Fingerprint-recognition systems are one of the mostly widely used biometrics, found on devices such as cell phones and laptops. Like any non-biometric systems, though, fingerprint sensors come with vulnerabilities. That leaves many opportunities for fooling the fingerprint sensor into false recognition.
Biometrics, in general, and fingerprints are an increasingly popular approach to providing a measure of security to equipment. Unlike passwords, a biometric authentication does not need the user to have a perfect memory or a written record somewhere, nor can it be lost or mislaid. But the many ways in which such sensors can be fooled mean that they can provide only casual security at best. Understanding how the sensors operate reveals the story of how they can be fooled.
Four types of fingerprint-sensor technology are used for consumer and commercial electronics: optical, capacitance, thermal, and ultrasonic. Both component and module-based devices are available in a variety of sizes and resolutions. Some modules are designed to be built-in, some USB-attached, while others are Bluetooth or wireless. The methods used to capture fingerprint images include touch, swipe, and roll, depending on the device. Systems then compare the captured image to a previously “enrolled” image to determine if they match.
An optical scanner, such as the Synaptics FS9100, makes a high-resolution image of the finger's ridges and valleys and, in some cases, the vein patterns beneath the skin. Both visible light and IR sensors can be involved.
A capacitance fingerprint scanner, like the Credence ID One, generates the equivalent of an image by measuring the voltage changes that a finger causes when placed over an array of electrical sensors. Ridges have a higher capacitance than valleys, thus generating a larger signal, because the skin there is closer to the sensor surface than in the valley. Some sensors apply a small voltage to the finger to get a better image.
Thermal sensors, like the devices from Next Biometrics, use an array of thermoelectric generators. When the finger touches the sensor surface, the ridges transfer more head than the valleys, resulting in a larger signal. As with the capacitance and optical sensors, the array of sensors generates the equivalent of an image of the finger's surface.
Ultrasonic fingerprint sensors are the latest in imaging technology. InvenSense and GLOBAL FOUNDRIES are collaborating on the development of this technology, and Qualcomm announced an ultrasound sensor as early as 2015. Using the intensity of reflected ultrasound, the sensor can generate a 3D map of the finger surface. Unlike thermal, capacitance, and optical sensors, which only capture 2D images, the ultrasonic fingerprint sensor works through metal, glass, and other solid surfaces. This helps the sensor more readily recognize an enrolled finger even when it is dirty or wet.
These sensors are all subject to exploitation, however. For an optical sensor, something as simple as a photograph of an enrolled finger can result in a false recognition. The image needs to be of high contrast and have a resolution equivalent to the sensor's (typically 300 to 500 pixels per inch), but those are relatively easy to acquire and reproduce. Lifting a fingerprint from another surface, or even taking a photo of someone’s exposed fingertips with a megapixel camera, can provide the basis for a suitable image.
The other scanner types cannot be fooled by a simple 2D image, but they can often be fooled by a 3D one. As with the optical fake, you first need an image of the fingerprint to be counterfeited. Once you have that image, however, there are many ways to craft a 3D copy. Mapping the image into a 3D model allows use of a 3D printer to create the fake. A skilled artist can sculpt one. Or techniques like those used in creating a PCB can be used to etch a fake fingerprint into a board.
Unlike the optical image, however, the nature of the signals involved in these other scanner technologies means that more than just the pattern of ridges and valleys must be replicated. The electrical, thermal, or sonic characteristics must also be sufficiently mimicked. This typically requires using the fingerprint image (or, better yet, the original finger) to create a negative mold and casting a fake out of suitable material. Researchers have found that things like silicone, playdough, and even the material used to make gummy bears have been used to defeat scanners. No one material seems to work on all scanners, but all scanners so far have proven susceptible to at least one material.
Vendors and researchers are actively looking to reduce these vulnerabilities, however. One approach that they are taking is to include in the assessment both the accuracy of the fingerprint being presented and its “liveness.” Living fingers have subtle features such as temperature and a pulse that are difficult to replicate with a static model. A fake fingertip overlay (like a thimble) on a living finger might defeat some of these techniques, though.
And if the sensor cannot be fooled, perhaps the database used for comparison can, if the biometrics database is not properly encrypted. Technically savvy hackers can retrieve a biometric template from the sensor's database, maliciously change the digital codes in the template, reconstruct a fingerprint from the template, and return the altered template to the database. This can then allow recognition without needing a fake fingerprint on the sensor.
A better solution, then, would be to develop new technologies that would detect hacker attacks against any type of fingerprint sensors. According to Chris Boehnen, senior program manager at the Intelligence Advanced Research Activity (IARPA), the Odin program that is set up to start in early March 2017 aims to develop just such technologies. Four prime developers will be working together to develop detection technologies that would sense “presentation” attacks on biometric devices such as those described here.
In the meantime, those planning on using fingerprint detection to provide an easy method for secure access to their equipment and data should beware. The number of vulnerabilities that sensors exhibit mean that fingerprints alone may not provide a high enough level of security.
Advertisement
Learn more about Electronic Products Magazine
