Fake Fingerprints Can Imitate Real Ones In Biometric Systems, Research Shows (theguardian.com)
schwit1 shares a report: Researchers have used a neural network to generate artificial fingerprints that work as a "master key" for biometric identification systems and prove fake fingerprints can be created. According to a paper [PDF] presented at a security conference in Los Angeles, the artificially generated fingerprints, dubbed "DeepMasterPrints" by the researchers from New York University, were able to imitate more than one in five fingerprints in a biometric system that should only have an error rate of one in a thousand.
The researchers, led by NYU's Philip Bontrager, say that "the underlying method is likely to have broad applications in fingerprint security as well as fingerprint synthesis." As with much security research, demonstrating flaws in existing authentication systems is considered to be an important part of developing more secure replacements in the future. In order to work, the DeepMasterPrints take advantage of two properties of fingerprint-based authentication systems. The first is that, for ergonomic reasons, most fingerprint readers do not read the entire finger at once, instead imaging whichever part of the finger touches the scanner.
Re: (Score:2)
They did demonstrate that it isn't particularly hard to fool simple fingerprint scanners. I mean, they used a simple photocopy of a fingerprint. Granted, those were fairly simple scanners, but it isn't too hard to imagine similar techniques working with more advanced scanners. I've also seen some presentations by physical penetration testers that were able to lift fingerprints and fool fingerprint locks, though they often simply bypassed the reader altogether.
Re: (Score:2)
A silicone molding works on TouchID and I assume other capacitive scanners. It might also be possible to lift a print off a shiny surface with a bit more luck/skill/equipment too: https://youtu.be/2u4ZLGsw1zo?t...
Re: (Score:3)
Also interesting, the most expensive one tested was the easiest to fool.
Re: (Score:2)
The mythbusters demonstrated copying a fingerprint known to be accepted by the scanner. This is a skeleton key created fingerprint that has about a 20% chance of working even if you don't have a fingerprint to copy.
Fingerprints are lousy ID (Score:1)
Can't change them. Can't revoke them. You leave a copy of them around on everything you touch. Why do people still use these for identification?
Re: (Score:2)
There's even a commercial on TV now about how great the fingerprint password system is on their laptop... that they show off by having a child use your fingerprint while you're asleep. See, you don't even have to get woken up or supervise your kids to authorize them for whatever they want.
Prior Art (Score:2, Insightful)
James Bond
Myth Busters...
It's been done. Fingerprint scanners are NOT secure.
Having said that, I too have developed a "don't give a fuck attitude" towards the insecurity. It's just too convenient to touch my PC or phone and have it unlock.
I use it. I know it's wrong, but...
Re: (Score:2)
Pretty much, yeah. The biggest flaw in the security of modern phones is that it is binary. You either have full access to the device or you don't.
On my laptop, I can create encrypted volumes that provide restricted access to things like financial records, and use different passwords. The fingerprint reader can't provide access to those.
I can even put entire applications inside those containers, if there were some valid reason to do so, and symlink the apps' sandbox container directories into the encrypte
Re: (Score:2)
>Myth Busters...
Myth Busters made a copy of a real fingerprint. These guys generated an image of a fingerprint that was close enough to unlock the phone... without knowing what the original fingerprint looked like.
That's why they call it the "master key" fingerprint... because it can unlock the phone like a ghost key. They used the adversarial neural network to find weaknesses in the fingerprint identification algorithm. Basically, some features of fingerprints are more common than others.
Re: (Score:2)
Sometimes it pays off to RTFA or even just the summary, doesn't it.
I haven't really considered fingerprints to be very secure to begin with, due to the possibility of copying the prints or even just some goon forcefully pushing your thumb into the scanner. Still, it was "good enough" for most cases and to CYA from the corporate overlords who require the phone to be locked. This just makes it completely useless against any professional attacker and maybe even Joe Blow the phone thief, if the method can be
Re: (Score:2)
Consider the security difference between a passphrase and a fingerprint. You can use different passphrases for different sites but your fingerprint, give it away once to some fuckhead corporation and they have it for life and it can be sold to whomever wants to buy. So yeah, password has been compromised, change it once at that location, so what the fuck do you do if your fingerprint has been compromised, for the rest of your fucking life, hmmm.
I'm sure governments have known this for a while (Score:2)
I have similar worries in regard to the proliferation of 'deep fakes' and other methods of realistic video editing that is indistinguishable from original recordings.
I imagine we will deal with these issues to the best of our ability as time goes on, but "Damn future, you scary!"
Re: (Score:1)
I don't think this would be very helpful for framing anyone; the goal is completely different. The goal when framing somebody is to create a unique match, while this technique creates a fingerprint that matches something like 20% of the database. If you could manage to plant one of these fingerprints, it might well match the person you're trying to frame, but it would match many other people who you aren't trying to fra
Re: (Score:2)
Fingerprint analysis is normally limited to returning a "match"/"no match" on the suspect. So, if you didn't have an example of the fingerprint, it's a 20% chance of working.
Re: (Score:1)
Actually, fingerprint evidence is used in a number of ways. One way is to get a match vs no match on the suspect. Another way is to query a fingerprint database to find a list of possible suspects. The key is that the defendant is allowed to have their expert look at the evidence, so the person trying to frame them can't control and make sure it's only used for match/no match. If the defendant's expert uses it to query the database and finds it's a match to 20% of the fingerprints there, you have instan
Re: (Score:2)
That's true, if the person you're framing has resources. Otherwise, it works 20% of the time. And given that something like 1/4 of Americans cannot put together $400 in an emergency, you have an 8% chance of it working.
Along similar lines... (Score:2)
Ahead of the curve (Score:1)
Maybe the Orange Dude is right: everything is becoming fake, rigged, and/or bugged.
He's not paranoid, he's a profi...prophet.
Research shows? (Score:3, Insightful)
What the hell was wrong with "common sense shows"? It's a hell of a lot cheaper.
This needed research? (Score:2)
Why did this need to be researched? We've known about this as long as we've had the technology.
Next thing you know, FaceID will be hacked (Score:2)
Oh, wait, it already is.
Look, the main problem is one of tuning. Fingerprints are just 3D printed objects, and many scanners aren't that bright. In the old days we could just do a ridge pattern on plastic to throw them, now we have to emulate the ridges for the fancier detection devices. Still takes us less than 60 seconds, of course.
Deep vein scan (Score:2)
>"Fake Fingerprints Can Imitate Real Ones In Biometric Systems, Research Shows"
Which is one of MANY reasons why fingerprints should not be used for "real" security- it isn't really secure.
Further, using fingerprints (or worse, DNA) and allowing a third-party to have access to that data is unacceptable. Not only because the government and big business should have no need to indiscriminately track what people are doing all the time but because they should not have fingerprint registration data (which will
Re: (Score:2)
>No harder to fake than a finger print. Just a bit harder to get the raw data...
That is incorrect on both counts. It is much, much, much, much harder to get the raw data or fake for a variety of reasons. Not the least of which is that people don't normally have their palms in contact with things as much as fingers, and don't have them facing outwards towards possible collection devices and can't just leave deep vein patterns lying around for people to collect. And the thermal imaging being done needs
This is not a password this is an ID (Score:1)
It is clearly not! This is simply an easier/convenient way to identify yourself, the equivalent of your good old login name. Full stop. Any attempt to use biometrics beyond this point is just utterly stupid.