Attackers Can Bypass Fingerprint Authentication With an 80 Percent Success Rate (arstechnica.com) 47
An anonymous reader quotes a report from Ars Technica: A study published on Wednesday by Cisco's Talos security group makes clear that the alternative isn't suitable for everyone -- namely those who may be targeted by nation-sponsored hackers or other skilled, well-financed, and determined attack groups. The researchers spent about $2,000 over several months testing fingerprint authentication offered by Apple, Microsoft, Samsung, Huawei, and three lock makers. The result: on average, fake fingerprints were able to bypass sensors at least once roughly 80 percent of the time.
The percentages are based on 20 attempts for each device with the best fake fingerprint the researchers were able to create. While Apple Apple products limit users to five attempts before asking for the PIN or password, the researchers subjected the devices to 20 attempts (that is, multiple groups of from one or more attempts). Of the 20 attempts, 17 were successful. Other products tested permitted significantly more or even an unlimited number of unsuccessful tries. Tuesday's report was quick to point out that the results required several months of painstaking work, with more than 50 fingerprint molds created before getting one to work. The study also noted that the demands of the attack -- which involved obtaining a clean image of a target's fingerprint and then getting physical access to the target's device -- meant that only the most determined and capable adversaries would succeed. The most susceptible devices were the AICase padlock and Huawei's Honor 7x and Samsung's Note 9 Android phones, "all of which were bypassed 100 percent of the time," the report says. "Fingerprint authentication in the iPhone 8, MacBook Pro 2018, and the Samsung S10 came next, where the success rate was more than 90 percent. Five laptop models running Windows 10 and two USB drives -- the Verbatim Fingerprint Secure and the Lexar Jumpdrive F35 -- performed the best, with researchers achieving a 0-percent success rate."
The percentages are based on 20 attempts for each device with the best fake fingerprint the researchers were able to create. While Apple Apple products limit users to five attempts before asking for the PIN or password, the researchers subjected the devices to 20 attempts (that is, multiple groups of from one or more attempts). Of the 20 attempts, 17 were successful. Other products tested permitted significantly more or even an unlimited number of unsuccessful tries. Tuesday's report was quick to point out that the results required several months of painstaking work, with more than 50 fingerprint molds created before getting one to work. The study also noted that the demands of the attack -- which involved obtaining a clean image of a target's fingerprint and then getting physical access to the target's device -- meant that only the most determined and capable adversaries would succeed. The most susceptible devices were the AICase padlock and Huawei's Honor 7x and Samsung's Note 9 Android phones, "all of which were bypassed 100 percent of the time," the report says. "Fingerprint authentication in the iPhone 8, MacBook Pro 2018, and the Samsung S10 came next, where the success rate was more than 90 percent. Five laptop models running Windows 10 and two USB drives -- the Verbatim Fingerprint Secure and the Lexar Jumpdrive F35 -- performed the best, with researchers achieving a 0-percent success rate."
Re: (Score:2, Funny)
That sounds like the 'Sex Panther' from Anchorman
Brian Fantana: They’ve done studies, you know. 60% of the time, it works every time.
No auth! (Score:2)
I use fingerprint auth in situations where I'd prefer not to use auth at all but something (such as my employer) forces me to. For example, I don't really want to authenticate on leaving the 10-minute forced screen saver but at least fingerprint makes it painless.
So frankly I don't care how bad it is because from my perspective it's not protecting anything anyway.
Re: (Score:1)
Fingerprint scanners have always been easy to fool. I used to work for a biometric lock company about 20 years ago and the techniques are unchanged.
You can only change your fingerprint so many times before you run out of fingers. You can change a password infinitely. If your organisation requires a password change every month and doesn't allow password reuse, then you'll be out of options before a year is out if you use fingerprints.
In addition, anyone can simply force you to unlock something with your fing
Re:No auth! (Score:5, Insightful)
I'm pretty sure anyone willing to cut my finger off is going to succeed at getting me to reveal my password.
Re: (Score:2)
I'm pretty sure anyone willing to cut my finger off is going to succeed at getting me to reveal my password.
Actually, cutting off e finger just requires a moment of extreme brutality. Torturing somebody competently is a whole different game that requires subtlety and insight and it seems to fail more often than not.
FaceID way more secure (Score:1)
Although I think the Apple fingerprint detectors are probably more reliable, this study goes to show that FaceID is a way more secure approach.
Re: (Score:3)
Biometrics = usernames, not passwords (Score:4, Insightful)
Fingerprints and faces are great at saying "this is who I am". Just like the username part of a login form.
They're not at all secret, so should in no way replace the password part.
Re: (Score:3)
According to TFA it took them months to get a working mould to reach this 80% success rate. Half decent implementations of fingerprint unlock will lock you out after say 5 failed attempts so this attack is impractical.
In practice fingerprint unlock is fine for almost everyone. On my Pixel is periodically demands the password instead (usually as I'm trying to pay for something at the checkout) or if it fails to read a few times. If I'm in a jam I can just hold the power button until the phone shuts down and
Re: (Score:2)
According to TFA it took them months to get a working mould to reach this 80% success rate. Half decent implementations of fingerprint unlock will lock you out after say 5 failed attempts so this attack is impractical.
iOS devices require the passcode every four days, and after five failed attempts. So if you steal my phone you must unlock it with a fake fingerprint in five attempts within 4 days. So it's not just the 5 failed attempts, but also the time limit.
I'd really like a precise description of these guys' methodology. Anything that requires knowledge of my passcode to work is obviously nonsense - if you have my passcode, you don't need to forge my finger print, you just record your own one.
Re: (Score:2)
They describe it in detail in the paper. It's not practical against a Google or Apple phone because of the limits you mention. Other devices with looser limits may be vulnerable but it still took them a long time and a lot of effort to get something working.
Re: (Score:2)
If you're the sort of person that absolutely, positively needs to keep secrets because of [reasons], yeah, password all the way. But that's not what the biometrics on phones are for. It's so that you actually USE a passcode at all, to keep any sense of security on your phone to dissuade casual snooping and post-theft reselling of your device—most people that pluck it out of your pocket on a subway aren't going to have the tools necessary to make a cast of your fingerprint.
Biometrics are fine for the p
Re: (Score:2)
Do you have a PAM config example that actually does this?
Re: (Score:2)
Biometrics should replace the Username, not the Password.
Fingerprints and faces are great at saying "this is who I am". Just like the username part of a login form.
They're not at all secret, so should in no way replace the password part.
Indeed. Biometrics is _identification_, not _authentication_. Identification is a claim of identity, authentication if a proof for such a claim to be true. The whole misunderstanding results from people assuming their physical characteristics not only being unique, but impossible to fake. That is very much not the case.
Re: (Score:3)
It depends. You donâ(TM)t leave iris scans, retina scans and palm vein scans everywhere you go. They still have the issue of being impossible to change if theyâ(TM)re compromised, but they aren't anywhere near as bad as fingerprints (left everywhere) and face scan (easy to clone from a few photos).
Re: (Score:3)
Biometric locks are highly effective against the kind of lowlife who'd run off with my phone, so I'm happy with FaceId.
Riiight... (Score:1)
Like that time the *son* could unlock it. The son of his *mother*!
No, if you even for one second think biometrics could ever be secure, then please tattoo your private key onto your forehead, and argue it's safe because it is moderately complex.
I mean it's *really* not that it takes a lot of comprehension, to get why it can never work.
finger fucked (Score:1)
And how would you know that? (Score:1)
Got cheated on, then denied? :D
This is news? (Score:1)
Sorry, if I had know, I would have told you 2 years ago when we did something like that for a client...
But seriously, circumventing fingerprint sensors ain't been "news" for a long time.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
If you've ever tried to use a fingerprint reader on a laptop, then it's obvious.
The fake had 0% success rate because the real fingerprint has 0% success rate.
Re: (Score:2)
That bad? Interesting.
Re: (Score:2)
Microsoft probably has (again) ignored all existing research and did something home-cooked. Likely even easier to bypass, but you need a different technique.
Re: (Score:2)
Indeed, I read about 30 years ago about a Japanese professor doing this. This is not new at all.
Amazing Samsung A70 0-percent failure rate (Score:2, Informative)
One other product tested—a Samsung A70—also attained a 0-percent failure rate, but researchers attributed this to the difficulty getting authentication to work even when it received input from real fingerprints that had been enrolled.
Re: (Score:1)
Re: (Score:1)
Biometrics for authentication is a joke (Score:2)
Non-clickbait headline (Score:1)
No, it really fucking isn't. (Score:1)
It's snake oil for the hoplelessly clueless.
I suggest at least reading TFS. ;)
Re: (Score:1)
From TFS:
Most people's passwords can be broken in a fraction of that time.
So yes, it is great for most people.
Not everything has to be 100% effective against 100% of attacks to be useful.
Re: (Score:2)
"“The results show fingerprints are good enough to protect the average person's privacy if they lose their phone. However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication.”
"Tuesday’s report was quick to point out that the results required several months of painstaking work, with more than 50 fingerprint molds created before getting one to work. The study also noted that the demands of the attack—which involved obta
Re: (Score:2)
Tuesdayâ(TM)s report was quick to point out that the results required several months of painstaking work, with more than 50 fingerprint molds created before getting one to work.
On an iOS device, you have no more than 4 days and 5 attempts. The 4 days don't start when you steal my phone, they start when I last used the passcode. So on average you have only two days.
Now what will they do? (Score:1)
Rats! What will bad guys do to generate drama if there's no need to cut off fingers?
Clean fingerprints are NOT hard to get. (Score:3, Interesting)
In Germany, when fingerprints were introduced to the new digital passports, the Chaos Computer Club lifted such a clean one of the very politician that pushed this through, off a glass he left at a cafe.
(They produced to create a fake passport for him, proving that the whole thing was in vain, except for the totalitarianism.)
Also, they say "painstakingly", yet it cost them only $2000.
And now that the basic research is done, duration and cost will have come down a lot. I figure I any layperson could do it for a fraction of the price, if he can read their full report, or somebody else repeats it and publishes his report.
Much Ado About (Almost) Nothing (Score:2)
We already knew this. From TFA:
"“The results show fingerprints are good enough to protect the average person's privacy if they lose their phone. However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication.”
Also some context from TFA:
"Tuesday’s report was quick to point out that the results required several months of painstaking work, with more than 50 fingerprint molds created before getting one to work. The study also note
Is this a real world problem at all? (Score:3)
This sort of authentication was never meant to stifle state-sponsored actors or concerted attempts at cracking. As the article says, "The study also noted that the demands of the attack -- which involved obtaining a clean image of a target's fingerprint and then getting physical access to the target's device -- meant that only the most determined and capable adversaries would succeed."
Look at a typical PIN, for example, which is the go to way to protect your debit card. It's 4 digits: 10,000 possibilities, trivial to hack. Laughable even. But that doesn't mean it is not useful. If the NSA or the Ruskies can hack my debit card, is that the end of the world? Will it get them into Ft. Knox? At this level it's all fun and games, another cool way to solve a Rubik's Cube. Knock yourself out, bro. Have fun.
Well biometry is like a password... (Score:2)
... you cannot choose or change, but tell everybody around you constantly and it doesn't matter if you get it slightly wrong. The security of it depends on the sensor somehow magically measuring properties of you that cannot be faked.
problem (Score:2)
researchers find security authentication issue, but can't quite put a finger on it.
Fingerprint - just works (Score:2)
Electrician's tape goes over every monitor camera. Who wants to wear a tinfoil hat all the time, taping over their cell phone screen lens?
Fingerprint is enough to put you behind bars. You think you need better security than the US justice system?
Whatever limitation fingerprint embodies, surely there's a Phd, polymath or ME who can better its success rate to 100%. /////////// sidebar ///////////
Apple WWDC circa 1994 in queue waiting for doors to open in SFO, exchanging ideas with the Dev ahead of me. He b