Seemingly secure fingerprint recognition is more vulnerable to threats and tricks than many think. Photo: Handout
Seemingly secure fingerprint recognition is more vulnerable to threats and tricks than many think. Photo: Handout

Fingerprint recognition is now found on numerous smartphones, and such biometric authentication is even more vital in China now that mobile payments and smartphone-based e-wallets are pervasive in the nation.

It’s a breeze just to touch your phone with your finger to tell the device it’s you and the bill is settled, instantly.

But if you think fingerprint recognition is infallible and foolproof, think again.

Apple’s TouchID. Photo: Apple

A People’s Liberation Army cybersecurity expert and military commentator recently renewed the alarm, on a China Central Television (CCTV) program, that this security shield can be hacked through when malevolent people fake your fingerprint with tools as simple as a transparent film and a circuit scribe.

A film with ink from the circuit marker can be attached to cover half of a phone’s fingerprint reader, and more often than not the owner can still use his finger to unlock his phone even when just half of the print is read by the sensor.

Fingerprint sensing and matching algorithms adopted by Apple’s iOS and Android mobile systems feature machine learning to expedite the process to enable a user to unlock his phone the moment he places his finger on the reader, by using capacitive touch to take in an image of a print and updating the print image already stored in the phone. But in the same way, a deceptive ink pattern on transparent film may also be counted as an update to the stored image.

In some cases, as demonstrated in the CCTV program, such seemingly low-tech knock-off fingerprints made of film and circuit-scribe ink fooled and unlocked several phones made by Apple, Samsung, Huawei and Xiaomi when used alone without the actual fingerprint of the owner.

Phones from leading brands like Apple, Samsung, Huawei and Xiaomi were all fooled by fake fingerprints. Photo: China Central Television

So the warning is that fingerprints can be stolen – and unlike a passcode, you can’t change your fingerprint, as you give it away each time you touch a flat surface. Thus a single credential theft could lead to a lifetime of vulnerability, as anyone else may be able to fool the fingerprint reader on your phone, door lock or other devices.

The San Francisco-based mobile security startup Lookout noted when Apple launched its novel Touch ID feature back in September 2013 that the big question was whether Apple could implement a design that would resist infiltrators using “lifted” fingerprints collected from any surface a phone user may touch, with the help of glue and fingerprint tape.

Still, as Lookout expert Marc Rogers admitted in his blog, the process of collecting a complete, un-smudged print of the correct finger “belongs to the realm of CSI,” or police crime-scene investigators.

Screen Shot 2018-01-17 at 3.57.25 PM
A high-res picture of a thumb of German Defense Minister Ursula von der Leyen could be used to hack her phone. Photo: YouTube
YouTube video

Also, a working fingerprint model was constructed based on a high-resolution photograph of a thumb of German Defense Minister Ursula von der Leyen’s hand during a demonstration at a tech seminar held in her country.

Many tech enthusiasts have shown how to take an imprint of one’s finger using a dental mold to make a clay replica to fool an iPhone. It takes a few tries, but the replica may eventually work.

One reply on “Fingerprint security falls foul of simple tricks”

Comments are closed.