Artificial fingerprints have been developed by researchers who say they could one day be used to hack into everyday devices.
Researchers from New York University and Michigan State University successfully generated what they call “DeepMasterPrints” earlier this year. These are machine-learning methods that act as a kind of “masterkey” which, the researchers claim, have the potential to unlock around one in three fingerprint-protected smartphones.
In the paper released in October, the authors said synthetic fingerprints could be “used by an adversary to launch an attack … that can compromise the security of a fingerprint-based recognition system.”
Philip Bontrager, Aditi Roy, Julian Togelius, Nasir Memon and Arun Ross, the researchers behind the study, said the way fingerprints were recognized on smartphones and other devices was often problematic.
“Phones and many more devices don’t capture your entire fingerprint,” they told CNBC over the phone. “There’s not enough space on the device, so they capture a partial fingerprint — which is not as secure as the full image. (People assume) the device stitches images of their fingerprint together, but that’s not really what happens — it keeps sets of partial fingerprints.”
For each finger stored in place of a password, the device keeps multiple images. If someone then uses their finger to unlock that device, they only need to match one of the partial fingerprint images on its security system.
“If you store images for three of your fingers the device may keep around 30 partial fingerprints,” the researchers said. “With MasterPrints you just have to create a few — five or ten and I’m in business.”
They added that this could unlock a “reasonably large” number of phones — just under a third.
“If every fifth phone works it would be a profitable scam,” they said.
While the researchers told CNBC that their findings could be a potential threat to security systems, there were things software developers could do to make such an attack harder to pull off.
“Research in assessing vulnerabilities in a fingerprint recognition system is a constant arms race between fixing vulnerabilities and discovering new ones,” the paper said. “It is important for researchers to probe for new vulnerabilities so that loopholes can be fixed.”
Many developers were already making fingerprint scanners more secure by moving sensors from devices’ buttons to screens, allowing them to pick up higher resolution images.
“Some smartphones have the sensors on the side buttons, which are very thin — they’re convenient but less secure,” the researchers told CNBC. “Their sensors only register a quarter or so of the fingerprint’s features.”
What’s at stake?
Most smartphones give users the option to set up fingerprint recognition as a way to access their device, as well as a way to verify payments and unlock bank accounts. Amazon’s U.K. site offers more than 2,000 products relating to fingerprint security, including padlocks and safes.
In July, it emerged that Mastercard was in talks with British banks about introducing cards with integrated fingerprint scanners, opening the market up to biometric payment systems.
Big firms are also using biometrics to provide smoother experiences for customers. Delta already allows its passengers to use their fingerprints to board flights and access airport lounges, and car rental firm Hertz recently unveiled a biometric system at Atlanta International Airport to make renting a car up to 75 percent faster.
Clear, the firm behind Delta and Hertz’s fingerprint recognition technology, told CNBC via email that as long as companies provided the appropriate security, there was “no question” that biometrics were more secure than a traditional ID.
Clear “does not rent, sell or share member data. The platform is also Safety Act Certified by the Department of Homeland Security as a Qualified Anti-Terrorism Technology,” a spokesperson told CNBC via email this week.
“We go to great lengths to secure member data, protect privacy, and enable exceptional experiences. We operate a closed network that is not exposed to the internet, and our members’ biometrics are encrypted at all times, in transit and at rest.”
Spokespersons for smartphone makers Apple and Google were not immediately available for comment when contacted by CNBC. Mastercard and Samsung declined to comment on the research.