New York University researchers have developed a set of master fingerprint keys that can be used to spoof biometric recognition systems.
The fingerprint database used by the researchers had a chance of falsely matching an arbitrary fingerprint one time out of 1,000, whereas the generated master keys produced a false match one time out of five.
Their paper has been published on the pre-print server arXiv. It confirms that fingerprints can be artificially generated by machine learning and used to trick databases secured by fingerprint authentication.
This is alarming because a rising number of devices, and large-scale databases such as India’s Aadhaar, use digital fingerprinting to uniquely identify users, and could come under attack by identity thieves using such ‘master key’ fingerprints.
Last year, a survey published by Counterpoint Research showed that over 50 percent of smartphones shipped had fingerprint sensors, and forecast that this number would rise to 71 percent by the end of 2018.
The issue is that these sensors capture only partial images of a user’s fingerprint, at the points where the finger touches the scanner. The paper observed that partial prints are not as unique as full prints, so the chance of one partial print matching another is high.
The researchers called the artificially generated prints “DeepMasterPrints”. They take advantage of the weakness described above to successfully spoof one in five fingerprints in a database. That database was supposed to produce only one false match in a thousand.
The researchers exploited a second weakness: some natural fingerprint features, such as loops and whorls, occur far more often than others. They generated prints containing several of these common features and found that these artificial prints were more likely to match other prints than would normally be possible. Using these most frequent features, the neural networks also produced fake prints that looked convincingly like real fingerprints.
DeepMasterPrints can be used to spoof a system that requires fingerprint authentication without needing any information about the user’s fingerprints. On the uses of such fake prints, the paper observes:
“Therefore, they can be used to launch a dictionary attack against a specific subject that can compromise the security of a fingerprint-based recognition system.”
A cybersecurity columnist and expert, Mikko Hypponen, wrote on Twitter:
“Interesting research on creating synthetic fingerprints that can match a large number of real fingerprints. These would be Master Prints, just like we have Master Keys for locks”
It will now be interesting to see whether this method of exploiting common biometric features can be used to spoof other kinds of systems, such as iris scanners.
Another matter to look into is the security of public databases that rely on biometric scanners for protection. Your friendly neighborhood thief is unlikely to create such master prints to get information from a user’s phone. But large-scale databases such as those used by governments to identify citizens, Aadhaar for example, could be spoofed by determined criminals.