Security

Fingerprints Can Be Recreated From the Sounds Made When Swiping On a Touchscreen (tomshardware.com) 42

An anonymous reader quotes a report from Tom's Hardware: An interesting new attack on biometric security has been outlined by a group of researchers from China and the US. PrintListener: Uncovering the Vulnerability of Fingerprint Authentication via the Finger Friction Sound [PDF] proposes a side-channel attack on the sophisticated Automatic Fingerprint Identification System (AFIS). The attack leverages the sound characteristics of a user's finger swiping on a touchscreen to extract fingerprint pattern features. Following tests, the researchers assert that they can successfully attack "up to 27.9% of partial fingerprints and 9.3% of complete fingerprints within five attempts at the highest security FAR [False Acceptance Rate] setting of 0.01%." This is claimed to be the first work that leverages swiping sounds to infer fingerprint information.

Without contact prints or finger detail photos, how can an attacker hope to get any fingerprint data to enhance MasterPrint and DeepMasterPrint dictionary attack results on user fingerprints? One answer is as follows: the PrintListener paper says that "finger-swiping friction sounds can be captured by attackers online with a high possibility." The source of the finger-swiping sounds can be popular apps like Discord, Skype, WeChat, FaceTime, etc. Any chatty app where users carelessly perform swiping actions on the screen while the device mic is live. Hence the side-channel attack name -- PrintListener. [...]

To prove the theory, the scientists practically developed their attack research as PrintListener. In brief, PrintListener uses a series of algorithms for pre-processing the raw audio signals which are then used to generate targeted synthetics for PatternMasterPrint (the MasterPrint generated by fingerprints with a specific pattern). Importantly, PrintListener went through extensive experiments "in real-world scenarios," and, as mentioned in the intro, can facilitate successful partial fingerprint attacks in better than one in four cases, and complete fingerprint attacks in nearly one in ten cases. These results far exceed unaided MasterPrint fingerprint dictionary attacks.

  • If malware can take over the mic of a mobile device and get this data then it may be useful in unlocking a phone if someone steals it later. Otherwise it would probably require someone to be really close to the victim to work.

    • Okay I see they mention the mic in the summary. So that is considered to be part of the attack vector. The success rate still seems a bit low, though.

      • I have a suspicion a regular iPhone mic would not be up to the task of doing this reliably. This likely requires an extremely high-end reference microphone to be up to the task.

        Hell I'd be surprised if the $5K Neumanns found in the high end recording studios were up to the task (Due to frequency response fall-off)

        Still the iPhone mic is actually what they used, so... maybe not? Regardless, while reliably pulling this off might be out of reach of hackers using the iPhone's own hardware, there's nothing stop

    • by darkain ( 749283 )

      From the actual PDF paper, they go into details about various conferencing apps like Skype, Zoom, Teams, etc where the audio would already be available to a remote entity.

      Essentially think of it like screen-sharing and typing in your credentials for someone else to see.

      And yeah, while the attack vector currently has a low probability of success, things like this only get better with time.

      I still remember from many MANY moons ago a research paper on recreating a house key from a low resolution photograph tak

      • by taustin ( 171655 )

        How many people are swiping their fingerprints while they have Skype, Zoom, Teams, etc already open?

        Seems their "1 in four at best" is a bit optimistic to me, in the real world.

        • by Kaenneth ( 82978 )

          Not swiping their fingerprints, just swiping the finger while using UI in general, is the claim.

          • Harvesting the print with general swiping the finger in general UI is the claim, but it only works in restricted conditions: 1. screen is covered in a matte screen protector (the roughness creates the noise), 2. user swipes with the finger pressuring the flat part on the screen (probably depends on the person, but for general UI I use only the tip of the finger, useless for the fingerprint scan). Their idea and realizations are awesome but fortunately it's not generically applicable to everyone.

          • by robi5 ( 1261542 )

            How's one different from the other? No one uses their knuckles instead of their fingertips, and hardly anyone swipes the screen unless it's to activate some UI element.

    • That's it, I'm changing my fingerprints today.

    • *Daredevil would like to have a word.
  • as I do not like finger marks on them. I mainly use Linux at the command line so a touch screen would not be much use anyway. I can touch type, maybe I could be identified from the way in which I hit keys.

  • I read that they can also recreate a computer monitor from a van outside by listening to the frequencies. Smart meters "aren't", but CAN, deduce what appliances are on/off from the way they draw power. Latest wifi routers can 'see' around a room like bats do.
    • All this stuff is cool but requires specialized equipment of one form or another to make it work usefully. The point being that the amount of effort and physical access to make it work against *you* is equivalent to the amount of effort and physical access necessary to bug your premises in the traditional sense.

  • by devslash0 ( 4203435 ) on Tuesday February 20, 2024 @07:45PM (#64255960)

    If your password gets compromised, you can change it. However, if your biometrics leak, they will remain in the open forever. You can't quite chop your finger off and get a new one, can you? It gets even worse. Since these days biometrics are taken as the source of ultimate truth, you will have no way whatsoever to prove that the person who used your biometrics was not you but a criminal. All this makes biometrics a very bad choice for any form of authentication.

    • I think of biometrics as having the same flaw as security devices or using mobile phone for two-factor authentication, if it's physical it can be stolen, and I don't very much like some criminal chopping off my finger or gouging out an eye to gain access to my meager savings.

      • by cusco ( 717999 )

        Modern hardware will check for the existence of blood pressure before even looking at the fingerprint/retinal print/hand geometry, and an iris scan or the blood flow pattern used for the Amazon readers won't function at all. For that to work would require hardware at least 15 years old, which means that there are probably multiple other issues with the system if they're using hardware that old.

    • > You can't quite chop your finger off and get a new one, can you?

      Sure you can. Finger transplants, and even whole hand transplants, are possible... and with very good success rates, too!

      https://buraksercanercin.co/bl... [buraksercanercin.co]

      Keep your fingers safe!

    • by AmiMoJo ( 196126 )

      All forms of authentication are a trade-off. Sometimes the downside is as simple as it being inconvenient for the user, resulting in them working around it. If you implement a strict, cumbersome authentication system, like say a 12 character password, upper and lower case, numbers, punctuation, no dictionary words, changed every month, your users will just write their passwords on post-it notes.

      Fingerprints are convenient and effective against most of the threats that people face regularly - theft, and law

      • by tlhIngan ( 30335 )

        Fingerprints are convenient and effective against most of the threats that people face regularly - theft, and law enforcement.

        Or general access.

        Apple did a study and found back in the iPhone 4 days, around 80% of the people didn't put a passcode on their phones. It was just too inconvenient to type it in hundreds of times a day. So everyone was just using the "swipe to unlock" as it was quick and convenient.

        The whole point of the phone biometrics was to encourage people to put a passcode on their phone - if

    • by clovis ( 4684 )

      I didn't see this attack coming (still don't), but being as paranoid as I am, I've always used a different finger for ID than the one I use for typing, swiping and general touching things.

  • ...to use an alphanumeric password. Not that we needed another reason - the Supreme Court ruling that your phone can be unlocked without a warrant if it uses a biometric password, but not an alphanumeric password; that is more than enough reason for me.
  • they have a best case that is "up to 27.9% of partial fingerprints" and "up to 9.3% of complete fingerprints within five attempts"?

    Not very impressive.

  • by samantha ( 68231 ) * on Wednesday February 21, 2024 @01:19AM (#64256278) Homepage

    Hilarious claim considering regular fingerprint readers can't dependably read my print for more than a few weeks max. I believe this not at all.

  • by Walt Dismal ( 534799 ) on Wednesday February 21, 2024 @01:34AM (#64256308)

    I find this really hard to believe. Friction on the minutia in a fingerprint really does not map well to specific acoustics. So I am calling BS on this research claim. My background includes working on AFIS projects twice in my career. I just don't buy the claims.

    • by Shaiku ( 1045292 )

      I don't accept this at face value either. The premise is absurd -- either this is totally faked or it just turns out that the fingerprint scanner can be fooled by crafted patterns 1 in 4 times.

  • Why go through the effort if prints are left all over the place anyway...? You're going to have to be present to use your fake print, at which point you may just lift the print you need. My recommendation: carefully take off the phone case, below it on the back of the phone you'll find a bunch of nice prints that got there just after the user was cleaning their phone and whilst holding it carefully when putting it back into the case.
  • Back in the 80s a UK bank experimented with signature verification by recording the sound of the pen movements on the paper as that was harder to replicate by a fraudster vs just being able to recreate the signature after a bit of practice.
  • I use a finger on my non-dominant hand, but for a different reason. Now there's another reason.

  • I find it odd when I see people using their finger pad on a screen.

    I've never not used the tip of my finger.

    Then again I keep short nails and was trained as a pianist.

    Which is more normal? Are there sex differences in this vulnerability? Would that also be exacerbated by calluses?

  • by Anonymous Coward
    Daredevil: "I keep hearing everyone's fingerprints! No more swiping!"
    Trailblazer: "Yeah Swiper! No Swiping!"
  • by groobly ( 6155920 ) on Wednesday February 21, 2024 @11:24AM (#64257380)

    I just use my fingertip, basically about 7 parallel ridges. How are they going to infer the whole fingerprint? Right, hallucinating it. Or, lying about it.

  • by jenningsthecat ( 1525947 ) on Wednesday February 21, 2024 @12:07PM (#64257486)

    I've worked in tech all my life, and even though I have a (very) basic understanding of this attack, it still seems like magic.

    The fact that mankind can do this really makes me wonder why we haven't gotten our shit together on more pressing problems, such as global warming.

  • Can it recreate the pattern of flour and dough on my fingers when I'm baking?
