also some unwelcome legal ramifications of securing your phone with your fingerprint. In many jurisdictions, police agencies have the right to force you to unlock your phone if you secure it with a fingerprint, something they can’t force you to do if you secure your phone with a password.
Kevin Downey reports for Komando that some smartphones even have poorly protected fingerprint sensors and don’t properly encrypt your fingerprint data. That means that criminals could easily gain access to your fingerprint right from your phone. Despite assurances that your fingerprint data is never actually transmitted from your phone, and is processed in an area separate from the operating system, there’s always a risk of vulnerabilities that make it possible for criminals to find ways to access the data.
For many people, securing their smartphones with a fingerprint is more secure than using a passcode, particularly when users tend to opt for simple and insecure passcodes for the sake of convenience. If you want to use your smartphone’s fingerprint reader, then there are a few ways you can protect your security. Consider using the fingerprint not of your thumb or index finger, but of a less obvious choice, like the ring finger or pinky finger on your non-dominant hand. And avoid using fingerprint authentication to get into the app for your bank or PayPal account, and opt instead for a secure and unique password.