Smartphone fingerprint readers hacked by ink jet photo

By Larry Magid

canstockphoto17652788Many of today’s smartphones, including most from Apple and Samsung, have fingerprint readers that enable you to register one or more of your fingerprints to unlock your phone.  It’s very convenient – I have this feature on my Google Nexus 6 phone and use it all the time. But, according to researchers at Michigan State University, it’s not necessarily secure.

Kai Cao and Anil K. Jain from MSU’s Department of Computer Science and Engineering wrote a paper detailing how they were able to use an ink jet printer to print one of the co-author’s fingerprints and use that printout to unlock both a Samsung Galaxy S6 and Huawei Honor 7 phone.  And it wasn’t just one set of fingerprints. “We tried several fingers of different subjects and all of them can successfully hack these two phones,” wrote the authors who said that the Huawei Honor 7 “is slightly more difficult to hack (more attempts may be required) than Samsung Galaxy S6.”

They are not the first people to be able to break into a phone using spoofed fingerprints. There are even instruction pages on the web such as one called “How To Fool a Fingerprint Security System As Easy As ABC.” And there have been other studies showing how to use a laser printer to create fake fingerprints that can break into various phones, including iPhones.

Of course, there are also those who are working to thwart such spoofing. Hong Wei, Lulu Chen, and James M Ferryman from the University of Reading have published a paper on counter spoofing techniques where they recommend counter-spoofing algorithms such as “liveness detection,” which can determine if it’s a real finger attached to a live person based on “on natural features such as odor, pulse, blood pressure, temperature and electrical resistance.” But these anti-spoofing techniques often require special hardware that’s not in today’s phones. The paper also talks about ways to prevent spoofing in facial recognition systems, including motion analysis that determines that it’s a real person vs. a picture of a person.

Eventually, I think that biometrics – whether fingerprints, iris detection, face detection, voice detection or some combination of these – will get to the point where they will be extremely difficult to spoof but that’s going to require more research and more sophisticated devices and software and, of course, the bad guys will continue to develop their own techniques to get around any security measures in place.

In the meantime, I’m going to continue to use the fingerprint recognition system on my phone. I know it’s not foolproof, but few things in life are. Think about it. Your home is protected by a lock that’s almost certainly pickable by someone who really knows what they are doing. Our cars are locked but a thief can break in by breaking the glass. Most of us carry wallets and purses around with ID and money, knowing that they can be snatched by determined thieves. I’ve never lost money to a hacker, but I once had my wallet stolen. It happens.

One protection that is available in today’s phones is that the intruder has to have physical access to the phone to break in with a fingerprint. I don’t know of any way it can be done remotely. So, as long as you don’t let your phone get into the wrong hands, you’re pretty safe. Also, a lot of phones require a PIN if the phone has just been re-started so even in the unlikely event someone does figure out a way to spoof your fingerprint, it won’t do them any good if your phone is off by the time they get their hands on it.

So, it’s OK if you use a fingerprint reader to unlock your phone, but it’s a good idea not to let your phone get into the wrong hands.