Back in 2016, researchers at Michigan State University demonstrated how, by using a scanner, an inkjet printer and conductive ink, they could produce a replica of an individual's fingerprint and use it to fool fingerprint sensors in smartphones.
Fingerprint recognition technology has become more sophisticated since then, and biometric scanners are much smarter than they were a few years ago, yet researchers from New York University have demonstrated that today's latest fingerprint scanners can be fooled just as easily and with a remarkable success rate.
Dictionary attack on fingerprint sensors works like a charm
Just as hackers launch dictionary attacks to crack user passwords on online platforms by trying a large number of passwords in a short period of time, the researchers demonstrated that by using an artificial digital fingerprint, they can imitate as many as one in five different fingerprints and thereby bypass fingerprint-based recognition systems.
The researchers have developed a set of digital fingerprints dubbed DeepMasterPrints that are visually similar to natural fingerprint images and achieve a higher success rate than MasterPrints, a set of real or synthetic fingerprints that can fortuitously match a large number of other fingerprints.
DeepMasterPrints are the products of a new method known as Latent Variable Evolution, which aims to ensure that a fingerprint sensor not only identifies a digital DeepMasterPrint as a fingerprint, but also matches that fingerprint image to many different identities.
The Latent Variable Evolution technique exploits the use of small-sized sensors with limited resolution in fingerprint applications and can spoof 23 percent, or one in five, of fingerprints. This is because small fingerprint sensors image only a portion of a fingerprint rather than the entire fingerprint, so that a user can conveniently unlock the device by placing a finger at any angle. This makes it easier for a malicious actor to present a scanner with a digital image that resembles only a portion of a user's fingerprint.
At the same time, the technique also uses various features of fingerprints that are relatively common and can be found in a large number of unique fingerprints, thereby ensuring a greater degree of success. The limitations of small sensors and the use of common fingerprint features together ensure the success of the technique.
"As new – and seemingly more robust – methods of authentication are implemented, methods of subversion emerge just as quickly. This is particularly concerning as the use of machine learning means that overcoming systems ‘locked’ by biometric authentication can be easily circumvented at scale," says James Romer, EMEA Chief Security Architect at SecureAuth.
"It just underlines that organisations cannot rely on just one method of authentication to protect their valuable data. Although this was achieved in a research setting, we can assume that the bad guys are working hard to put this technology to work.
"An effective defence requires a multi-layered approach that considers multiple factors at once to build an accurate identity of the person attempting to gain access. It is then critical that the system imposes challenges if risky login attempts are suspected. Organisations should view these findings as an opportunity to review their current authentication methods to ensure that they are considering every inevitability and putting measures in place to protect their assets," he adds.
Behaviour-based authentication could be the key
Carl Leonard, Principal Security Analyst at Forcepoint, said that the DeepMasterPrints research is another example of how biometrics can be bypassed and that it won’t be long before cybercriminals start to make use of such technology.
"We believe the next focus will be on the subversion of facial recognition technology, as per our 2019 Predictions. Unfortunately, as we build authentication gates into our systems, it is only a matter of time before academics or attackers learn how to circumvent them.
"Rather than solely relying on methods that can be defeated, organisations should take a new approach which looks at the behaviour of the individual instead of their credentials. Behaviour is much more difficult to impersonate and is a critical component to identification and trust. Only then can you detect whether the individual that got past the authentication gate is a legitimate user or a nefarious attacker," he added.