Many handheld smart devices use fingerprint scanners as the prime enabler of security. There is an ongoing debate among mobile phone experts about which is the best way to secure a phone — a fingerprint scanner or a simple PIN. There are already many naysayers when it comes to using a fingerprint scanner.
For example, a group at Michigan State University conducted an experiment in which they took a 300 dpi scan of a fingerprint and printed it with ink on glossy paper. They used this print to successfully trick the fingerprint scanner of the popular Samsung Galaxy S6 phone. On the other hand, cracking a PIN isn’t really that difficult, what with access to brute force methods and other tricks.
The debate over smartphone safety has taken a dramatic turn with the introduction of Face ID by Apple in the iPhone X. “Nothing has ever been simpler, more natural and effortless,” remarked Phil Schiller, Apple’s senior vice president of worldwide marketing. “Face ID is the future of how we unlock our smartphones and protect our sensitive information.”
While the debate still rages, there is a new dent in the reputation of fingerprint scanners. Researchers from the University of Michigan have developed something close to an AI master key that can unlock many modern smartphone devices.
Break Into Any Phone
Researchers from the University of Michigan have published a research paper called DeepMasterPrints: Generating MasterPrints for Dictionary Attacks via Latent, in which they outline an AI system that could potentially break into many modern smartphones by tricking the fingerprint scanner. What they strive to build is a “masterprint”.
A Masterprint is a real or synthetic fingerprint that matches a large number of fingerprints. It therefore has the potential to breach numerous smartphones. The researchers have developed such Masterprints using deep learning and call them DeepMasterPrints. The accuracy of DeepMasterPrints has been found to be much better than that of other available methods and tools.
“A similar setup to ours could be used for nefarious purposes, but it would likely not have the success rate we reported unless they optimized it for a smartphone system,” lead researcher Philip Bontrager, who works at the prestigious New York University’s Tandon School Of Engineering, told a tech publication.
To design a Masterprint, one needs the final product to cover the space of all fingerprints. Generative Adversarial Networks (GANs) can be used to generate synthetic fingerprints, but they are believed to be inherently unstable. The researchers hence developed a technique in which a traditional neural network first learns to generate images of fingerprints. Evolutionary optimisation then searches the latent variable space, that is, the input space of the trained neural network, for the input that produces the ideal fingerprint image. The technique therefore makes use of both advanced evolutionary optimisation methods and generative neural networks.
The researchers in the research paper state, “At a 1% false match rate, the generated DeepMasterPrints can spoof 77% of the subjects in the dataset.”
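The quoted result combines two measurements: a threshold calibrated so that 1% of impostor comparisons are accepted, and the share of subjects that a single probe matches at that threshold. The following is an added example, not code from the paper, showing how a team evaluating its own matcher could compute both from comparison scores; the score values, the subject names and the any-of-N acceptance rule for partial templates are assumptions made for illustration.

```python
# Added example: evaluating a matcher's exposure to a single "master" probe.
# All scores and subject names below are constructed for illustration.

def threshold_at_fmr(impostor_scores, fmr):
    """Return a threshold t such that accepting score > t admits at most
    a fraction `fmr` of the impostor comparisons."""
    if not 0 <= fmr < 1:
        raise ValueError("fmr must be in [0, 1)")
    ranked = sorted(impostor_scores, reverse=True)
    allowed = int(fmr * len(ranked) + 1e-9)  # impostor accepts we tolerate
    return ranked[allowed]


def measured_fmr(impostor_scores, threshold):
    """Fraction of impostor comparisons accepted at `threshold`."""
    return sum(s > threshold for s in impostor_scores) / len(impostor_scores)


def coverage(probe_scores, threshold):
    """Fraction of subjects for whom ONE probe is accepted by ANY of their
    enrolled templates (assumed any-of-N policy for partial prints)."""
    hits = [sid for sid, scores in probe_scores.items() if max(scores) > threshold]
    return len(hits) / len(probe_scores)


def any_of_n_fmr(fmr, n_templates):
    """Chance a random impostor probe is accepted when it is compared
    independently against n enrolled templates at per-comparison `fmr`."""
    return 1 - (1 - fmr) ** n_templates


# Constructed impostor score distribution: 1000 comparisons scoring 0..999.
IMPOSTOR_SCORES = list(range(1000))
# Constructed scores of one probe against four subjects' enrolled templates.
PROBE_SCORES = {
    "subject_a": [100, 995, 200],
    "subject_b": [300, 400, 500],
    "subject_c": [989, 10, 20],   # equals the threshold: not accepted
    "subject_d": [990, 1, 2],
}

if __name__ == "__main__":
    t = threshold_at_fmr(IMPOSTOR_SCORES, 0.01)
    print("threshold at 1% FMR:", t)
    print("measured FMR:", measured_fmr(IMPOSTOR_SCORES, t))
    print("probe coverage:", coverage(PROBE_SCORES, t))
    print("per-subject FMR with 12 templates:", round(any_of_n_fmr(0.01, 12), 4))
```

Under the assumed any-of-N rule, the last figure shows that a 1% per-comparison false match rate grows to roughly 11% per subject once 12 partial templates are enrolled.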
The paper successfully tested the technique of searching the latent space of a generator network for images or text that meet a given objective. The researchers feel that the techniques used in this project can be exploited for other tasks in the computational creativity domain. They said, “This idea is surprisingly under-explored and could be useful in computational creativity research as well as other security domains.”
The result is that DeepMasterPrints are more successful than counterpart methods at matching fingerprints belonging to a large number of identities. The method also generates complete images, which can be used in many security applications. Experiments show that the method invented by the researchers is robust and not dependent on artefacts of any particular fingerprint matcher or dataset.
The choice of datasets was also an important decision in the whole setup. The rolled fingerprints came from the publicly available NIST Special Database 9 fingerprint dataset, which contains 10 fingerprints of 5,400 unique persons, where each fingerprint is an 8-bit grayscale image. The capacitive images come from the FingerPass DB7 dataset, which has 12 partial fingerprints of size 144 × 144 pixels at a resolution of 500 dpi.
Assessing vulnerabilities and fixing them is an ongoing process. The research done by the NYU researchers sheds light on some vulnerabilities that can be exploited quite easily by smart hackers. Hence the best thing to do is to draw attention to these vulnerabilities so that companies are encouraged to fix them.
The researchers say there are two important things designers can learn from this work to secure a system:
- They can learn the immediate threat level and risks
- They can get a concrete attack vector to protect against
Lead researcher Bontrager told a tech publication, “Without verifying that a biometric comes from a real person, a lot of these adversarial attacks become possible. The real hope of work like this is to push toward liveness detection in the biometric sensor.”