Researchers in Michigan State University’s Department of Computer Science and Engineering have devised what they call “a simple, fast and effective method to generate 2D fingerprint spoofs that can successfully hack built-in fingerprint authentication in mobile phones.” The method is detailed in their report, “Hacking Mobile Phones Using 2D Printed Fingerprints.”
Essentially, the researchers loaded a printer with four AgIC silver conductive ink cartridges and one black ink cartridge, scanned a fingerprint image at 300 dpi resolution, mirrored it, and printed that new image on glossy paper. They were then able to successfully spoof Samsung Galaxy S6 and Huawei Honor 7 devices, though the latter required more attempts.
Their aim is to highlight the vulnerability of smartphone fingerprint scanning systems at a time when they are becoming increasingly ubiquitous, citing a prediction in The Guardian that more than half of all smartphones will feature the technology by the year 2019; the researchers also point to the rise of mPayment systems in which fingerprint authentication is used to authorize transactions.
“This experiment further confirms the urgent need for anti-spoofing techniques for fingerprint recognition systems,” they wrote in a concluding paragraph.
Indeed, while 2D fingerprint scanning systems such as Apple’s Touch ID continue to grow more sophisticated, many companies in the smartphone space are looking to other biometric modalities such as iris recognition and eye vein scanning, and are starting to embrace multimodal authentication. These efforts are all likely to help advance the mobile security landscape; meanwhile, many would agree that even the fingerprint scanning systems spoofed in this experiment are better than PINs and passwords.
March 11, 2016 – by Alex Perala