Your fingerprint scanner isn’t as secure as you think!
Manufacturers need to add just one more feature to make you truly safe
The headline is not clickbait. It’s not been framed to get you all frightened, get you to read the column and then give you some superfluous wishy-washy stats about your mobile phone security. This is a real problem with real world consequences. Pay attention, as I may ask questions later.
Super convenient, but...
The fingerprint scanner has changed the world. It unlocks your phone/tablet/laptop in a microsecond, you can do it without even looking at the screen, no password to key in, it can now get you into your car (the very expensive ones till now), your office, an executive bathroom, mark your attendance, pay your bills and make a credit card payment on your device without any other input. Super convenient and game changing, right? Also, very insecure and creates a huge gaping security hole!
For centuries, we’ve been told that our fingerprint is unique and foolproof. A single fingerprint isn’t just about the loops, arches, and ridge endings but also about the location of each part of it. That’s what makes it unique and that’s why it’s been the weapon of choice for documents, security and crime-solving for centuries. It’s also why the fingerprint scanner gives us such comfort when we use it. It’s wired to our unique fingerprint, thus can’t be broken into. Unfortunately, that’s not true. While our fingerprint is quite unique, the scanner reading our fingerprint can be quite a piece of junk.
Most of these scanners, especially those on phones and laptops, are very small and thus can only read a small part of your full fingerprint. That’s why you have to keep pressing your finger repeatedly on the scanner when you input your fingerprint the first time. Typically, most phone scanners take about six to 10 images. But to unlock your phone it needs to match only one of those stored images, so a false positive (someone else’s finger being accepted) becomes far more likely. This is done to give you that awesome microsecond response time that makes it so convenient. To really give you much tighter security, the phone scanner needs to be much bigger, take full images of your fingerprint with no misses, needs a good five to seven minutes to set up a single fingerprint, and needs you to put your finger against the scanner multiple times to open up your phone. Try finding a phone brand willing to do that, or a consumer who uses the fingerprint scanner as the ‘convenient’ way to open their phone and would put up with it.
Because of this major flaw in the way a fingerprint scanner works, it’s not difficult to fool it. Multiple studies have been done where a master-print (think of it as a master-key that opens all hotel doors) has been able to open a majority of phones. Researchers at New York University and Michigan State University were able to get into about 50 per cent of the phones without the owners’ fingerprints being used. Not exactly the stuff that security dreams are made of.
Imagine a master glove being sold on Amazon and Flipkart for Rs 99 that could get into 50 per cent of all phones around you. What a great party trick that would be. Others have been able to do it with a partial print lifted off a glass or mug, recreated using a cheap fingerprint kit and tape.
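The arithmetic behind the “match any one of several partial images” problem, as an added illustration that is not from the column: every stored partial image is a separate chance for a stranger’s finger to be accepted, so the chances multiply with the number of images, enrolled fingers and allowed attempts. The per-image false accept rate and the enrolment and attempt counts are assumptions chosen for the example, not vendor figures.

```python
"""Model of how 'match any one stored partial image' inflates false accepts.

Added illustration, not from the column. The per-template false accept
rate (FAR) and the enrolment/attempt counts used below are assumptions
chosen to make the arithmetic visible, not figures from any vendor.
"""


def effective_far(per_template_far: float, templates_per_finger: int,
                  fingers_enrolled: int, attempts: int) -> float:
    """Probability that a random (non-owner) finger unlocks the device.

    Each stored partial image is an independent chance for a stranger's
    print to be accepted, because the scanner only needs ONE of them to
    match. With N templates per finger, F enrolled fingers and A tries
    before lockout, the stranger gets N*F*A independent comparisons.
    """
    if not 0.0 <= per_template_far <= 1.0:
        raise ValueError("per_template_far must be a probability")
    chances = templates_per_finger * fingers_enrolled * attempts
    if chances < 1:
        raise ValueError("need at least one comparison")
    # P(at least one false match) = 1 - P(every comparison rejects)
    return 1.0 - (1.0 - per_template_far) ** chances


def far_table(per_template_far: float, fingers_enrolled: int, attempts: int):
    """Effective FAR for 1, 6 and 10 stored partial images per finger
    (the column says phones typically store six to ten)."""
    return {n: effective_far(per_template_far, n, fingers_enrolled, attempts)
            for n in (1, 6, 10)}


if __name__ == "__main__":
    # Assumed figures: 1-in-50,000 per-template FAR, 5 fingers enrolled,
    # 5 attempts allowed before the device falls back to a passcode.
    for n, far in far_table(1 / 50_000, 5, 5).items():
        print(f"{n:2d} partial images per finger -> about 1 in {round(1 / far):,}")
```

With the assumed inputs the odds go from roughly 1 in 2,000 for a single full image to roughly 1 in 200 for ten partial images per finger, which is why a short-idle PIN fallback limits what a single lucky match can do.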
There are newer pieces of technology coming in with much larger scanners, ultrasound technology as well as lasers as part of the scanner, but these are far away from being launched, and expensive. So they are not a current solution, either for what you’re doing with your phone or for those planning to break into it.
And for all of those that think the way out of this is to use Face Unlock, well, wait for my column on that very soon. It may be even more insecure.
I’m not going to end by telling you to stop using the fingerprint scanner on your phone (you won’t do it). What I will do is ask all phone manufacturers to add one additional security option for us all: a requirement to input a four-digit PIN if the phone hasn’t been used for 30 minutes. Slightly inconvenient, but massively secure.
Rajiv Makhni is managing editor, Technology, NDTV, and the anchor of Gadget Guru, Cell Guru and Newsnet 3
Techilicious appears every fortnight
From HT Brunch, September 2, 2018
First Published: Sep 01, 2018 19:44:02