Biometric features like fingerprint sensors and iris scanners have made it easier to securely unlock phones, but they may never be as secure as a good old-fashioned password. Researchers have repeatedly worked out methods to impersonate registered users of biometric devices, but now a team from New York University and the University of Michigan has gone further. The team managed to create so-called “DeepMasterPrints” that can fool a sensor without a sample of the real user’s fingerprints.
Past attempts to bypass biometric systems usually involve getting access to a registered individual’s data — that could be a copy of their fingerprint or a 3D scan of their face. DeepMasterPrints involves generating an entirely new fingerprint from a mountain of data that’s close enough to fool the sensor. Like so many research projects these days, the team used neural networks to do the heavy lifting.
The process started with feeding fingerprints from 6,000 people into a neural network in order to train it on what a human fingerprint looks like. A neural network is composed of a series of nodes that process data, and a node's output feeds forward into additional “layers” of nodes if it meets a certain threshold. Thus, you can train the network to get the desired output. In this case, the researchers used a “generative adversarial network” to tune the system’s ability to generate believable fingerprints. The first network used its understanding of prints to make one from scratch, and then a second network would determine if it was real or fake. If the fingerprint didn’t pass muster, the first network could be re-tuned to try again.
The original input data came in the form of both full “rolled” fingerprints that were inked on paper and images of fingerprints captured by capacitive sensors like the ones on phones. DeepMasterPrints was significantly better at faking the capacitive prints because those sensors don’t need to see your entire fingerprint. It’s not practical to roll your finger across a sensor every time you unlock your phone.
Examples of real (left) and fake (right) fingerprints.
To test the master fingerprints, researchers used a capacitive sensor at three different security levels. At the highest level of security, the sensor would incorrectly match a print 0.01 percent of the time. At the middle level, the false match rate was 0.1 percent, and the lowest tier used a false match rate of 1 percent. At the lowest security level, the fake fingerprints fooled the sensor 76 percent of the time. It’s unlikely a real consumer device would be so permissive, though. The middle tier is more realistic, and the team was able to spoof the sensor 22 percent of the time. At the highest level, the fake prints only worked 1.2 percent of the time.
So, your fingerprint sensor might be less secure than you think. The researchers believe that engineers will have to implement new algorithms and hardware features to combat similar master fingerprint attacks.