Hacking a phone's fingerprint sensor in 15 mins with $500 worth of inkjet printer and conductive ink


#1

[Read the post]


#2

will we ever learn that biometrics is for confidential data* only useful as one part of a multi-factor authentication?

* say personal photos and banking account access


#3

Probably not until most of us learn to use mutli-factor authentication…


#4

No one show this to the FBI, mkay?


#5

Not too worried. I don’t use the usual (index) finger, and I don’t use the usual orientation. Combine that with its low success rate, and they will have triggered the lockout long before they get the right combination of digit & orientation. Besides, everything really important has its own unique password, and doesn’t rely on the print scanner.


#6

Biometrics are only useful when the person concerned is actually present so as to prove that the real biometric is being used. Using fingerprints for unlocking phones is a perfect example of convenience over security. It’s basically like leaving a picture of your Yale key next to your front door.
Phone makers wanted fingerprint unlock for use with payment systems. That seems to offer an advantage over chip-and-pin cards where a passcode must be entered. Personally I think that multiple keys to assets kept in multiple locations is far safer than any single point of failure method. Especially one that is so easy to fool.


#7

I am guessing this is not normal (is normal for me)? If they try to take a print from my iPad home button they are most likely to get the finger i use to push the home button rather than the one that unlocks it.


#8

You know what’s even more insecure than using your fingerprint to lock your phone? Not using a lock code at all because typing in a PIN every time you want to do something with it is such a PITA. Convenience will always trump security every single time for ordinary people.

Fingerprint sensors on phones are a huge step up in security for most people because they are convenient, and (as called out by Apple when they introduced Touch ID) most people (ie, non-nerds) weren’t using any lock code on their phones before because lock codes are inconvenient. And that will remain true no matter how many screeds Cory Doctorow writes about how biometrics suck.


#9

I work at a place implementing multi-factor auth with biometric prints. We didn’t go with fingerprint for the biometric piece in small part because of being able to transfer fingerprints. Also, since some phones will allow multiple prints (from multiple people) to be stored, we didn’t want someone’s kid’s prints unlocking our stuff. And the auth returned (yes/no) can be a black box - we don’t have always have access to the underlying code used to analyze the print so we can’t tweak tolerances, for instance. None of these are showstoppers for most developers, but it’s not strong enough for the something you are factor for the times you need something stronger and more flexible.


#10

This is my strategy!

Protip: the fingerprint reader just maps a pattern. You could use a knuckle, the tip of your nose, or whatever part of your finger is conveniently within reach of the sensor.

I let my daughter try and unlock my phone with full access to my hand and she still hasn’t gotten in.


#11

Actually, I just tested my hypothesis by registering my nose.

It has a higher failure rate (it takes a few attempts), but it does work, and more importantly, my daughter’s nose does not work.

It looks very silly, too.


#12

So long as Samsung issues customers new fingerprints in the event of a breach, what’s the problem?


#13

Don’t you already have 10 of them to start with? :stuck_out_tongue:


#14

On the iPhone I use a finger joint, not a finger tip. I’ve tested with all my other joints and none can unlock it. I’ve had a few other people try and same deal.

I don’t leave finger joint prints anywhere and it expands the choices from 10 to 36 (10 + 8 joints per hand, thumb seems too inconvenient)

They can probably compel finger joint prints too but they can’t compel me to say which one and they only get 5 tries (iPhone allows fewer attempts via finger than keying in)


#15

With the iPhone being so popular, why didn’t they use it also?

Or doesn’t this method work with the iPhone?


#16

Unlocking by fingerprint isn’t available on the model in the current high profile FBI case, if that’s what you are referring to.


#17

I think they meant to imply that this exploit has only been demoed on a Samsung. Does it still work on iPhones? Anecdotally, the answer is yes, but this can be easily foiled by using the above-mentioned joint print trick.


#18

This is great way to hack a phone. You just need to get the target to give you a fingerprint of their finger and then copy it with the ink. And somehow get their phone.

Seriously…this is teaparty branch dildolian type paranoia for these things to happen in real life. OH…someone will lift my prints from a real glass at the Golden Corral and then take that print and copy it…and eventually steal my iPhone to have the ability to see my browser history.

Because If my phone was stolen my CC company has been informed when it’s out of my physical control.


#19

You may not realize it got out of your physical control for just a while.

Possible threat model: a private eye hired by a suspicious wife or a divorce lawyer.

Or perhaps the suspicious spouse itself.


#20

I’m strictly asking while they tested just Android phones, if it worked against the iPhone you’d think they’d included it in their test (it’s not like in a CompSci Dept they couldn’t find one).