Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
Security Privacy

Attackers Can Bypass Fingerprint Authentication With an 80 Percent Success Rate (arstechnica.com) 47

Posted by BeauHD from the not-for-everyone dept.
An anonymous reader quotes a report from Ars Technica: A study published on Wednesday by Cisco's Talos security group makes clear that the alternative isn't suitable for everyone -- namely those who may be targeted by nation-sponsored hackers or other skilled, well-financed, and determined attack groups. The researchers spent about $2,000 over several months testing fingerprint authentication offered by Apple, Microsoft, Samsung, Huawei, and three lock makers. The result: on average, fake fingerprints were able to bypass sensors at least once roughly 80 percent of the time.

The percentages are based on 20 attempts for each device with the best fake fingerprint the researchers were able to create. While Apple Apple products limit users to five attempts before asking for the PIN or password, the researchers subjected the devices to 20 attempts (that is, multiple groups of from one or more attempts). Of the 20 attempts, 17 were successful. Other products tested permitted significantly more or even an unlimited number of unsuccessful tries. Tuesday's report was quick to point out that the results required several months of painstaking work, with more than 50 fingerprint molds created before getting one to work. The study also noted that the demands of the attack -- which involved obtaining a clean image of a target's fingerprint and then getting physical access to the target's device -- meant that only the most determined and capable adversaries would succeed. The most susceptible devices were the AICase padlock and Huawei's Honor 7x and Samsung's Note 9 Android phones, "all of which were bypassed 100 percent of the time," the report says. "Fingerprint authentication in the iPhone 8, MacBook Pro 2018, and the Samsung S10 came next, where the success rate was more than 90 percent. Five laptop models running Windows 10 and two USB drives -- the Verbatim Fingerprint Secure and the Lexar Jumpdrive F35 -- performed the best, with researchers achieving a 0-percent success rate."
This discussion has been archived. No new comments can be posted.

Attackers Can Bypass Fingerprint Authentication With an 80 Percent Success Rate More

Attackers Can Bypass Fingerprint Authentication With an 80 Percent Success Rate

Comments Filter:

  • I use fingerprint auth in situations where I'd prefer not to use auth at all but something (such as my employer) forces me to. For example, I don't really want to authenticate on leaving the 10-minute forced screen saver but at least fingerprint makes it painless.

    So frankly I don't care how bad it is because from my perspective it's not protecting anything anyway.

    • Re: (Score:1)

      by Anonymous Coward

      Fingerprint scanners have always been easy to fool. I used to work for a biometric lock company about 20 years ago and the techniques are unchanged.

      You can only change your fingerprint so many times before you run out of fingers. You can change a password infinitely. If your organisation requires a password change every month and doesn't allow password reuse, then you'll be out of options before a year is out if you use fingerprints.

      In addition, anyone can simply force you to unlock something with your fing

      • Re:No auth! (Score:5, Insightful)

        by Spazmania ( 174582 ) on Wednesday April 08, 2020 @09:49PM (#59923728) Homepage

        I'm pretty sure anyone willing to cut my finger off is going to succeed at getting me to reveal my password.

        • Re: (Score:2)

          by gweihir ( 88907 )

          I'm pretty sure anyone willing to cut my finger off is going to succeed at getting me to reveal my password.

          Actually, cutting off e finger just requires a moment of extreme brutality. Torturing somebody competently is a whole different game that requires subtlety and insight and it seems to fail more often than not.

  • Although I think the Apple fingerprint detectors are probably more reliable, this study goes to show that FaceID is a way more secure approach.

    • Biometrics is not secure. You leave your password everywhere you go.

      • Biometrics = usernames, not passwords (Score:4, Insightful)

        by ron_ivi ( 607351 ) <sdotno@cheapcomp ... s.com minus poet> on Wednesday April 08, 2020 @07:51PM (#59923488)
        Biometrics should replace the Username, not the Password.

        Fingerprints and faces are great at saying "this is who I am". Just like the username part of a login form.

        They're not at all secret, so should in no way replace the password part.

        • Re: (Score:3)

          by AmiMoJo ( 196126 )

          According to TFA it took them months to get a working mould to reach this 80% success rate. Half decent implementations of fingerprint unlock will lock you out after say 5 failed attempts so this attack is impractical.

          In practice fingerprint unlock is fine for almost everyone. On my Pixel is periodically demands the password instead (usually as I'm trying to pay for something at the checkout) or if it fails to read a few times. If I'm in a jam I can just hold the power button until the phone shuts down and

          • According to TFA it took them months to get a working mould to reach this 80% success rate. Half decent implementations of fingerprint unlock will lock you out after say 5 failed attempts so this attack is impractical.

            iOS devices require the passcode every four days, and after five failed attempts. So if you steal my phone you must unlock it with a fake fingerprint in five attempts within 4 days. So it's not just the 5 failed attempts, but also the time limit.

            I'd really like a precise description of these guys' methodology. Anything that requires knowledge of my passcode to work is obviously nonsense - if you have my passcode, you don't need to forge my finger print, you just record your own one.

            • Re: (Score:2)

              by AmiMoJo ( 196126 )

              They describe it in detail in the paper. It's not practical against a Google or Apple phone because of the limits you mention. Other devices with looser limits may be vulnerable but it still took them a long time and a lot of effort to get something working.

        • If you're the sort of person that absolutely, positively needs to keep secrets because of [reasons], yeah, password all the way. But that's not what the biometrics on phones are for. It's so that you actually USE a passcode at all, to keep any sense of security on your phone to dissuade casual snooping and post-theft reselling of your device—most people that pluck it out of your pocket on a subway aren't going to have the tools necessary to make a cast of your fingerprint.

          Biometrics are fine for the p

        • Do you have a PAM config example that actually does this?

        • Re: (Score:2)

          by gweihir ( 88907 )

          Biometrics should replace the Username, not the Password.

          Fingerprints and faces are great at saying "this is who I am". Just like the username part of a login form.

          They're not at all secret, so should in no way replace the password part.

          Indeed. Biometrics is _identification_, not _authentication_. Identification is a claim of identity, authentication if a proof for such a claim to be true. The whole misunderstanding results from people assuming their physical characteristics not only being unique, but impossible to fake. That is very much not the case.

      • Re: (Score:3)

        by _merlin ( 160982 )

        It depends. You donâ(TM)t leave iris scans, retina scans and palm vein scans everywhere you go. They still have the issue of being impossible to change if theyâ(TM)re compromised, but they aren't anywhere near as bad as fingerprints (left everywhere) and face scan (easy to clone from a few photos).

      • Re: (Score:3)

        by jimbo ( 1370 )

        Biometric locks are highly effective against the kind of lowlife who'd run off with my phone, so I'm happy with FaceId.

    • Like that time the *son* could unlock it. The son of his *mother*!

      No, if you even for one second think biometrics could ever be secure, then please tattoo your private key onto your forehead, and argue it's safe because it is moderately complex.
      I mean it's *really* not that it takes a lot of comprehension, to get why it can never work.

  • The researchers have a term for the vulnerable devices...

  • Sorry, if I had know, I would have told you 2 years ago when we did something like that for a client...

    But seriously, circumventing fingerprint sensors ain't been "news" for a long time.

    • I am surprised the Windows 10 implementation proved to be so robust. They made a serious effort and failed to beat it. It is surprising since, how do you fail to fake a fingerprint if you have a clean fingerprint to work with?

      • Re: (Score:1)

        by Anonymous Coward
        not really surprised, Microsoft have been doing research in this area for a lot longer than the rest of them and have released many products over decades improving it.

      • Re: (Score:2)

        by mabinogi ( 74033 )

        If you've ever tried to use a fingerprint reader on a laptop, then it's obvious.

        The fake had 0% success rate because the real fingerprint has 0% success rate.

      • Re: (Score:2)

        by gweihir ( 88907 )

        Microsoft probably has (again) ignored all existing research and did something home-cooked. Likely even easier to bypass, but you need a different technique.

    • Re: (Score:2)

      by gweihir ( 88907 )

      Indeed, I read about 30 years ago about a Japanese professor doing this. This is not new at all.

  • Amazing Samsung A70 0-percent failure rate (Score:2, Informative)

    by Anonymous Coward

    One other product tested—a Samsung A70—also attained a 0-percent failure rate, but researchers attributed this to the difficulty getting authentication to work even when it received input from real fingerprints that had been enrolled.

  • It's one of those things that sounds very appealing initially, but it is a dreadful idea. My favorite complaint: once your authentication root has been compromised, it can't be revoked.
  • Fingerprint authentication is great for most people.

    • It's snake oil for the hoplelessly clueless.

      I suggest at least reading TFS. ;)

      • Re: (Score:1)

        by mabinogi ( 74033 )

        From TFS:

        Tuesday's report was quick to point out that the results required several months of painstaking work, with more than 50 fingerprint molds created before getting one to work.

        Most people's passwords can be broken in a fraction of that time.

        So yes, it is great for most people.
        Not everything has to be 100% effective against 100% of attacks to be useful.

      • Re: (Score:2)

        by jimbo ( 1370 )

        "“The results show fingerprints are good enough to protect the average person's privacy if they lose their phone. However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication.”
        "Tuesday’s report was quick to point out that the results required several months of painstaking work, with more than 50 fingerprint molds created before getting one to work. The study also noted that the demands of the attack—which involved obta

        • Tuesdayâ(TM)s report was quick to point out that the results required several months of painstaking work, with more than 50 fingerprint molds created before getting one to work.

          On an iOS device, you have no more than 4 days and 5 attempts. The 4 days don't start when you steal my phone, they start when I last used the passcode. So on average you have only two days.

  • Rats! What will bad guys do to generate drama if there's no need to cut off fingers?

  • Clean fingerprints are NOT hard to get. (Score:3, Interesting)

    by BAReFO0t ( 6240524 ) on Wednesday April 08, 2020 @07:44PM (#59923462)

    In Germany, when fingerprints were introduced to the new digital passports, the Chaos Computer Club lifted such a clean one of the very politician that pushed this through, off a glass he left at a cafe.

    (They produced to create a fake passport for him, proving that the whole thing was in vain, except for the totalitarianism.)

    Also, they say "painstakingly", yet it cost them only $2000.
    And now that the basic research is done, duration and cost will have come down a lot. I figure I any layperson could do it for a fraction of the price, if he can read their full report, or somebody else repeats it and publishes his report.

  • We already knew this. From TFA:

    "“The results show fingerprints are good enough to protect the average person's privacy if they lose their phone. However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication.”

    Also some context from TFA:

    "Tuesday’s report was quick to point out that the results required several months of painstaking work, with more than 50 fingerprint molds created before getting one to work. The study also note

  • Is this a real world problem at all? (Score:3)

    by mschuyler ( 197441 ) on Wednesday April 08, 2020 @09:35PM (#59923688) Homepage Journal

    This sort of authentication was never meant to stifle state-sponsored actors or concerted attempts at cracking. As the article says, "The study also noted that the demands of the attack -- which involved obtaining a clean image of a target's fingerprint and then getting physical access to the target's device -- meant that only the most determined and capable adversaries would succeed."

    Look at a typical PIN, for example, which is the go to way to protect your debit card. It's 4 digits: 10,000 possibilities, trivial to hack. Laughable even. But that doesn't mean it is not useful. If the NSA or the Ruskies can hack my debit card, is that the end of the world? Will it get them into Ft. Knox? At this level it's all fun and games, another cool way to solve a Rubik's Cube. Knock yourself out, bro. Have fun.

  • ... you cannot choose or change, but tell everybody around you constantly and it doesn't matter if you get it slightly wrong. The security of it depends on the sensor somehow magically measuring properties of you that cannot be faked.

  • problem (Score:2)

    by sad_ ( 7868 )

    researchers find security authentication issue, but can't quite put a finger on it.

  • Electrician's tape goes over every monitor camera. Who wants to wear a tinfoil hat all the time, taping over their cell phone screen lens?

    Fingerprint is enough to put you behind bars. You think you need better security than the US justice system?

    Whatever limitation fingerprint embodies, surely there's a Phd, polymath or ME who can better its success rate to 100%. /////////// sidebar ///////////
    Apple WWDC circa 1994 in queue waiting for doors to open in SFO, exchanging ideas with the Dev ahead of me. He b

Slashdot Top Deals

To the systems programmer, users and applications serve only to provide a test load.

Close