Your phone’s biggest vulnerability is your fingerprint

May 3, 2016 | Russell Brandom from The Verge

Can we still use fingerprint logins in the age of mass biometric databases?

In five minutes, a single person faked a fingerprint and broke into my phone. It was simple, a trick the biometrics firm Vkansee has been playing at trade shows for months now. All it took was some dental mold to take a cast, some play-dough to fill it, and then a little trial and error to line up the play-dough on the fingerprint reader. We did it twice with the same print: once on an iPhone 6 and once on a Galaxy S6 Edge. As hacks go, it ranks just a little harder than steaming open a letter.

Of course, this particular method only works if you have help from the person whose fingerprint you need — and even then, it’s not a foolproof system. As luck would have it, my own fingertips turned out to be too smooth to leave an impression, so we had to rely on our director Phil Esposito, who had his thumb successfully molded and used it to unlock both phones.

It’s also one of the more primitive ways to bypass a fingerprint scanner. I’ve seen researchers at CITER pull off a similar trick with a 3D-printed mold, developed from a stored image rather than a real finger. If the mold is filled with rubber, you can wear that print permanently, and fool any reader small enough to fit on a smartphone. At the CCC conference in 2014, a security researcher called Starbug used those techniques to construct a working model of the German defense minister’s fingerprint, based on a high-res photograph of the minister’s hand.

It’s a good trick, and one that should make us a little bit nervous. Fingerprint readers are now an essential part of a modern smartphone, and in most cases, they make apps more secure. Most biometric readers work with isolated hardware and a zero-knowledge proof, so capturing the data in-transit isn’t enough to spoof a login. If you’re going to break in, you need the fingerprint itself. The bad news is, fingerprints can still be stolen — and unlike a passcode, you can’t change your fingerprint, so a single credential theft creates a lifetime vulnerability. What looks like a security upgrade turns out to be something much more complex.
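The paragraph above makes a claim worth seeing concretely: when matching happens inside isolated hardware and only a challenge-bound assertion leaves it, an attacker who records the traffic between sensor and phone gets nothing replayable. The following Python sketch is an added illustration, not code from The Verge or from any phone vendor. It assumes a simulated enclave that holds the enrolled template and a per-device secret, a host that issues single-use nonces, and a toy byte-equality matcher standing in for real minutiae matching; it also uses a shared HMAC key for both sides, where a real design would keep a private attestation key in the enclave and give the host only the public half.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set


class FingerprintEnclave:
    """Simulated isolated sensor/secure element (assumption, not a real design).

    The enrolled template and the device key never leave this object; the only
    thing it emits is a keyed assertion bound to the host's fresh nonce.
    """

    def __init__(self, enrolled_template: bytes) -> None:
        self._template = enrolled_template
        # Constructed per-device secret, as if provisioned at manufacture.
        self._device_key = secrets.token_bytes(32)

    def verifier_key(self) -> bytes:
        # Simplification: hand the host the same symmetric key. A production
        # design would export a public key for an asymmetric attestation key.
        return self._device_key

    def _match(self, presented: bytes) -> bool:
        # Toy matcher: constant-time byte equality stands in for minutiae matching.
        return hmac.compare_digest(presented, self._template)

    def authenticate(self, presented: bytes, nonce: bytes) -> Optional[bytes]:
        """Return an assertion over the nonce only if the print matches locally."""
        if not self._match(presented):
            return None
        return hmac.new(self._device_key, b"match|" + nonce, hashlib.sha256).digest()


class Host:
    """The phone's application processor: issues nonces, verifies assertions."""

    def __init__(self, verifier_key: bytes) -> None:
        self._key = verifier_key
        self._outstanding: Set[bytes] = set()

    def new_challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def accept(self, nonce: bytes, assertion: Optional[bytes]) -> bool:
        # Each nonce is consumed on first use, so a recorded assertion cannot
        # be replayed even if the attacker captured both nonce and response.
        if assertion is None or nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        expected = hmac.new(self._key, b"match|" + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion)


def run_login(host: Host, enclave: FingerprintEnclave, presented: bytes) -> Dict[str, object]:
    """One login attempt; returns what an eavesdropper on the bus would see."""
    nonce = host.new_challenge()
    assertion = enclave.authenticate(presented, nonce)
    return {"nonce": nonce, "assertion": assertion, "accepted": host.accept(nonce, assertion)}


def replay_captured(host: Host, nonce: bytes, assertion: Optional[bytes]) -> bool:
    """Attacker re-submits a previously captured (nonce, assertion) pair."""
    return host.accept(nonce, assertion)


if __name__ == "__main__":
    # Constructed sample template; a real template is a minutiae record, not a string.
    enclave = FingerprintEnclave(b"constructed-thumb-template")
    host = Host(enclave.verifier_key())
    first = run_login(host, enclave, b"constructed-thumb-template")
    print("genuine print accepted:", first["accepted"])
    print("captured traffic replayed:", replay_captured(host, first["nonce"], first["assertion"]))
    print("wrong print accepted:", run_login(host, enclave, b"some-other-print")["accepted"])
```

The two outcomes to notice are that the replayed capture is rejected while a presentation that matches the template is accepted: the protocol protects the channel, not the print. That is exactly why the rest of the article focuses on the print itself, and why a reader that cannot distinguish a cast from live skin is the weak point rather than the bus or the storage.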

That’s particularly true in the wake of the San Bernardino case, which saw government agents working to unlock an iPhone linked to a mass shooting. As it happens, the iPhone in question was a 5C — the last iPhone made without a fingerprint reader. But if a more recent phone had been keyed to Farook’s fingerprint, it would have been trivial for investigators to break in. As a number of morbid commentators pointed out at the time, the FBI had possession of Farook’s corpse, so they could have simply taken the phone to the morgue and placed his finger on the TouchID pad.

That’s even possible when the subject is still alive and uncooperative. A recent case in Los Angeles saw a judge issuing a warrant to force a woman’s finger onto a seized phone for the purposes of unlocking it, following her conviction for identity theft.

If that woman had been in one of the federal government’s growing databases, the warrant might not have been necessary. 3D-printed molds let any fingerprint image be transformed into a working model of that print, and police have a growing number of images to choose from. Homeland Security policy is to collect fingerprints from non-US citizens between the age of 14 and 79 as they enter the country, along with a growing number of fingerprints taken from undocumented immigrants apprehended by Customs and Border Patrol. The FBI maintains a separate IAFIS database with over 100 million fingerprint records, including 34 million “civil prints” that are not tied to a criminal file. The Department of Defense maintains a third database with yet more fingerprints collected by military officers around the world. Those records are typically used for verification, but once collected, there’s no reason they couldn’t be used to trigger a fingerprint reader, too.

As collection becomes more common, fingerprints may become one more form of easily leaked data, alongside passwords, credit cards, and social security numbers. We’ve already seen it happen when the OPM breach compromised the fingerprints of 14 million federal workers. That same credential theft can happen at a smaller scale, as criminals pull fingerprints off furniture or even from high-resolution photos. For a determined attacker, a fingerprint is easier to steal than a password: it’s visible on your body at all times, and you give it away every time you touch a flat surface. It’s still rare for a criminal to take that much trouble, but it could become more common as we rely on fingerprints for more logins. And once someone has an image of the print, making a model is trivial. 3D printers are easy to find, and a few security experts have already figured out other methods for faking a print.

Even with fingerprint readers on most phones, biometrics are still a long way from becoming the primary way into our devices. Analysts estimate less than 15 percent of iPhone logins happen through the TouchID sensor, and many phones simply won’t have the user’s fingerprint onboard. For those phones, the government’s stockpile of fingerprints is effectively useless. But for users that have logged their fingerprint, it gives police an easy way in. As the Los Angeles case shows, the government is beginning to take full advantage of that opening.

That’s not just a problem for criminals, but for biometrics in general. As long as federal agencies are collecting fingerprints in bulk, they’ll never be private, which means they’ll never be truly secure. Once it’s been collected, it can be revealed in a breach, as the OPM hack showed. For anyone hoping fingerprint readers would usher in a new era of mobile security, that’s terrible news. The new spotlight on San Bernardino and lockscreen protections only drives home the point. A fingerprint can be a personal password or it can be a government ID, but it can’t be both. In this case, the government may have already chosen for us.