Fusion reports:
A man was murdered, and the police think there might be clues to who murdered him stored in his phone. But they can’t get access to the phone without his fingerprint or passcode. So instead of asking the company that made the phone to grant them access, they’re going another route: having the Jain lab create a 3D printed replica of the victim’s fingers. With them, they hope to unlock the phone.
The numerous media reports I’ve read about this case don’t mention what type of smartphone the police are trying to break into, but my hunch is that it’s an Android.
There are some big differences between how iOS and Android devices implement fingerprint authentication, and some of the design decisions Apple made make the scenario described above highly unlikely.
For instance, an iPhone or iPad will time out the fingerprint sensor every time the device is restarted or after 48 hours of inactivity, requiring you to enter your passcode instead.
However, on Android 4.4 – 5.1.1 the fingerprint unlock *never* expires. Even with Android 6.0 Marshmallow, which adds an official fingerprint authentication API for the first time, I don’t believe there are any set requirements for when the fingerprint unlock should expire.
It seems to me that fingerprint security has been pretty sloppy generally on Android, with some smartphones even storing unencrypted images of users’ fingerprints in a non-protected folder.
Why not just use the dead guy's finger?
Is anyone else worried about the security and privacy implications of the rise in the use of biometric authentication?
In the example above, the phone's designers make the assumption that a real finger is required for successful log-on. But the story above of police copying a fingerprint isn't the first time this has been done – a number of similar schemes have been successfully demonstrated defeating fingerprint readers. And, crucially, once your fingerprint has been stolen and copied, YOU CAN'T CHANGE IT – ever! That gives a whole new, frightening meaning to the term 'identity theft'.
At their most basic, encryption systems rely on having an algorithm – the methodology by which the data is encrypted (like the workings of a particular model of lock on your door), and a changeable key – a unique 'tweak' to the algorithm (like the key to that lock). The security of the system depends on the combination of algorithm and key. Normally, it's accepted that ultimately the algorithm will become public (even if it starts off secret), and therefore the security lies principally with the key. If the key is stolen or discovered, then anything protected by it is compromised, but at least you can change it and the security of the system going forwards remains protected.
As I see it, in biometric authentication systems, the 'algorithm' is the knowledge of how to read a fingerprint (or whatever) – and in the case of an attacker, copy it successfully and economically, and the 'key' is the individual fingerprint (or whatever). But we leave fingerprints everywhere, so the key is not secure. And IT'S NOT CHANGEABLE! That puts ALL the security back with the algorithm – i.e., the security of the system depends entirely on the hardware difficulty of creating a working copy fingerprint. And it's already been done – the only step remaining being how to do it reliably, quickly and cheaply.
The same argument can be used with any biometric authentication system – basically, I believe if it can be read, then (ultimately) it can be copied. I'd be really pleased if someone could convince me I'm talking nonsense, but I don't think I am. And, for the moment, the day my bank requires me to submit a fingerprint to log on will be the day I change bank.
Comments?
[Originally posted on one of the referenced pages.]
Sounds like you would appreciate my video, "Fingerprints are not the same as passwords"
https://grahamcluley.com/video-fingerprints-passwords/
So you agree with me that it's a problem :( . So why are so many systems going down the route of biometric authentication? What can we do to discourage it? I don't believe saying these systems must secure the fingerprint (or whatever) data securely is enough – it's a start, but that some of these systems will ultimately get hacked (even if 'properly' secured) is an absolute CERTAINTY.
I have an Android, version 6.0.1. Looking at the Settings/Lock screen and security/Screen lock type/Fingerprints, it says "To use your fingerprints to unlock your device, you must set a pattern, PIN, or password. Remember it, as you will need to use it when: -The device has been restarted. -The device has not been used for more than 24 hours." If they haven't already used the fingerprint to get into the phone, their 24 hours is probably up by now.
Biometrics are meant to be used in conjunction with other factors of authentication, not on their own. Minimum 2FA (not 2-step!) should use a combo of Bio+password (or PIN) or BIO+token, or token+PW/PIN etc. Best would be 3FA using something you have (Token), something you know (PW/PIN), something you are (iris, fingerprint, face recog, etc), and now we have somewhere you ARE (IP address, LTE location etc).