New research has found that your fingerprints can be imitated based on the sounds they make on a touchscreen, and then used to attack biometric security measures.
While this sounds like the plot of a budget spy movie, a team of researchers from the US and China report in their findings (PDF) that by using this technique they could “crack up to 27.9% of partial fingerprints and 9.3% of full fingerprints within five attempts using the highest security FAR (False Acceptance Rate) setting of 0.01%.”
The technique uses a side-channel attack called PrintListener to match an individual’s fingerprint with a MasterPrint or DeepMasterPrint dictionary to trick the Automatic Fingerprint Identification System (AFIS) into detecting a legitimate and authorized fingerprint.
Finger rubbing is now a safety hazard
The team of researchers tested their PrintListener technique “in real-world scenarios” that resulted in successful attacks using both partial and full fingerprints, significantly surpassing the success rates of MasterPrint dictionary attacks.
As you would expect, the PrintListener algorithms are highly sophisticated: a very complex workflow is required to generate a fingerprint from isolated friction sounds mixed with the background noise of a Discord or FaceTime call.
Physiological and behavioral factors must then be taken into account, as they can influence the sound a finger makes on a screen. The researchers addressed this by using a technique known as minimum redundancy maximum relevance (mRMR), in addition to an adaptive weighting strategy.
These techniques identify the features of the left loop, right loop, and whorl of a fingerprint based on the friction noise characteristics that can then be used to generate synthetic fingerprints. In one in four attacks, the PrintListener technique was able to successfully attack AFIS using partial fingerprints, and in almost one in ten cases using full fingerprints.
There are major concerns about threat actors using photos of individuals’ hands to circumvent biometric identification measures, with some people taking extra care when taking photos.
Via Tom’s Hardware