Revenge of the Gummi Finger - Pointing at the Wrong Target


Security researchers love biometrics. They're so badly misunderstood and misreported that there are endless ways of 'breaking' them and making a big splash about how useless they are, and how foolish the device makers are for using them. The latest in this long line is the news that a few short hours after the release of the Samsung Galaxy S5 with fingerprint unlock, researchers had found a way of spoofing access using a cloned fingerprint made (mostly) of hot glue.

The story is a familiar one (indeed the researchers re-used fake fingers from an earlier attack on the iPhone 5S fingerprint sensor): Find a good quality print of the person you're targeting (from a pint glass, or the idle touch of a shop window), take a copy of it (either the old-fashioned way or with a half-decent digital camera) and then make a fake finger out of hot glue, latex, or melted-down Gummi bears. If the fake finger is good enough, which it often is, then it will pass the swipe test and unlock the device.

I'll leave it to biometrics companies to defend fingerprints in general (there are arguments on grounds of reliability, cost etc that carry some weight) and save my own opinions on biometrics as credentials for another day. However, something much more fundamental arises here which seems to be missing from the bulk of the noise around this. The fingerprint is not passed across the Internet.

In the Bad Old Days of the Internet (i.e. right now) people access their various accounts with a username and password passed across the web. We all know how well that worked out for us.

But with this new fingerprint unlock system, the password is replaced by a cryptographic key locked inside the device, so the usual threat of someone stealing your password from a phishing attack or database breach I repeat, this is a huge step forward for online security. Fingerprints themselves aren't great, but you have to look at the system as a whole to decide if it's 'safe'.
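The arrangement described above, as an added sketch that is not from the original post or from any vendor's code: the service stores only a public key, and the device signs a fresh challenge after a local fingerprint match. The challenge-response flow, the choice of Ed25519, and the names `Device`, `Service` and `demo` are assumptions made for illustration; the post does not specify the protocol.

```javascript
const crypto = require('node:crypto');

// Device: the private key never leaves this object. A local fingerprint
// match (modelled here as a boolean) only gates its use.
class Device {
  constructor() {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.publicKey = publicKey;     // registered with the service
    this._privateKey = privateKey;  // stays on the device
  }
  sign(challenge, fingerprintMatched) {
    if (!fingerprintMatched) return null; // sensor rejected the finger
    return crypto.sign(null, challenge, this._privateKey);
  }
}

// Service: stores public keys only and issues single-use random challenges.
class Service {
  constructor() { this.accounts = new Map(); this.pending = new Map(); }
  register(user, publicKey) {
    this.accounts.set(user, publicKey.export({ type: 'spki', format: 'pem' }));
  }
  challenge(user) {
    const c = crypto.randomBytes(32);
    this.pending.set(user, c);
    return c;
  }
  login(user, signature) {
    const c = this.pending.get(user);
    this.pending.delete(user); // each challenge is usable once
    const pem = this.accounts.get(user);
    if (!c || !pem || !signature) return false;
    return crypto.verify(null, c, crypto.createPublicKey(pem), signature);
  }
}

// Constructed scenario: user 'alice' is a made-up account name.
function demo() {
  const device = new Device(), service = new Service();
  service.register('alice', device.publicKey);
  const sig = device.sign(service.challenge('alice'), true);
  const ok = service.login('alice', sig);
  service.challenge('alice'); // fresh challenge, captured signature replayed
  const replay = service.login('alice', sig);
  const leaked = [...service.accounts.values()].join(''); // a database dump
  return { ok, replay, rejected: device.sign(Buffer.alloc(32), false),
           leakHasPrivateKey: leaked.includes('PRIVATE KEY') };
}
console.log(demo());
```

A signature captured in transit fails against the next challenge, and a dump of the service's account table contains nothing that can be used to log in.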

Think about this: many people are already susceptible to the 'Gummi finger' attack. Do you always wipe the grease smears off your screen after entering a pattern or PIN unlock? Do you even have a PIN at all?

And who is most likely to physically take your phone and log into it? Most likely a curious spouse, a bored child, or a mischievous friend, all of whom can probably steal your password by looking over your shoulder anyway if they really want to. And once they've got in, how many of your apps are individually locked and have their passwords cleared?

I'm guessing not many.

Feel glad if you're interesting enough for someone to target you, steal your phone, and clone your finger. You're clearly very special. And feel foolish if you are that special and you haven't taken additional steps to protect your data.

So could this be done better with login attempt lock-outs, and an optional second password?

Yes, for sure. With different services relying on the fingerprint for login (PayPal is first, but there will be others) there needs to be a stronger set of choices so we can take our security stance.

But is it the end of the world? No. Is the fingerprint feature useless? No. A concerted physical fake-finger attack on your phone is considerably less worrying than a mass theft and use of password credentials executed halfway across the globe.

Personally, I'm quite glad that Gummi fingers work on consumer-grade kit like mobile phones. If someone wants to impersonate you that badly then it's better they steal a fake finger than the real thing!