Boffins bust biometrics with inkjet printer

Boffins from Michigan State University have loaded up an inkjet printer with cartridges designed for printing electronic circuits, and used the output to fool smartphone fingerprint sensors. All that's needed is a scan of the victim's fingerprint (reversed so it presents the right way when printed), and a suitable inkjet …

  1. a_yank_lurker

    Not Surprised

    The Mythbusters did a piece on fooling fingerprint readers a few years ago. They confirmed it is not very difficult to fool a fingerprint reader.

    1. John Robson Silver badge

      Re: Not Surprised

      more importantly - it looks like the technology on those readers hasn't improved much...

      What can you do to defend against a printed fingerprint? Look at vein structure and heat as well?

      1. Tessier-Ashpool

        Re: Not Surprised

        Ultrasonic sensor to detect and characterise the finger's blood flow?

        1. Anonymous Coward
          Devil

          Re: Not Surprised

          The more tricky you get with stuff like veins and blood flow the greater the number of false negatives which will make for a frustrating user experience. Easier to just implant a chip in your finger and be done with it.

          Devil icon (or closest thing to it) since I just suggested a special mark you must have before you're allowed to buy or sell!

          1. Mage Silver badge

            Re: Not Surprised

            Chip in finger is no solution. It's very vulnerable to being copied or remote reading.

            Veins, pulse and blood flow can be copied.

            1. Anonymous Coward

              Re: Not Surprised

              "Chip in finger is no solution"

              Oh boy. I'll have to start from scratch here.

              Some finger print scanners use radio technology to scan for ridges - they read finger prints. They are fed a HF signal which is absorbed by your finger (if attached to your body) and the rate of absorption is modulated by print ridges passing over that specific transmission point. Put a bunch of these in a row and you have a scanner that only gives you a read if the body passing over the transmission is sufficiently large to absorb the signal. This stops the use of fingers with one previous owner.

              Sticking a chip in a finger has (as far as I know) not yet happened because there isn't that much vacant space in a finger, as opposed to, say, cranial space in politicians or (apparently) rectal space in returning prisoners after removal of phones and chargers.

              1. Adam 1

                Re: Not Surprised

                Biometrics are by definition observable and something you are so can't fulfill the concept of something you know like a password. In some ways that makes them worse choices because you can't just change them if they get stolen and they can get lost if you have to bandage up your digit due to an injury. Some materials actively erode the ridges (things like pineapple or beer believe it or not) so people working in certain industries can have trouble getting something unique anyway.

                But if you consider them like a 2FA rather than an authentication in their own right, it is better than what it replaces. PINs can be viewed by people standing behind you. Whilst lifting a fingerprint off a surface is reasonably trivial, you also need the device. A fingerprint door latch for example could be argued as insecure, but is it less secure than the pin and tumbler it replaced?

                1. Charles 9

                  Re: Not Surprised

                  But how do you deal with true idiots who have nothing to know? About the ONLY thing they have is something they are, so it's basically that or bust.

      2. Anonymous Coward

        Re: Not Surprised

        "What can you do to defend against a printed fingerprint? Look at vein structure and heat as well?"

        There's radio based tech which uses body mass as drain. That won't register unless there is a sufficiently large watery mass attached to the finger to drain energy and as it is proximity based you get a 3D depth read of finger details. That's why you should not press hard on a fingerprint reader, you cause plastic distortion of the details and end up with a false read.

      3. Anonymous Coward

        Re: Not Surprised

        "What can you do to defend against a printed fingerprint? Look at vein structure and heat as well?"

        If I recall correctly it's Fujitsu who indeed has a chip that reads vein patterns, but that's not a fingerprint reader but a palm scanner. I haven't read up on that chip (too many other things to do) but I think it takes too much power for mobile use, and it's a bit tricky to use as it reads a palm from a fixed distance (5 to 10 cm if I'm not mistaken). I do recall that the amount of data it read was so large that there was a separate company writing software for matching such scans because the time between reading and matching a scan (for instance, to open a door) was too long.

        It's been a while, though, things may have moved on. It's quite interesting tech but I agree with some other people here that badly implemented use of any biometrics is worth avoiding.

    2. Christian Berger

      No, much earlier than that

      September 22, 1986 MacGyver demonstrated unlocking a hand print scanner by using a latent handprint. He sprinkled some ground up wall paint onto it and used his jacket to press down the plate... Even in the late 1990s some fingerprint scanners were vulnerable to the same attack... though you had to breathe onto them to get some moisture for it to work.

      Biometrics is one of those things that can be logically deduced to be unsuitable for authentication. Your biometric key is not changeable (unlike a password), it cannot be read 100% accurately so you cannot deviate keys from it (imagine a password prompt with auto correct!), and it's impossible to keep secret.

      1. Ugotta B. Kiddingme

        Re: @ Christian Berger

        "September 22, 1986 MacGyver demonstrated..."

        but to be fair, MacGyver could make a nuclear missile out of three transistor radios, one automobile muffler, two pocket knives and a carrot.*

        * of course, only if it was a reasonably FRESH carrot.

  2. Anonymous Coward

    It very much depends on the reader

    The problem with the camera based readers is that they pretty much work on a picture match. Reproduce the picture and away you go.

    I've worked with all sorts of biometric readers (as a matter of fact, I may still have the original gummy fingers hardcopy somewhere, kindly sent to me by Tsutomu Matsumoto) and there is a MASSIVE variation in the quality of these with a very simple deciding factor: price. There is one particular reader made in the US which is actually quite good, it's a "ridge" that you move your fingers over (this style has been used in some laptops for a while, it looks like a gold coloured line). It contains an array of "pins" which each act as small antennae and represent a pixel in the read. A fingerprint ridge passing a pin drains some of its energy, so a full line acts like your average scanner. It has multiple parallel lines so you can detect direction and validate a read.

    Not only does the line design ensure you don't leave a handy latent print to use by a 3rd party (one of the major issues with shiny smartphones in general), but as the pins act as radio beacons it only gets a good read if there is actually a whole body attached to the finger in question. It could probably still be a dead body but I didn't test that as tourist season had already ended :).

    We've thrown practically anything at that reader (including said gummi fingers, that's why I had the paper) and it rejected it all.

    Resolution matters too. Reproducing a fingerprint in gummi is a relatively low resolution affair, but it matches enough data to give you a fighting chance. As soon as you elevate resolution it becomes harder to fool the reader, but you also increase the need for error correction as fingers are not always that clean. There's also the issue of sensitivity in general - some people have practically no ridges and it then becomes a signal to noise battle to pick up anything at all.

    In summary, it can be done better but if you're looking at mobile phones, every dollar extra amounts to quite a total investment on the total volume. In the battle of risk versus cost, it appears the reader lost.

    1. allthecoolshortnamesweretaken

      Re: It very much depends on the reader

      A smartphone with a fingerprint sensor is a gadget with another gadget, and once again, you get what you pay for.

      That being said, I'm not a big fan of biometrics. The data has to be stored, and once it gets compromised, you'd have to change your password biometrics to be secure. But no biggie, eyeballs grow back, don't they?

      1. Anonymous Coward

        Re: It very much depends on the reader

        "That being said, I'm not a big fan of biometrics. The data has to be stored, and once it gets compromised, you'd have to change your password biometrics to be secure. But no biggie, eyeballs grow back, don't they?"

        Not quite. Whoever stores your data so it can be replayed elsewhere is better off taking up gardening instead of IT. The best use of biometrics to YOUR benefit should:

        a - store the biometrics locally, so they're only used for access control to whatever secret is held (which could be anything from a secure password to a digital certificate for a VPN or access control). This also means no need for central Big Brother databases that risks everyone when compromised;

        b - store the biometric as a salted hash, so it's one way only and not usable when injected into another, similar device.

        (edit: this is actually how iPhones implement biometrics as well, but their reader really needs to be improved).

        Depending on application you can influence the hash by adding a PIN of sorts and so move to 3 factor (something you have/are/know).

        The main challenge is armour for the local storage. Not only does that need to be cryptographically secure, but it also needs measures against side channel attacks and against determined people physically shaving down chips until they get to the electronics (this is how satellite cards get analysed).

        However, whatever security measures you use, never forget that someone may choose to use a more direct route.
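Added example, not part of the comment above and not any vendor's implementation: a sketch of points a and b (template kept on the device, stored as a salted hash) run against constructed bit-vector "templates". It shows what happens when a second reading of the same finger differs by a few bits, the read-accuracy issue raised earlier in the thread. The 256-bit template size, the noise level and the distance threshold are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import random

TEMPLATE_BITS = 256  # assumed size of a constructed feature vector


def make_template(seed):
    """Constructed stand-in for an extracted fingerprint template."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(TEMPLATE_BITS)]


def noisy_reading(template, flipped_bits, seed):
    """Same finger read again: a few bits differ (dirt, pressure, angle)."""
    rng = random.Random(seed)
    reading = list(template)
    for i in rng.sample(range(TEMPLATE_BITS), flipped_bits):
        reading[i] ^= 1
    return reading


def salted_hash(bits, salt):
    """One-way digest of the salt followed by the template bits."""
    return hashlib.sha256(salt + bytes(bits)).digest()


def exact_hash_match(stored_hash, salt, reading):
    """Point b taken literally: only the salted hash is stored and compared."""
    return hmac.compare_digest(stored_hash, salted_hash(reading, salt))


def hamming(a, b):
    """Number of bit positions in which two templates differ."""
    return sum(x != y for x, y in zip(a, b))


def threshold_match(stored_template, reading, max_distance=40):
    """Noise-tolerant comparison; needs the template itself on the device."""
    return hamming(stored_template, reading) <= max_distance


def demo():
    salt = b"constructed-device-salt"           # constructed sample value
    enrolled = make_template(seed=1)            # enrolment reading
    stored_hash = salted_hash(enrolled, salt)
    same_finger = noisy_reading(enrolled, flipped_bits=12, seed=2)
    other_finger = make_template(seed=3)        # unrelated finger
    return {
        "hash_identical_reading": exact_hash_match(stored_hash, salt, enrolled),
        "hash_same_finger_noisy": exact_hash_match(stored_hash, salt, same_finger),
        "threshold_same_finger_noisy": threshold_match(enrolled, same_finger),
        "threshold_other_finger": threshold_match(enrolled, other_finger),
        "distance_same_finger": hamming(enrolled, same_finger),
        "distance_other_finger": hamming(enrolled, other_finger),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A plain salted hash only matches a bit-identical reading, so a noise-tolerant matcher has to keep a comparable template on the device, which is why the protection of the local storage discussed in the comment carries so much of the weight.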

        1. Charles 9

          Re: It very much depends on the reader

          "However, whatever security measures you use, never forget that someone may choose to use a more direct route."

          But what if their victim is a masochist (so gets off on torture) or a wimp (so faints before you get started)?

    2. Alan Brown Silver badge

      Re: It very much depends on the reader

      "some people have practically no ridges and it then becomes a signal to noise battle to pick up anything at all."

      Which is a very real problem when such biometrics are used for visas.

      My wife "suffers" from this problem. It means she frequently gets to stay in airports for anything up to 5 hours past arrival, simply because they can't read her prints.

      1. Sir Runcible Spoon
        WTF?

        Re: It very much depends on the reader

        " It means she frequently gets to stay in airports for anything up to 5 hours past arrival, simply because they can't read her prints."

        They take your fingerprints at the airport now!?

        1. Anonymous Coward

          Re: It very much depends on the reader

          "They take your fingerprints at the airport now!?"

          They do in the US..

          1. Ugotta B. Kiddingme

            Re: It very much depends on the reader

            "They take your fingerprints at the airport now!?

            They do in the US.."

            citation required. Not in any of the US airports I've used in the last several years.

            1. Fred Flintstone Gold badge

              Re: It very much depends on the reader

              "citation required. Not in any of the US airports I've used in the last several years."

              Maybe if you fly inland, but if you're a foreigner they want their scan (or they just had something against me personally, but the whole row of terminals was scanner equipped :) ). They also photograph you while you're giving your prints. Although they tried not to be too obvious about it they simply don't do subtle very well :).

        2. Tikimon

          Re: It very much depends on the reader

          I had my index fingers scanned last summer at airports in Malaysia, and maybe China (I was pretty tired by then and it was all starting to blur). Yep, it's out there.

          1. Z80

            Re: It very much depends on the reader

            Japan have been scanning fingerprints of arriving foreigners since 2007.

  3. Pascal Monett Silver badge

    Of course there is an urgent need to secure things properly

    The need would have been less urgent if the whole thing had been properly researched beforehand, instead of being rushed through with marketing people having more say than the engineers.

    If the research had been correctly conducted, it would have concluded that using fingerprints was not a 100% secure solution, and the whole thing would never have made it to the market.

    Instead, we got teams who had to rush to put the thing on the market because nobody stopped to think if it actually answered the issue properly, so now somebody has to find a way to make a 3-legged horse gallop.

    The whole thing is just a waste of time and resources, but hey, terrism.

    1. jzl

      Re: Of course there is an urgent need to secure things properly

      Nothing is 100% secure. The alternative to fingerprints is passwords and they're even worse.

  4. Come to the Dark Side

    If we can print perfect replications of fingerprints, by how much does it drop the reliability of them being used as court-admissible evidence?

    1. phuzz Silver badge

      We can't print perfect replicas of fingerprints, we can only print replicas which are good enough to fool a fingerprint reader.

      Creating something which could (for example) leave false fingerprints on a knife would be much more tricky, and it's probably impossible right now.

      This article is more about how easy it is to spoof a fingerprint reader on a phone than about how good reproductions have become.

      1. Tom 13

        Re: leave false fingerprints on a knife would be much more tricky

        Not really. You do need to go the latex/gummy route, using something impregnated with the right amount of oil. Also, I believe finger print scanners actually do a better comparison than most CSI comparisons which look for five points.

  5. Mage Silver badge

    Biometrics

    Biometrics is stupid for security as you can't change a fingerprint or retina.

    It needs to be removed from passports.

    Fingerprint readers and retinal scanners etc should be illegal. They serve no purpose other than exposing privacy. Trivial to copy a fingerprint from a door or glass. You can even add a pulse.

    The sad fact is there is no secure alternative to old fashioned passwords.

    I have a couple of good ones that are learnt. I let a password manager remember all the ones that are non-financial and not local machine access. I have an address book in a safe place (never in laptop bag / with phone) that has email, user, website password.

    Different password and often different user and email for every website. None are real words or words with numbers or number substitutes.

    Biometrics is a lazy failure of a solution to security.

    1. Tessier-Ashpool

      Re: Biometrics

      One day it may be possible to do a neural scan (which is itself a biometric) and retrieve your password directly from your memories. What fun IT security are going to have in the 22nd century.

      1. Neil Barnes Silver badge

        Re: Biometrics

        Bad news, I'm afraid: the transporter beam seems to have swapped your thoughts left-right and so I can't authenticate you.

    2. Charles 9

      Re: Biometrics

      "The sad fact is there is no secure alternative to old fashioned passwords."

      Problem is that passwords are not an option for many people: particularly those with bad memories. So by declaring there's no alternative to something that's not an option, you're basically declaring there's no way possible for them to maintain security.

  6. Paul Kinsler

    I have thought of a cunning plan...

    I'll print myself a fake fingerprint, and carry it around to unlock my phone. Then anyone who copies and then tries to use my actual fingerprints will be wasting their time! :-)

    1. Sir Runcible Spoon

      Re: I have thought of a cunning plan...

      That sounds awfully like a dongle :)

    2. Captain DaFt

      Re: I have thought of a cunning plan...

      "I'll print myself a fake fingerprint, and carry it around to unlock my phone. Then anyone who copies and then tries to use my actual fingerprints will be wasting their time! :-)"

      Even more cunning; Use your nose instead of a finger.

      Easy to pretend to use a finger, then surreptitiously touch against the tip of your nose as you answer a call.

  7. Graham Marsden
    Boffin

    'there's an “urgent need...

    '...for antispoofing techniques for fingerprint recognition systems”'

    No, there's an urgent need to comprehend the fact that biometric IDs are *NOT* secure and are *NOT* substitutes for passwords or 2FA systems!

    1. Charles 9

      Re: 'there's an “urgent need...

      Then there is an EVEN MORE urgent need to comprehend the fact that some people have TERRIBLE memories such that they can't remember a password to save their life ("Was it correcthorsebatterystaple or was it rositachiquitajuanitachihuahua or was it junior?") AND don't routinely carry anything with them that can work as a second factor. How do you solve the security problem for people where the ONLY thing they can authenticate with is something they ARE (they don't know enough to have anything useful to KNOW and lack anything they HAVE)?

  8. Scaffa

    Fun fact from the pub: You can register skin from most appendages as a "fingerprint" on iOS.

    Makes it a little awkward unlocking your phone when it's cold or on the train, but we've got to take security seriously people.

  9. Ian Ringrose

    Fingerprint readers are only as good as the person that is monitoring their usage. So for example they can be secure for checking ID at immigration, as there is a person that checks a real finger is being used.

  10. gfrevivus

    Fingerprints

    Fingerprints have been copied since the 1930s. For an explanation of how, a good start is the R Austin Freeman fiction book "The Red Thumbmark". In addition I remember that years ago there were allegations that police were using fingerprint lifts to transfer fingerprints from one surface to another to incriminate individuals. A fingerprint is a stamp impressed by your finger and like any other stamp it can be copied.

  11. Charles 9

    So that still begs the question. How can you authenticate someone when the ONLY thing you can work with is a fingerprint, due to people having bad memories and not wanting to take anything else with them?

  12. gfrevivus

    Thank you for your courteous comment. I'm sorry I haven't replied sooner. I thought about this for a while as I wanted something that would look natural on a phone.

    My suggestions would be either dual biometrics using the ear print (in the natural process of putting the ear to the phone) and the fingerprint together or within a very short time period of each other, or random selection by the phone of one of the eight fingerprints (not the thumbprints). In the first, are mobile phone sensors up to the job? In the second, the phone could display a graphic of the hand with the appropriate finger coloured to show which print to use.

    These are only my suggestions but I am sure people with greater knowledge could come up with much better ideas.
