posted by Fnord666 on Saturday April 11 2020, @07:05PM
from the just-put-your-thumb-here dept.

Attackers can bypass fingerprint authentication with an ~80% success rate:

Today, fingerprints are widely accepted as a safe alternative over passwords when unlocking devices in many, but not all, contexts.

A study published on Wednesday by Cisco's Talos security group makes clear that the alternative isn't suitable for everyone—namely those who may be targeted by nation-sponsored hackers or other skilled, well-financed, and determined attack groups. The researchers spent about $2,000 over several months testing fingerprint authentication offered by Apple, Microsoft, Samsung, Huawei, and three lock makers. The result: on average, fake fingerprints were able to bypass sensors at least once roughly 80 percent of the time.

The percentages are based on 20 attempts for each device with the best fake fingerprint the researchers were able to create. While Apple products limit users to five attempts before asking for the PIN or password, the researchers subjected the devices to 20 attempts (that is, multiple groups of from one or more attempts). Of the 20 attempts, 17 were successful. Other products tested permitted significantly more or even an unlimited number of unsuccessful tries.

Tuesday's report was quick to point out that the results required several months of painstaking work, with more than 50 fingerprint molds created before getting one to work. The study also noted that the demands of the attack—which involved obtaining a clean image of a target's fingerprint and then getting physical access to the target's device—meant that only the most determined and capable adversaries would succeed.

"Even so, this level of success rate means that we have a very high probability of unlocking any of the tested devices before it falls back into the PIN unlocking," Talos researchers Paul Rascagneres and Vitor Ventura wrote. "The results show fingerprints are good enough to protect the average person's privacy if they lose their phone. However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication."


  • (Score: 1) by leon_the_cat (10052) on Saturday April 11 2020, @07:42PM (#981247)

    It was never intended to stop a determined adversary.

  • (Score: 2) by Bot (3902) on Saturday April 11 2020, @08:02PM (#981260)

    A determined actor cuts your finger off.

    --
    Account abandoned.
    • (Score: 2) by Thexalon (636) on Saturday April 11 2020, @11:18PM (#981338)

      Or knocks you out with the Vulcan neck pinch, and then uses your hand while you're unconscious.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
    • (Score: 2) by mhajicek (51) on Sunday April 12 2020, @04:02AM (#981421)

      The determined state level actor holds you in prison until you unlock your device.

      --
      The spacelike surfaces of time foliations can have a cusp at the surface of discontinuity. - P. Hajicek
  • (Score: 3, Informative) by Anonymous Coward on Saturday April 11 2020, @08:44PM (#981279)

    Today, fingerprints are widely accepted as a safe alternative over passwords...

    Nope. Nobody with a brain thinks fingerprints sub for passwords.

  • (Score: 3, Interesting) by krishnoid (1156) on Saturday April 11 2020, @10:10PM (#981312)

    I mean, is there really a way to verify false positives and false negatives? At least with a password, if you press each key individually, you can confirm that you pressed all/only the keys you intended.

    With a fingerprint reader, it's not like you even get a green-on-black Hollywood picture of the scanned fingerprint and identified points, with "AUTHORIZED" in all-caps and spoken in a pleasant-sounding woman's voice. And even in those cases, it's not like it *actually* reads anyone's fingerprint. So can you *ever* genuinely tell if they're doing something?

  • (Score: 2) by Spamalope (5233) on Sunday April 12 2020, @04:48PM (#981578)

    What is the success rate for a similarly determined attacker for bypassing PINs or the entire authentication process? Haven't black hats been selling equipment touted for getting root if you plug them in?

    • (Score: 0) by Anonymous Coward on Sunday April 12 2020, @10:59PM (#981737)

      Well, for 4-digit pins, it's 1 in 10000...
      You Muppet
