Fingerprint Sensors are Not the Guarantee to Privacy

Written by

Most mobile phones are widely introducing fingerprint sensors as a modern security feature and users are assuming they are safe. Yet there are some serious flaws which can allow hackers to access your smartphones via fingerprint sensor. 

The fingerprint technology is utilized for biometric security, and from there, top smartphone vendors such as Apple and Samsung adopt it. However, a recent paper from researchers at New York University and Michigan State University revealed how deep learning technologies could aid in crippling the biometric technology. 

Also, the ease of a fingerprint sensor is not stable in many circumstances. Old capacitive scanners, which are mostly used for fingerprint sensors, will not work if your fingers are wet or sometimes when they are just sweaty. Also, scars, scratches and other skin flaws at your fingertips could decrease the efficiency of fingerprint recognition.   

Inconvenience might bother you, but privacy lack could entail security destruction. Researchers also found that by using artificial intelligence technologies, the software that runs fingerprint scanners could be easily fooled.

Lock-screen bypass bug
On many occasions, we have witnessed lock-screen bypass bugs which affect the user’s privacy, but these only work if the attacker has physical access to their smartphones. A similar flaw was discovered in Apple’s latest iOS 12.1 updates within just a few hours after its release.

The security researchers who found the flaw also disclosed that the lock-screen bypass bug could provide access to all the contact information through the activation of a FaceTime call and access to the new group FaceTime feature to monitor contact information without a passcode.   

The in-display fingerprinting feature is broadly considered an increasing trend in some flagship model phones, according to Tencent’s Xuanwu Lab. The researchers at Xuanwu Lab were able to bypass handset locks easily by placing a piece of opaque reflective material – probably aluminium foil – on the in-display fingerprint sensors. 

"This is a not big problem for previous capacitance sensors, but for optical sensors, it's lethal,” Xuanwu Lab founder and researcher, Yang Yu said.

Capacitance Sensors vs. Optical
According to some experts, optical fingerprint imaging – within in-display fingerprint readers – will soon be taken over by capacitance-sensor fingerprint scanners. 

The method of reading a fingerprint is the main difference between both the technologies. Optical fingerprint scanners use an image sensor to grab the imprint of a user’s fingertip surface. However, the conventional authentication - based on the capacitance sensor - uses a pixel array of capacitors to develop the image of a fingerprint. This sensor only functions when there is an OLED display (a backlit display is necessary), and it scans fingerprints through peering with the gaps between pixels.   

When in-display fingerprint technology is in place, as soon as the finger strikes the screen, the screen flashes light and highlight fingerprint traces on the screen. With this process, a simultaneous action takes place and the sensor under the screen takes the image of the fingerprint. 

This complicated process may induce a fake sense of security in your mind, but there is always a fingerprint residual on the smartphone screen which could easily be exploited by an attacker.

For instance, the Tecent’s researcher, Yang Yu, discovered that if a reflective material is placed underneath the screen, it will amplify the residual fingerprint and fakes a sensor to think it as real. It is a prominent issue with the optical sensor because even though the fingerprint residual is merely prominent, the sensor will be aware of this in normal situations. 

Therefore, if your phone is within the physical access of a hacker, with a high chance of your fingerprint residual on the screen, the attacker could unlock your smartphone in minutes.    

How can fingerprint authentication be implemented and managed?
The stolen passwords and revealed unlock patterns are not as lethal as the exploited fingerprints could be. You can promptly change the passwords and patterns, but you cannot change your fingerprint patterns. 

However, users could only avoid using the fingerprint sensor technology, but the vendors need adequate implementation and management. 

This is a design flaw, but researchers claim that the vendors could eradicate the fault simply by updating the identification authentication. A similar strategy was utilized by Huawei which released software updates in September so that the flaw could be managed. 

The vulnerability is minimized by adding a larger fingerprint sensor said Chris Boehnen, the manager of the federal government’s Odin program. The Odin program was studying the methods to defeat biometric security attacks. Dr. Boehnen quoted the example of iris scanner - added in the latest model of a smartphone – while recommending the newer biometric security options. However, he discouraged the use of facial recognition as it is more prone to attacks and less secure than fingerprints. 

For instance, it is really easy for an attacker to use a high-resolution picture of you and unlock the phone. In many regular smartphones, a normal picture extracted from your mobile or any other source could work too. 

According to Dr. Boehnen, the smartphone vendors could boost security by making it complicated to detect and match the partial fingerprint. He told the New York Times: “The average phone company is more worried about you being annoyed that you have to put your finger against the phone two or three times than they are with someone breaking into it.” 

Besides the protection and authentication from smartphone companies, users themselves need to take some security measures. You should avoid using fingerprint authentication for sensitive apps such as mobile payments (PayPal and other financial services).

Also, it is a good move to use any finger other than the thumb or index finger which are the first guess while making the fake case to break your protection.   

When it comes to government, there are no such privacy laws which encompass smartphone user security. However in the previous year, Washington state lawmakers passed legislation which focuses on the security of the fingerprint scanning. After that many states have passed laws which forbid companies to use biometric information.

What’s hot on Infosecurity Magazine?