Biometric fingerprint scanners hacked with AI

Researchers at New York University are using AI to dupe fingerprint scanners.
26 November 2018


Based on unique and ‘unchangeable’ physical traits, biometric security measures, such as fingerprinting, iris scanning and voice recognition, are often regarded as some of the most secure methods of verifying an individual’s identity.

Now, though, it seems even these methods of security are vulnerable to being compromised digitally. Researchers from New York University (NYU) have developed an artificial intelligence (AI) tool that can synthesize human fingerprints in order to dupe biometric security systems.

Fingerprinting technology is used in billions of smartphones and other devices around the world, so the findings are of real concern, particularly as the fake fingerprint, dubbed “DeepMasterPrint”, was able to trick touch-based authentication systems one in five times.

Researchers compared it to “a master key that can unlock every door in the building”, adding that it could “theoretically unlock a large number of devices”.

While the use of AI is new, the concept of a universal print comes from earlier NYU research that set out to exploit the fact that the majority of fingerprinting devices are designed to read just a partial fragment of a fingerprint, given how unlikely it is that a user will place their finger down the same way each time.

Instead, much as with an iPhone’s fingerprint system, users are typically required to enroll multiple images, meaning that a match against any one partial print is enough to confirm identity.

However, these partial prints are much less likely to be unique, so the researchers were able to ‘stitch’ together multiple fragments in order to create a ‘MasterPrint’ capable of ‘tricking’ fingerprint verification systems.

In the most recent study, the research team trained a machine-learning algorithm to generate synthetic fingerprints as MasterPrints which, says NYU, could be used to launch a “brute force” attack on fingerprint-accessible systems where fingerprint images are cached.

“Fingerprint-based authentication is still a strong way to protect a device or a system, but at this point, most systems don’t verify whether a fingerprint or other biometric is coming from a real person or a replica,” said Bontrager, a doctoral student and lead author of the research paper.

It’s certainly not the first time the security of fingerprint scanners has been brought into question, though. In 2013, for example, the hacker collective Chaos Computer Club revealed how to hack the iPhone’s fingerprint scanner with traditional fingerprint cloning techniques.

But when it comes to the method pioneered at NYU, the danger lies in its potential scale. It’s been compared to a ‘dictionary attack’ against character-based passwords, where a hacker can run a pre-generated list of common passwords against a security system.

The upshot is that while it’s unlikely it would be targeted at a specific individual, if ‘DeepMasterPrint’ technology were to be used maliciously, it could potentially be utilized on a large scale.
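
The two mechanisms described above, accepting a match against any enrolled partial print and trying a pre-generated list of candidates, can be put into numbers when sizing enrollment counts and lockout limits. The Python model below is an added example, not code from the NYU research; it assumes every comparison is independent, and all rates in it are constructed values, not figures from the study.

```python
import random

def any_match_far(fmr: float, templates: int, attempts: int = 1) -> float:
    """Chance an impostor print unlocks when a match against ANY enrolled
    partial template is accepted (comparisons assumed independent)."""
    return 1.0 - (1.0 - fmr) ** (templates * attempts)

def dictionary_far(per_print_fmr, templates: int, attempt_limit: int) -> float:
    """Same policy, but each candidate print has its own per-comparison match
    rate and only `attempt_limit` candidates are tried before lockout."""
    miss = 1.0
    for p in sorted(per_print_fmr, reverse=True)[:attempt_limit]:
        miss *= (1.0 - p) ** templates
    return 1.0 - miss

def max_templates(fmr: float, attempts: int, target_far: float) -> int:
    """Largest enrollment count that keeps the system-level rate <= target."""
    if not (0.0 < fmr < 1.0 and 0.0 < target_far < 1.0):
        raise ValueError("fmr and target_far must be strictly between 0 and 1")
    n = 0
    while any_match_far(fmr, n + 1, attempts) <= target_far:
        n += 1
    return n

def simulate(fmr: float, templates: int, attempts: int,
             trials: int = 50_000, seed: int = 1) -> float:
    """Monte Carlo check of any_match_far using a seeded RNG."""
    rng = random.Random(seed)
    comparisons = templates * attempts
    hits = sum(
        any(rng.random() < fmr for _ in range(comparisons))
        for _ in range(trials)
    )
    return hits / trials

if __name__ == "__main__":
    FMR = 0.001  # constructed per-comparison false match rate, not from the study
    for k in (1, 4, 12):
        print(f"{k:2d} templates, 5 attempts: {any_match_far(FMR, k, 5):.4f}")
    print("simulated, 12 templates:", simulate(FMR, 12, 5))
    # Constructed candidate list: two prints match far more often than the rest.
    rates = [0.02, 0.001, 0.05, 0.001]
    print("dictionary, 2 tries:", round(dictionary_far(rates, 12, 2), 3))
    print("templates allowed for 1% target:", max_templates(FMR, 5, 0.01))
```

With these constructed rates, going from one enrolled template to twelve raises the system-level false accept rate roughly tenfold, which is why enrollment count and attempt limits have to be set together.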