"Universal fingerprint" can crack 65% of the real fingerprint identification
In modern society, the fingerprint recognition function makes the smart phone become miraculous convenience. Just a touch can be unlocked, to achieve payment, no need to enter the password. From the shop a small package of snacks, to a laptop, and even the value of one million US dollars Aston - Martin retro car, can be used to solve the fingerprints. In some of the bank's App application, with fingerprint identification can also pay bills, tens of thousands of dollars on the transfer and so on.
However, the convenience of the back will always leave people to prevent the security vulnerabilities. In a recent study by New York University and Michigan State University, it is pointed out that smartphones are easily fooled by fake fingerprint recognition, due to the many similar features of human fingerprints. In the research experiment, the researchers have been able to develop a set of synthetic super "universal fingerprint" (MasterPrints), you can unlock the current 65% of real smart phone fingerprint recognition.
Although the researchers did not apply the experimental results directly to the real mobile phone, some security experts also believe that in the actual application environment will be far below the 65% match rate, but this study is caused by the fingerprint recognition of this efficient biological Identify the security of the function.
Andy Adler, a professor of systems and computer engineering at the University of Calgary in Canada and a biometric security system expert, points out: "While there may be a little bit of a worry, the security risk is absolutely there. If one of the ten fingerprints is attacked , This probability is still great.
Kayne McGladrey, director of information security at Integral Partners, told the first financial journalist: "Theoretically, if you can get a high-definition fingerprint scan sample, it is enough to make a set of fingerprints that can be identified by the sensor, and this Even in people without any knowledge of the circumstances. "
McGladrey also told reporters that in times of urgency, criminals and police can use this method to quickly unlock the phone, or even do not know who this phone belongs to. "This is the reason why the crack is feasible, because most of the fingerprints are only hired part of the fingerprint, and most users will be set at the same time when the input of 2-4 different unlock fingerprints, which makes the possibility of cracking greatly improved "McGladrey said.
In theory, the human fingerprint is difficult to be cracked, but the smart phone fingerprint scan because it is very small, so can only read a small part of the fingerprint information. When people in the Apple or Andrews system for fingerprint input verification scan, usually only 8-10 pictures are smart phone records for future fingerprint matching.
Usually people in the fingerprint unlock, as long as the fingerprint and the picture stored in a match, you can unlock the phone, which is why the system is vulnerable to attack. "It's like you have 30 passwords, and the attacker only needs to be able to unlock the same one," said Nasir Memon, a professor of computer engineering at Tandon School, New York University's Faculty of Engineering.
Memon also pointed out that people just to create a "universal fingerprint" gloves, they can try to less than 5 times, unlock 40% to 50% of the iPhone. However, Apple said that such a probability of one in fifty thousand. Apple spokesman Ryan James said: "Apple tested a different situation, but also through the introduction of other security features to prevent the risk of false fingerprints." But because Apple and Google's fingerprint technology is mostly confidential, so the risk is difficult Is quantified.
Dr. Chris Boehnen, head of the Odin program at the US Federal Intelligence Frontier Research Program, says mobile phone manufacturers can reduce the risk of mobile phones being attacked by more complex identification technologies. "But that will make the user feel uncomfortable, for example, they need to press two or three fingerprints to unlock the phone." Dr. Boehnen said.
In contrast, hardware upgrades may be more effective in reducing risk. Such as the Samsung S8 smart phone to use a larger fingerprint scanning sensor, so that fingerprint entry becomes more clear, more difficult to be imitated.
McGladrey introduced to the first financial reporter, adding additional biometric features such as heart rate, body temperature, and further improvements to existing unlocking methods. For example, as early as 1964, the cardiologist had found that each person's heart rate was unique and could consider using the PQRST ECG feature to unlock the device. "But now, it also requires users to wear extra wear equipment to achieve." McGladrey said.
With the increasing use of biometrics in a variety of scenarios, criminals are also developing new technologies for counterfeiting. Information security expert talk about the first financial reporter, said: "Although the biological characteristics of each person is unique, unique, but any technology as long as large-scale use, especially non-field use, will be through the information network, as long as through the information network , Any technology must be converted into a computer can identify the 0-1 binary code, which does not have a unique.
McGladrey explained to the first financial reporter: "Most of the attacks against face recognition are by high-resolution images or video to cheat the camera sensor, and even use Facebook photos, video, a variety of angles to synthesize someone's video, Different from 2D face recognition. "
He also mentioned the recent Windows Hello technology to enhance security by increasing the infrared face scan function. "This feature will create a 3D image for the user, and 3D infrared images are still very difficult to be imitated." McGladrey said, "but with the fingerprint lock is similar to the user may be forced to face recognition device. Identifying technology companies also need to consider adding functionality that remotely decides lost or stolen data. "