SANS Internet Storm Center (ISC) Diary
The Quest for the Universal Fingerprint

Gebhard pointed us to an article at Heise which reports that researchers are working towards a "universal fingerprint": a master pattern (or a small set of master patterns) that rings enough bells to unlock any of today's fingerprint readers. They currently have an approach that takes partial impressions and combines them until the result "matches enough" to unlock a phone (or otherwise pass a biometric reader), essentially a dictionary attack against your fingerprint. They are currently at a 65% success rate, and of course that can only get better.
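The mechanism the diary describes, as an added toy simulation (this is not the researchers' code and is not part of the original diary): a small phone sensor only ever sees a partial impression, stores several partials per enrolled finger, and accepts a probe that matches any one of them, so the attacker's per-comparison false-match rate compounds across the stored partials and across the attempts the lock screen allows. The feature vectors, the skewed population distribution, the agreement threshold and the attacker's candidate pool are all constructed assumptions; the greedy selection of a few "master" partials against a training population, then scoring them on a held-out population, is the dictionary-attack idea from the text.

```python
"""Toy simulation of a 'master print' dictionary attack on a partial-fingerprint reader.

Constructed example, not the researchers' code: a partial impression is an 8-symbol
feature vector, a reader stores several partials per enrolled finger, and it accepts
a probe that agrees with ANY stored partial in at least MATCH_MIN positions.
"""
import random

FEATURES = 8
VALUES = (0, 1, 2)
WEIGHTS = (0.6, 0.25, 0.15)  # assumed skew: some ridge patterns are far more common than others
MATCH_MIN = 7                # positions that must agree for the toy matcher to accept


def random_partial(rng):
    """One partial impression drawn from the skewed population distribution."""
    return tuple(rng.choices(VALUES, weights=WEIGHTS, k=FEATURES))


def enroll(rng, users, partials_per_user):
    """A population of enrolled fingers; a small sensor keeps several partials per finger."""
    return [[random_partial(rng) for _ in range(partials_per_user)] for _ in range(users)]


def matches(probe, template):
    return sum(p == t for p, t in zip(probe, template)) >= MATCH_MIN


def unlocks(probe, templates):
    """The reader accepts if the probe matches any stored partial for that finger."""
    return any(matches(probe, t) for t in templates)


def coverage(probes, population):
    """Fraction of the population unlocked by at least one probe in the attacker's set."""
    return sum(any(unlocks(p, finger) for p in probes) for finger in population) / len(population)


def build_master_set(candidates, training_population, attempts):
    """Greedy set cover over the attacker's own collection of partials: each round keeps
    the candidate that unlocks the most training fingers not yet covered, up to the
    number of attempts the lock screen allows before it locks out."""
    hits = {c: {i for i, f in enumerate(training_population) if unlocks(c, f)} for c in candidates}
    uncovered = set(range(len(training_population)))
    chosen = []
    for _ in range(attempts):
        best = max(hits, key=lambda c: len(hits[c] & uncovered))
        if not hits[best] & uncovered:
            break
        chosen.append(best)
        uncovered -= hits[best]
    return chosen


def simulate(seed=1, users=150, partials_per_user=8, pool=200, attempts=5):
    """Pick master partials on a training population, score them on unseen victims."""
    rng = random.Random(seed)
    training = enroll(rng, users, partials_per_user)
    victims = enroll(rng, users, partials_per_user)   # held out: never seen while choosing
    candidates = [random_partial(rng) for _ in range(pool)]  # attacker's collection of partials
    master = build_master_set(candidates, training, attempts)
    return {
        # baseline: a single random partial, one try
        "random_probe": sum(coverage([c], victims) for c in candidates[:20]) / 20,
        # the chosen master set, one probe per allowed attempt
        "master_set": coverage(master, victims),
        # same master set against a reader that keeps only ONE template per finger
        "master_set_one_template": coverage(master, [f[:1] for f in victims]),
    }


if __name__ == "__main__":
    for name, rate in simulate().items():
        print(f"{name:>24}: {rate:.0%}")
```

Running the block prints three rates: how often a random partial unlocks a held-out finger in one try, how often the chosen master set does within the allowed attempts, and how the same master set fares when the reader keeps only one template per finger. The gap between the last two is the practitioner's takeaway: the number of stored partials and the number of permitted attempts multiply the matcher's false-match rate, so a per-comparison FMR that looks acceptable on paper is not the rate an attacker actually faces.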

Their advice? Get better readers (ones that can read the depth of the ridge pattern, add a heartbeat or other liveness sensor, etc.), or combine the fingerprint with other authentication mechanisms if your plan needs to account for attacks of this type. I'd say nation-state attacks, but this sounds like it's something anyone who's reasonably funded and motivated could take on, especially after the research is formally published.

Add this to the well-known fact that once compromised, your fingerprints can be neither revoked nor changed. If a simple and successful fingerprint attack is possible, either we need to look at better fingerprint readers going forward, or this takes fingerprint authentication off the table entirely.

References:

https://www.heise.de/newsticker/meldung/Mit-Master-Fingerabdruck-Zugriff-auf-fremde-Smartphones-bekommen-3702411.html
https://www.heise.de/tr/artikel/Kuenstlicher-Fingerabdruck-entsperrt-fremde-Smartphones-3697183.html

===============
Rob VandenBrink
Compugen
ISC Handler
"Add this to the well-known fact that once compromised, you cannot revoke your fingerprints, or change them either."

And that is the heart of the issue: any item which can *not* be quickly and easily revoked or changed once it has been found to be compromised, such as biometrics, absolutely can *not* be used for authentication. At best, we can use them for identification, but not authentication.
Robert

Hi, any smartphone finger sensor != "any of today's fingerprint readers"
Anonymous
