‘PrintListener’ Attack on Fingerprint Readers — Can You Trust Biometrics?🤞
Researchers reconstruct your fingerprint by listening to you swipe.
Can scrotes steal your fingerprints just by eavesdropping? An academic paper claims they can. Although accuracy isn’t perfect—yet.
As more and more sensitive stuff is secured behind biometrics, it’s a bit of a worry. In today’s SB Blogwatch, we deregister our swiping fingers.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Analog Valkyries.
Mic Check
What’s the craic? Mark Tyson broke the story—“New side channel can reproduce fingerprints”:
“Complicated science”
Biometric fingerprint security is widespread and widely trusted. … It is thought that the fingerprint authentication market will be worth nearly $100 billion by 2032. However, organizations and people have become increasingly aware that attackers might want to steal their fingerprints, so some have started to be careful about keeping their fingerprints out of sight.
…
The source of the finger-swiping sounds can be popular apps like Discord, Skype, WeChat, FaceTime, etc.—any chatty app where users carelessly perform swiping actions on the screen while the device mic is live. Hence the side-channel attack name: PrintListener.
…
A group of researchers … proposes a side-channel attack on the sophisticated Automatic Fingerprint Identification System (AFIS). … This is claimed to be the first work that leverages swiping sounds to infer fingerprint information. [But] there is some complicated science behind the inner workings.
Complicated? I bet it is. Nathan Ord calls it a “Touchscreen Nightmare”:
“Raises some interesting questions”
We already know that your sensitive information, such as passwords, can be nabbed by listening to your keystrokes. … Now a team of Chinese and United States researchers, some hailing from the University of Colorado Denver and the Huazhong University of Science and Technology, China, have shown that it is possible to capture partial fingerprints using “finger friction sound.”
…
These sounds can then be fed into a prediction model to reconstruct fingerprint images. While not a perfect system, … research into this area could be incredibly useful … for improving fingerprint technology. [And] it raises some interesting questions about what we generally trust to be secure.
Horse’s mouth? Man Zhou, Shuao Su, Qian Wang, Qi Li, Yuting Zhou, Xiaojing Ma and Zhengxiong Li—“Vulnerability of Fingerprint Authentication”:
“Strong attack power”
Fingerprint leakage may cause sensitive information theft, enormous economic and personnel losses, and even a potential compromise of national security. … The attack scenario of PrintListener is extensive and covert.
…
PrintListener separates weak frictional sounds … and obtains the first-level feature (fingerprint pattern) of fingerprints through the wide and deep combined prediction model. Further, PrintListener uses the random restart hill-climbing algorithm to synthesize the second-level feature (the position and direction of minutiae) of fingerprints that correspond to the inferred first-level feature, … which are the basis for fingerprint authentication. In addition, the synthesized fingerprint minutiae templates can also be used to reconstruct fingerprint images.
…
PrintListener can automatically capture the pattern features of fingerprints from a large number of raw recordings and generate targeted synthetic PatternMasterPrints. Extensive experimental results in real-world scenarios show that Printlistener has strong attack power on fingerprint authentication: … Up to 27.9% of partial fingerprints and 9.3% of complete fingerprints within five attempts at the highest security … setting.
Is this really such a big deal? nonrandomstring identifies the pachyderm in the parlor:
Why bother when you can pick them up from any doorhandle, coffee cup, pen, table surface, or just a photograph at super high-res? Biometrics are form of (dubious) in-person identification, and their use for access control belongs in the all-time stupidest ideas in computing list: … Tomorrow you will still have the same fingerprints.
…
[However], if you have a database, you could ID a remote user from swipes. That’s a [law enforcement] win.
Simple solution: Cut off your fingers. devslash0 goes further:
Biometrics are faulty by design. If your password gets compromised, you can change it. However, if your biometrics leak, they will remain in the open forever.
…
It gets even worse, since … biometrics are taken as the source of ultimate truth, you will have no way whatsoever to prove that the person who used your biometrics was not you but a criminal. All this makes biometrics a very bad choice for any form of authentication.
Wait. Pause. u/AzDopefish thinks it smells fishy:
Who swipes with their entire finger? … I pretty much just use the tips of my thumbs for swiping or typing. No way they’re getting a full fingerprint off that.
But but but … something-something entropy? TeMPOraL has no time for that: [You’re fired—Ed.]
[It’s] a good reminder that everything you do radiates information about it all the time, everywhere.
The perfect is the enemy of the good. Trust AmiMoJo to cut to the chase:
All forms of authentication are a trade-off. Sometimes the downside is as simple as it being inconvenient for the user, resulting in them working around it. If you implement a strict, cumbersome authentication system … your users will just write their passwords on post-it notes.
Fingerprints are convenient and effective against most of the threats that people face regularly – theft. [But] if you are the target of the CIA or MI6, you probably shouldn’t keep anything important on a phone … regardless of what authentication you set up.
Meanwhile, u/sysdmdotcpl doesn’t sound worried:
My phone can still barely tell if my finger is on it, if it’s too sweaty, or too dirty (or even too clean, now that I think about it).
And Finally:
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Alex “slavewire” Sheldon (via Unsplash; leveled and cropped)