Fingerprint readers, like the TouchID on an iPhone, exist to make your device extra secure while keeping the process of unlocking it easy. Computer scientists at New York University and Michigan State are poised to turn that security benefit on its head. Like a master key that can open any lock, these researchers developed digital “master prints” that could emulate a variety of partial fingerprints well enough to hypothetically hack into a device.
The researchers wondered if there was a fingerprint equivalent to a common four-digit security code, like “1234.” Using analysis from a digital database, they discovered that, indeed, a master print could successfully mimic a random fingerprint 26 to 65 percent of the time, according to the study. Why such a huge range? It depends on the scale of the fingerprint database; the more partial fingerprints enrolled in a fingerprint sensor system, the greater the chances are that a master print could unlock it.
There are several security issues at play. One, fingerprint sensors on smartphones are usually small, and two, a user can enroll multiple fingers. What’s more, a phone usually gives you several attempts to unlock it with your print.
“The sensors are small and they don’t capture the full fingerprint,” says Nasir Memon, a computer scientist at NYU’s Tandon School of Engineering and one of the authors of the study.
And since a smartphone fingerprint sensor can be taught to recognize several different fingers, the system learns a lot of partial prints. When you place a finger on the sensor, the system doesn’t actually know which finger it is, or how you’re positioning it.
“So if any one of them match,” he says, “it will say ‘okay, that’s you.’”
Memon and his colleagues analyzed a digital database of 800 fingerprints, then extracted thousands of partial prints from that same database. They wondered: Are there any partial prints that match the others with a high probability? “We were surprised,” he says, “there were some that match like 15 percent of the time.”
It’s worthwhile to note that the experiment was computer-based, so the researchers did not try to actually trick phones using a master print. The findings are theoretical, and one prominent biometrics researcher is skeptical.