Most of us consider the Touch ID sensor on our iPhone and iPad to be very secure and it actually is. Touch ID makes our lives is easier by not only allowing us to unlock our devices but also make purchases, secure notes, download apps from the App Store and more. However a new research conducted by New York University and Michigan State University has found a way to fool the fingerprint sensors on our smartphones.
The researchers were able to create fake fingerprints digitally composed of features commonly found on human fingerprints. The fake prints dubbed as MasterPrints, which were developed in computer simulations were able to match real prints similar to the ones used by smartphone fingerprint sensors 65% of the time. This of course was done in computer simulations and the research was not done on real phones. The security experts note that real world success rates of digitally created fake prints would be much lower than the 65% success rate from the simulations.
The problem arises due to the small size of fingerprint sensors found on iPhone and many Android devices. While the full human fingerprint is hard to falsify, the fingerprint scanners on most devices are small so they record a portion of the finger and matches that portion with previously recorded data to authenticate each scan. The phones store several images of the fingerprint from different angles during the set up process. When authenticating a fingerprint scan the scan only has to match one of the stored images to be successful.
Dr. Memon said their findings indicated that if you could somehow create a magic glove with a MasterPrint on each finger, you could get into 40 to 50 percent of iPhones within the five tries allowed before the phone demands the numeric password, known as a personal identification number.
When Apple was asked about this research the company noted that the chance of iPhone falling victim to a false match attack was 1 in 50,000 with one fingerprint enrolled. The company says that it has incorporated security features to prevent false matches on iPhone’s Touch ID sensor. The fact that Apple does not give anyone access to fingerprint images stored on the device also makes the system less vulnerable.
While this study has not proven that fingerprint technology used on smartphones, tablets and now computers is insecure however it has revealed that they are vulnerable if attackers are able to create perfect circumstances.