Published in News

Fake fingerprints take down security

by on09 April 2020

They can do it 80 percent of the time

If you are determined enough to make a fake fingerprint of a phone, you can unlock it 80 percent of the time, according to a new Talos security study.

The Talos study shows how researchers spent about $2,000 over several months testing fingerprint authentication offered by Apple, Microsoft, Samsung, Huawei, and three lock makers. The result: on average, fake fingerprints bypassed sensors at least 80 percent of the time.

This was based on 20 goes for each device with the best fake fingerprint the researchers were able to create.

The Tame Apple Press is quick to point out that their favourite company is in the clear because although it was just as easy to knock over an Apple, the results required several months of painstaking work, with more than 50 fingerprint moulds created before getting one to work.

Talos researchers Paul Rascagneres and Vitor Ventura wrote. “This level of success rate means that we have a very high probability of unlocking any of the tested devices before it falls back into the PIN unlocking.”

The results show fingerprints are good enough to protect the average person’s privacy if they lose their phone. However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication.

Five laptop models running Windows 10 and two USB drives—the Verbatim Fingerprint Secure and the Lexar Jumpdrive F35—performed the best, with researchers achieving a zero percent success rate.

The reason for the better results from the Windows 10 machines, the researchers said, is that the comparison algorithm for all of them resided in the OS, and therefore the result was shared among all platforms. The researchers cautioned against concluding that the zero success-rate for Windows 10 devices and the USB drives meant they were safer.

A Samsung A70—also attained a zero percent failure rate, but researchers attributed this to the difficulty getting authentication to work even when it received input from real fingerprints that had been enrolled.

Last modified on 09 April 2020
Rate this item
(0 votes)

Read more about: