Here’s a warning we never thought we’d have to give: when you’re in an audio or video call on your phone, avoid the temptation to doomscroll or use an app that requires a lot of swiping. Doing so just might save you from getting your identity stolen through the most improbable vector imaginable — by listening to the sound your fingerprints make on the phone’s screen (PDF).
Now, we love a good side-channel attack as much as anyone, and we’ve covered a lot of them over the years. But things like exfiltrating data by blinking hard drive lights or turning GPUs into radio transmitters always seemed a little far-fetched to be the basis of a field-practical exploit. But PrintListener, as [Man Zhou] et al dub their experimental system, seems much more feasible, even if it requires a ton of complex math and some AI help. At the heart of the attack are the nearly imperceptible sounds caused by friction between a user’s fingerprints and the glass screen on the phone. These sounds are recorded along with whatever else is going on at the time, such as a video conference or an online gaming session. The recordings are preprocessed to remove background noise and subjected to spectral analysis, which is sensitive enough to detect the whorls, loops, and arches of the unsuspecting user’s finger.
Once fingerprint patterns have been extracted, they’re used to synthesize a set of five similar fingerprints using MasterPrint, a generative adversarial network (GAN). MasterPrint can generate fingerprints that can unlock phones all by itself, but seeding the process with patterns from a specific user increases the odds of success. The researchers claim they can defeat Automatic Fingerprint Identification System (AFIS) readers between 9% and 30% of the time using PrintListener — not fabulous performance, but still pretty scary given how new this is.
Despite the rigorous process controls for factories, anyone who has worked on hardware can tell you that parts may look identical but are not the same. Everything from silicon defects to microscopic variations in materials can cause profoundly head-scratching effects. Perhaps one particular unit heats up faster or locks up when executing a specific sequence of instructions and we throw our hands up, saying it’s just a fact of life. But what if instead of rejecting differences that fall outside a narrow range, we could exploit those tiny differences?
This is where physically unclonable functions (PUF) come in. A PUF is a bit of hardware that returns a value given an input, but each bit of hardware has different results despite being the same design. This often relies on silicon microstructure imperfections. Even physically uncapping the device and inspecting it, it would be incredibly difficult to reproduce the same imperfections exactly. PUFs should be like the ideal version of a fingerprint: unique and unforgeable.
Because they depend on manufacturing artifacts, there is a certain unpredictability, and deciding just what features to look at is crucial. The PUF needs to be deterministic and produce the same value for a given specific input. This means that temperature, age, power supply fluctuations, and radiation all cause variations and need to be hardened against. Several techniques such as voting, error correction, or fuzzy extraction are used but each comes with trade-offs regarding power and space requirements. Many of the fluctuations such as aging and temperature are linear or well-understood and can be easily compensated for.
Broadly speaking, there are two types of PUFs: weak and strong. Weak offers only a few responses and are focused on key generation. The key is then fed into more traditional cryptography, which means it needs to produce exactly the same output every time. Strong PUFs have exponential Challenge-Response Pairs and are used for authenticating. While strong PUFs still have some error-correcting they might be queried fifty times and it has to pass at least 95% of the queries to be considered authenticated, allowing for some error. Continue reading “PUF Away For Hardware Fingerprinting”→
Biometrics — like using your fingerprint as a password — is certainly convenient and are pretty commonplace on phones and laptops these days. While their overall security could be a problem, they certainly fit the bill to keep casual intruders out of your system. [Lewis Barclay] had some sensors gathering dust and decided to interface them to his Home Assistant setup using an ESP chip and MQTT.
You can see the device working in the video below. The code is on GitHub, and the only thing we worried about was the overall security. Of course, the security of fingerprint scanners is debatable since you hear stories about people lifting fingerprints with tape and glue, but even beyond that, if you were on the network, it would seem like you could sniff and fake fingerprint messages via MQTT. Depending on your security goals, that might not be a big deal and, of course, that assumes someone could compromise your network to start with.
When it comes to safes, mechanical design and physical layout are just as important as the electronic bits. If care isn’t taken, one element can undermine the other. That appears to be the case with this Amazon Basics branded biometric pistol safe. Because of the mechanical design, the fingerprint sensor can be overridden with nothing more than a thin piece of metal — no melted gummi bears and fingerprint impressions involved.
[LockPickingLawyer] has a reputation for exposing the lunacy of poorly-designed locks of all kinds and begins this short video (embedded below) by stating that when attempting to bypass the security of a device like this, he would normally focus on the mechanical lock. But in this case, it’s far more straightforward to simply subvert the fingerprint registration.
This is how it works: the back of the front panel (which is inside the safe) has a small button. When this button is pressed, the device will be instructed to register a new fingerprint. The security of that system depends on this button being inaccessible while the safe is closed. Unfortunately it’s placed poorly and all it takes is a thin piece of metal slid through the thin opening between the door and the rest of the safe. One press, and the (closed) safe is instructed to register and trust a new fingerprint. After that, the safe can be opened in the usual way.
It’s possible that a pistol being present in the safe might get in the way of inserting a metal shim to hit the button, but it doesn’t look like it. A metal lip in the frame, or recessing the reset button could prevent this attack. The sensor could also be instructed to reject reprogramming while the door is closed. In any case, this is a great demonstration of how design elements can affect one another, and have a security impact in the process.
Biometrics have often been used as a form of access control. While this was initially limited to bank vaults in Hollywood movies, it’s now common to see such features on many laptops and smartphones. Despite the laundry list of reasons why this is a bad idea, the technology continues to grow in popularity. [darkshark] has shown us an easy exploit, using a 3D printer to fool the Galaxy S10’s fingerprint scanner.
The Galaxy S10 is interesting for its use of an ultrasonic fingerprint sensor, which continues to push to hardware development of phones minimal-to-no bezels by placing the sensor below the screen. The sensor is looking for the depth of the ridges of your fingerprint, while the touchscreen verifies the capacitive presence of your meaty digit. This hack satisfies both of those checks.
[darkshark] starts with a photograph of a fingerprint on a wineglass. This is then manipulated in Photoshop, before being used to create geometry in 3DSMAX to replicate the original finger. After making the part on an AnyCubic Photon LCD resin printer, the faux-finger pad is able to successfully unlock the phone by placing the print on the glass and touching your finger on top of it.ster
[darkshark] notes that the fingerprint was harvested at close range, but a camera with the right lenses could capture similar detail at a distance. The other thing to note is that if your phone is stolen, it’s likely covered in greasy fingerprints anyway. As usual, it serves as an excellent reminder that fingerprints are not passwords, and should not be treated as such. If you need to brush up on the fundamentals, we’ve got a great primer on how fingerprint scanners work, and another on why using fingerprints for security is a bad plan.
We wouldn’t mind tearing down a fingerprint scanner, but we hate to bust up our expensive laptop or cell phone. [Julian], however, got a hold of a fingerprint scanning padlock and was willing to tear it apart for our benefit. The video appears below.
The padlock is a simple enough little device with a cable lock instead of a solid metal shackle, although we have seen similar devices with traditional shackles. Initially, the lock’s fingerprint storage is empty and it will open for any fingerprint. The first task is to set an administrator fingerprint. You’ll need that fingerprint to set up other fingerprints or to reset the unit. Of course, what we are really interested in is what’s inside.
In 2008, the then German interior minister, [Wolfgang Schäuble] had his fingerprint reproduced by members of the German Chaos Computer Club, or CCC, and published on a piece of plastic film distributed with their magazine. [Schäuble] was a keen proponent of mass gathering of biometric information by the state, and his widely circulated fingerprint lifted from a water glass served as an effective demonstration against the supposed infallibility of biometric information.
It was reported at the time that the plastic [Schäuble] fingerprint could fool the commercial scanners of the day, including those used by the German passport agency, and the episode caused significant embarrassment to the politician. The idea of “spoofing” a fingerprint would completely undermine the plans for biometric data collection that were a significant policy feature for several European governments of the day.
It is interesting then to read a paper from Michigan State University, “RaspiReader: An Open Source Fingerprint Reader Facilitating Spoof Detection” (PDF downloadable from the linked page) by [Joshua J. Engelsma], [Kai Cao], and [Anil K. Jain] investigates the mechanism of an optical fingerprint reader and presents a design using the ever-popular Raspberry Pi that attempts to detect and defeat attempts at spoofing. For the uninitiated is serves as a fascinating primer on FTIR (Frustrated Total Internal Reflection) photography of fingerprints, and describes their technique combining it with a conventional image to detect spoofing. Best of all, the whole thing is open-source, meaning that you too can try building one yourself.