A “Master” Fingerprint that can spoof any fingerprint

A "Master" Fingerprint that can spoof any fingerprint 1

DeepMasterPrints: AI generated fingerprints that can spoof any fingerprint sensor-enabled system or unlock any smartphone has been created by a team of US Researches.

Trend of growing fingerprint enabled devices
Source: Market Outlook CY2017Q2 & Counterpoint Research

With a research from Counterpoint Research stating that over one billion fingerprint sensor-enabled smartphones expected to be sold in 2018. That puts at risk an enormous number of devices at risk with presumably an equal or more being added in 2019.

Researchers break Fingerprint sensor security

In an article published on ArXiv, the researchers demonstrated their method of using an AI generated fingerprint to trick fingerprint authentication systems.

The method named DeepMasterPrints is based on a system named MasterPrints, which uses fortuitous dictionary attacks to match with large numbers of fingerprints, thus undermining the security of such systems.

While traditional MasterPrints attacks have a success rate of 0.1% , the DeepMasterPrints method has demonstrated a success rate of 20%.

While these may not be massive numbers when it come to smartphones as they limit the number of retries typically, however, a public database that relies on biometric authentication (you know we’re talking about you Aadhar!) can be a major risk.

DeepMasterPrinting – what does this really mean?

DeepMasterPrint Results
DeepMasterPrint Results

The premise of MasterPrint lies in the fact that these fingerprint sensors scans only a partial fingerprint image as a user will typically not make a full contact.

Which means, these partial prints, are not as distinctive and can be undermined with a success rate of (as noted earlier) 1 in 1000.

The researches from NYU used two methods, first to train a neural network to generate images of fingerprints, and then look at latent features in the fingerprints (loops, etc.) to generate a fingerprint that matches with as many other fingerprint images as possible.

What is the impact?

It’s unlikely that the exploit will impact the general public that rely on fingerprints to access phone, except in cases of targeted attack on high value target.

However, public databased that relies on biotmetics for identity authenticaion, like India’s Aadhar / UIDAI system, are at massive risk especially given the level of corruption prevalent in third world countries.

ALSO READ  120 Million Facebook Accounts hacked

Leave a Comment