Two Michigan State University researchers have used normal off-the-shelf inkjet printers to show how fingerprint readers on popular smartphone models can be tricked into unlocking the devices by using fingerprint copies made with special printer inks.
The experiments, conducted by researchers Kai Cao and Anil K. Jain of the Department of Computer Science and Engineering at Michigan State University (MSU), found that several popular phone models, including the Samsung Galaxy S6 and Huawei Honor 7, could be tricked into being unlocked using this method.
Their work was detailed in a research paper, “Hacking Mobile Phones Using 2D Printed Fingerprints,” that was published on Feb. 19.
Fingerprint readers have become prevalent in many available smartphones, such as late-model Apple iPhones, Samsung Galaxy devices, the HTC One Max and others, but the technology has not been thoroughly vetted against such attacks by hackers, they wrote.
“It has been forecasted that 50 percent of smartphones sold by 2019 will have an embedded fingerprint sensor,” they wrote. “With the introduction of Apple Pay, Samsung Pay and Android Pay, fingerprint recognition on mobile devices is leveraged for more than just device unlock; it can also be used for secure mobile payment and other transactions.”
Despite this “growing usage and claimed security of fingerprint recognition for mobile unlock and payment, spoofing attacks on the embedded fingerprint systems have not been investigated in detail,” the researchers wrote. “Spoofing refers to the process where the fingerprint image is acquired from a fake finger (or gummy finger) rather than a live finger.”
Other researchers have also looked at this issue, including Germany’s Chaos Computer Club, which used a fingerprint lifted off a glass surface to make a copy that was used to break into a device, the paper reported.
To prove their conclusions, the MSU researchers used a Brother MFC-J5910DW inkjet printer that was loaded with three AgIC4 silver conductive ink cartridges and a normal black ink cartridge, according to their research paper. A fingerprint of a phone’s authorized user was scanned at 300 dpi or higher resolution, then reversed or mirrored before being printed onto the glossy side of a piece of AgIC special paper.
“Once the printed 2D fingerprints are ready, we can then use them for spoofing mobile phones,” the paper continued.
Using the test Samsung Galaxy S6 and Huawei Honor 7 phones, the researchers “enrolled the left index finger of one of the authors [of the study] and used the printed 2D fingerprint of this left index finger to unlock the fingerprint recognition systems in these phones,” the paper states. The spoofed fingerprint was able to successfully unlock both the Samsung Galaxy S6 and Huawei Honor 7 phones.
Additional tests confirmed the original results. “We tried several fingers of different subjects and all of them can successfully hack these two phones,” the paper states. “But [the] Huawei Honor 7 is slightly more difficult to hack (more attempts may be required) than [the] Samsung Galaxy S6.”
The research, they concluded, “further confirms the urgent need for anti-spoofing techniques for fingerprint recognition systems, especially for mobile devices, which are being increasingly used for unlocking the phone and for payment.”
At the same time, they wrote, “it should be noted that not all the mobile phones can be hacked using the proposed method. As the phone manufacturers develop better anti-spoofing techniques, the proposed method may not work for the new models of mobile phones. However, it is only a matter of time before hackers develop improved hacking strategies, not just for fingerprints but other biometric traits as well that are being adopted for mobile phones (e.g., face, iris and voice).”
Fingerprint security methods are being used by more businesses today. In February, MasterCard announced that it is planning to launch fingerprint and selfie biometric identification options for customers in the United States and in other parts of the world this summer as it finds that users are comfortable and confident with the technology, according to an earlier eWEEK story.
The expansion of the program, which began last July as a trial project to see how consumers would respond to the use of selfies and fingerprints to replace passwords for their online purchases, comes after a large test was conducted in Amsterdam involving some 750 users over six months. With the success of the Dutch tests, MasterCard said it will be launching selfie and fingerprint biometric identification technologies for online purchases in the United States, Canada and parts of Europe in the summer of 2016.