Fingerprints Can Be Recreated From the Sounds Made When Swiping On a Touchscreen (tomshardware.com) 42
An anonymous reader quotes a report from Tom's Hardware: An interesting new attack on biometric security has been outlined by a group of researchers from China and the US. PrintListener: Uncovering the Vulnerability of Fingerprint Authentication via the Finger Friction Sound [PDF] proposes a side-channel attack on the sophisticated Automatic Fingerprint Identification System (AFIS). The attack leverages the sound characteristics of a user's finger swiping on a touchscreen to extract fingerprint pattern features. Following tests, the researchers assert that they can successfully attack "up to 27.9% of partial fingerprints and 9.3% of complete fingerprints within five attempts at the highest security FAR [False Acceptance Rate] setting of 0.01%." This is claimed to be the first work that leverages swiping sounds to infer fingerprint information.
Without contact prints or finger detail photos, how can an attacker hope to get any fingerprint data to enhance MasterPrint and DeepMasterPrint dictionary attack results on user fingerprints? One answer is as follows: the PrintListener paper says that "finger-swiping friction sounds can be captured by attackers online with a high possibility." The source of the finger-swiping sounds can be popular apps like Discord, Skype, WeChat, FaceTime, etc. Any chatty app where users carelessly perform swiping actions on the screen while the device mic is live. Hence the side-channel attack name -- PrintListener. [...]
To prove the theory, the scientists practically developed their attack research as PrintListener. In brief, PrintListener uses a series of algorithms for pre-processing the raw audio signals which are then used to generate targeted synthetics for PatternMasterPrint (the MasterPrint generated by fingerprints with a specific pattern). Importantly, PrintListener went through extensive experiments "in real-world scenarios," and, as mentioned in the intro, can facilitate successful partial fingerprint attacks in better than one in four cases, and complete fingerprint attacks in nearly one in ten cases. These results far exceed unaided MasterPrint fingerprint dictionary attacks.
Without contact prints or finger detail photos, how can an attacker hope to get any fingerprint data to enhance MasterPrint and DeepMasterPrint dictionary attack results on user fingerprints? One answer is as follows: the PrintListener paper says that "finger-swiping friction sounds can be captured by attackers online with a high possibility." The source of the finger-swiping sounds can be popular apps like Discord, Skype, WeChat, FaceTime, etc. Any chatty app where users carelessly perform swiping actions on the screen while the device mic is live. Hence the side-channel attack name -- PrintListener. [...]
To prove the theory, the scientists practically developed their attack research as PrintListener. In brief, PrintListener uses a series of algorithms for pre-processing the raw audio signals which are then used to generate targeted synthetics for PatternMasterPrint (the MasterPrint generated by fingerprints with a specific pattern). Importantly, PrintListener went through extensive experiments "in real-world scenarios," and, as mentioned in the intro, can facilitate successful partial fingerprint attacks in better than one in four cases, and complete fingerprint attacks in nearly one in ten cases. These results far exceed unaided MasterPrint fingerprint dictionary attacks.
Can they hijack the mic to get this info? (Score:2)
If malware can take over the mic of a mobile device and get this data then it may be useful in unlocking a phone if someone steals it later. Otherwise it would probably require someone to be really close to the victim to work.
Re: (Score:2)
Okay I see they mention the mic in the summary. So that is considered to be part of the attack vector. The success rate still seems a bit low, though.
Re: (Score:2)
I have a suspicion a regular iphone mic would not be up to the task of doing this reliably.. This likely requires an extremely high-end reference microphone to be up to the task.
Hell I'd be surprised if the $5K Neumanns found in the high end recording studios where up to the task (Due to frequency response fall-off)
Still the iphone mic is actually what they used, so... maybe not? Regardless, while reliably pulling this off might be out of reach of hackers using the iphones own hardware, theres nothing stop
Re: (Score:2)
From the actual PDF paper, they go into details about various conferencing apps like Skype, Zoom, Teams, etc where the audio would already be available to a remote entity.
Essentially think of it like screen-sharing and typing in your credentials for someone else to see.
And yeah, while the attack vector currently has a low probability of success, things like this only get better with time.
I still remember from many MANY moons ago a research paper on recreating a house key from a low resolution photograph tak
Re: (Score:2)
How many people are swiping their fingerprints while they have Skype, Zoom, Teams, etc already open?
Seems their "1 in four at best" is a bit optimistic to me, in the real world.
Re: (Score:2)
Not swiping their fingerprints, just swiping the finger while using UI in general, is the claim.
Re: (Score:2)
Harvesting the print with general swiping the finger in general UI is the claim, but it only works in restricted conditions: 1. screen is covered in a matte screen protector (the roughness creates the noise), 2. user swipes with the finger pressuring the flat part on the screen (probably depends on the person, but for general UI I use only the tip of the finger, useless for the fingerprint scan). Their idea and realizations are awesome but fortunately it's not generically applicable to everyone.
Re: (Score:2)
How's one different from the other? Noone uses their knuckles instead of their fingertips, and hardly anyone swipes the screen unless it's to activate some UI element.
Re: (Score:2)
That's it, I'm changing my fingerprints today.
Re: (Score:2)
We here at the 3M Sandpaper Division would like to speak with you, sir.
Re: Can they hijack the mic to get this info? (Score:1)
Good thing that I don't like touching a screen (Score:2)
as I do not like finger marks on them. I mainly use Linux at the command line so a touch screen would not be much use anyway. I can touch type, maybe I could be identified from the way in which I hit keys.
Re:Good thing that I don't like touching a screen (Score:5, Informative)
maybe I could be identified from the way in which I hit keys.
Yes [researchgate.net], yes you can [howtogeek.com].
Re: (Score:3)
For that matter mouse movement seems to work as well.
https://news.slashdot.org/stor... [slashdot.org]
They can also... (Score:1)
Re: They can also... (Score:1)
All this stuff is cool but requires specialized equipment of one form or another to make it work usefully. The point being that the amount of effort and physical access to make it work against *you* is equivalent to the amount of effort and physical access necessary to bug your premises in the traditional sense.
Biometrics are faulty by design. (Score:5, Insightful)
If your password gets compromised, you can change it. However, if your biometrics leak, they will remain in the open forever. You can't quite chop your finger off and get a new one, can you? It gets even worse. Since these days biometrics are taken as the source of ultimate truth, you will have no way whatsoever to prove that the person who used your biometrics was not you but a criminal. All this makes biometrics a very bad choice for any form of authentication.
Re: (Score:2)
I think of biometrics as having the same flaw as security devices or using mobile phone for two-factor authentication, if it's physical it can be stolen, and I don't very much like some criminal chopping off my finger or gouching out an eye to gain access to my meager savings.
Re: (Score:2)
Modern hardware will check for the the existence of blood pressure before even looking at the fingerprint/retinal print/hand geometry, and an iris scan or the blood flow pattern used for the Amazon readers won't function at all. For that to work would require hardware at least 15 years old, which means that there are probably multiple other issues with the system if they're using hardware that old.
Re: Biometrics are faulty by design. (Score:1)
Re: (Score:2)
> You can't quite chop your finger off and get a new one, can you?
Sure you can. Finger transplants, and even whole hand transplants, are possible... and with very good success rates, too!
https://buraksercanercin.co/bl... [buraksercanercin.co]
Keep your fingers safe!
Re: (Score:3)
All forms of authentication are a trade-off. Sometimes the downside is as simple as it being inconvenient for the user, resulting in them working around it. If you implement a strict, cumbersome authentication system, like say a 12 character password, upper and lower case, numbers, punctuation, no dictionary words, changed every month, your users will just write their passwords on post-it notes.
Fingerprints are convenient and effective against most of the threats that people face regularly - theft, and law
Re: (Score:2)
Or general access.
Apple did a study and found back in the iPhone 4 days, around 80% of the people didn't put a passcode on their phones. It was just too inconvenient to type it in hundreds of times a day. So everyone was just using the "swipe to unlock" as it was quick and convenient.
The whole point of the phone biometrics was to encourage people to put a passcode on their phone - if
Re: (Score:2)
I didn't see this attack coming (still don't), but being as paranoid as I am, I've always used a different finger for ID than the one I use for typing, swiping and general touching things.
All the more reason... (Score:2)
So, you're saying that (Score:2)
they have a best case that is "up to 27.9% of partial fingerprints" and "up to 9.3% of complete fingerprints within five attempts"?
Not very impressive.
LOL (Score:3)
Hilarious claim considering regular fingerprint readers can't dependably read my print for more than a few weeks max. I believe this not at all.
not believable (Score:3)
I find this really hard to believe. Friction on the minutia in a fingerprint really do not map well to specific acoustics. So I am calling BS on this research claim. My background includes working on AFIS projects twice in my career. I just don't buy the claims.
Re: (Score:2)
I don't accept this at face value either. The premise is absurd -- either this is totally faked or it just turns out that the fingerprint scanner can be fooled by crafted patterns 1 in 4 times.
prints are left all over (Score:2)
Similar things (Score:2)
Another reason (Score:1)
I use a finger on my non-dominant hand, but for a different reason. Now there's another reason.
Just the tip, Ma'am (Score:2)
I find it odd when I see people using their finger pad on a screen.
I've never not used the tip of my finger.
Then again I keep short nails and was trained as a pianist.
Which is more normal? Are there sex differences in this vulnerability? Would that also be exacerbated by calluses?
Meanwhile, Daredevil... (Score:1)
Trailblazer: "Yeah Swiper! No Swiping!"
Really? (Score:3)
I just use my fingertip, basically about 7 parallel ridges. How are they going to infer the whole fingerprint? Right, hallucinating it. Or, lying about it.
Any sufficiently advanced technology (Score:3)
I've worked in tech all my life, and even though I have a (very) basic understanding of this attack, it still seems like magic.
The fact that mankind can do this really makes me wonder why we haven't gotten our shit together on more pressing problems, such as global warming.
But.. (Score:2)