Does the Fingerprint Scanner on Your Phone Really Keep It Secure?
Jun 13th, 2018
As the news continues to report hacking incidents, both personal and corporate, we are becoming more aware of and concerned about the privacy of our digital devices. We want to be sure that our private information stays private and can’t be easily accessed by hackers.
Thankfully, the major phone manufacturers are coming up with additional security options for the most ubiquitous of these devices – the smartphone. Most smartphones now come with with fingerprint scanning technology.
Of course, that raises the question: does it really work?
How to Unlock a Smartphone
It’s easy to remember a PIN, as we have been using them for decades for various security purposes. But what other ways can we secure our smartphones?
Most industry experts agree that PINs are the most secure method, but they can be inconvenient. It gets tiring to have to unlock your phone with a PIN hundreds of times every day. Luckily, there are other options.
This method is when you trace a pre-chosen line through a grid of dots. It is more convenient, though some consider it less secure.
The design of your phone can make this feature awkward and difficult to use. But, they are incredibly fast and just takes a bit of time to adjust to.
This uses sensors on the front of your phone to identify you and unlock the phone. Iris scanning is very secure, but it does have some bad points: it doesn’t work well in low light, it has trouble scanning through eyeglasses, and you have to hold the phone very close to your face.
This newest method of unlocking your phone uses the front-facing camera to identify you. This is less secure as siblings or others who share similar features with you could unlock your phone with their face.
Fingerprint Scanner Technology
Fingerprint scanners have been considered spy level tech for decades. But in the past few years, fingerprint scanners have become ubiquitous. They have been particularly useful in law enforcement and identity security.
The same light sensor system used in digital cameras (CCD) is used in optical scanning software. It is an array of light-sensitive diodes called photosites that create electrical signals in response to light photons. Every photosite records a pixel, and the pixels form an image of the scanned item (like a finger).
According to Tom Harris from How Stuff Works:
The scanning process starts when you place your finger on a glass plate, and a CCD camera takes a picture. The scanner has its own light source, typically an array of light-emitting diodes, to illuminate the ridges of the finger. The CCD system actually generates an inverted image of the finger, with darker areas representing more reflected light (the ridges of the finger) and lighter areas representing less reflected light (the valleys between the ridges).
The scanner processor ensures a clear image, checks the pixel darkness, and rejects the scan if the image is too light or too dark. When an image is rejected, the scanner adjusts exposure time and tries the scan again.
When the scanner has a fingerprint image with good definition, Harris says, “a line running perpendicular to the ridges will be made up of alternating sections of very dark pixels and very light pixels.”
When a processor has a crisp, properly exposed image, it compares the captured fingerprint with other prints on file.
Capacitive fingerprint scanners use electrical current instead of light to define the fingerprint. The sensor is made of one or more semiconductor chips with an array of tiny cells. Every cell has two conductor plates, covered by an insulated layer. The image is amplified by the varying input and output of voltage. This creates the fingerprint image.
A third, more recent development is the Ultrasonic Scanner. The hardware is both an ultrasonic transmitter and receiver. The ultrasonic pulse is transmitted against the finger to be scanned. Absorption and rebound occur depending on ridges, pores, and other fingerprint details. This provides a 3D version technique to make it an even more secure than capacitive scanners.
One critical concern for the general public regarding fingerprint technology is the ease of hacking. It seems impossible, but it is not.
Russell Brandon, from The Verge, lamented:
In five minutes, a single person faked a fingerprint and broke into my phone. It was simple, a trick the biometrics firm Vkansee has been playing at trade shows for months now. All it took was some dental mold to take a cast, some play-dough to fill it, and then a little trial and error to line up the play-dough on the fingerprint reader. We did it twice with the same print: once on an iPhone 6 and once on a Galaxy S6 Edge. As hacks go, it ranks just a little harder than steaming open a letter.
Of course, this method only works if you have help from the person who can unlock the system. It’s also a very primitive way to get around fingerprint scanning. Some hackers use a 3D-printed mold created from a stored image of a fingerprint. In fact, Brandon said, “At the CCC conference in 2014, a security researcher called Starbug used those techniques to construct a working model of the German defense minister’s fingerprint, based on a high-res photograph of the minister’s hand.”
Despite security and firewalls, fingerprints can still be stolen. Unlike PINs and passcodes, your fingerprint cannot be changed. One credential theft creates a lifetime vulnerability.
However, there are times when having a fingerprint lock could actually help law enforcement.
When the San Bernardino government agents were working to unlock the iPhone linked to the mass shooting, the iPhone did not have a fingerprint reader. Had the suspect been in possession of a more updated phone with fingerprint tech, the investigators could simply have taken the phone to the morgue where the shooter’s body was being held and placed his finger on scanner, thus, unlocking the phone. When the police have a non-cooperating suspect, they can secure a warrant forcing the suspect to unlock his or her phone.
There are over 134 million fingerprint records between Homeland Security and Department of Defense databases. While these records are primarily used for verification, after they are collected, they could easily trigger a fingerprint reader.
There is a real risk that as more and more prints are put in databases that fingerprints may be leaked, much like credit card information, passwords, and social security numbers.
Smartphone fingerprint scanners are not nearly as secure as we believe. There are researchers who have created “master fingerprints” capable of fooling sensors.
Findings from studies at New York University and Michigan State University call the viability of fingerprint security into question. According to James Titcomb of The Telegraph, “The researchers were able to create a set of master prints that could fool a scanner up to 65 percent of the time.”
Full human fingerprints are very difficult to fake, but finger scanners on phones only read partial fingerprints. When setting up fingerprint security on a smartphone, the phone usually records eight to ten images of a finger to make matching easier. Because a single finger swipe only has to match one of the many stored images to unlock the phone, all phones are vulnerable to false matches.
Dr. Nasir Memon reports findings that indicate that, “…if you could somehow create a magic glove with a MasterPrint on each finger, you could get into 40 to 50 percent of iPhones within the five tries allowed before the phone demands the numeric password, known as a personal identification number.”
Stephanie Schuckers, a professor at Clarkson University and director of the Center for Identification Technology Research, said:
To really know what the impact would be on a cellphone, you’d have to try it on the cellphone.” She pointed out that cellphone manufacturers and other entities that use fingerprint security are looking into anti-spoofing techniques to detect the presence of a real finger versus the false fingertips that can be artificially produced.
Still, the team’s fundamental finding that partial fingerprints are vulnerable to spoofing is significant.
“What’s concerning here is that you could find a random phone, and your barrier to attack is pretty low,” said Dr. Chris Boehnen, manager of the federal government’s Odin program, which studies how to defeat biometric security attacks as part of the Intelligence Advanced Research Projects Activity.
Another way to decrease risk, according to Dr. Boehnen, is to add a larger fingerprint sensor. The good news is that some of the most recent biometric security options less susceptible to hacking. Consumers can also simply turn off fingerprint authentication when using their more sensitive phone apps, like mobile payments.
As we endeavor to improve security for our digital devices, we are finding ways that seem foolproof but are far from it. Fingerprint tech seems like a great option, but it is risky.
The great thing is that we have a choice. When you purchase your next smartphone, go with the security option that you feel is most secure – and then keep track of your phone.