Reports in online media over the last few weeks that Germany’s Security Research Labs (SRLabs) has been able to crack the much-hyped biometric fingerprint scanner on the Samsung S5 mobile phone have created quite a stir within cyberspace. Mobile phone aficionados, security experts, members of academia, journalists and bored keyboard ninjas have been atwitter about this development, especially after the marketing efforts emphasising the security benefits of the S5.
This débâcle followed hot on the heels of a similar security vulnerability in the Apple iPhone 5s biometric fingerprint scanner identified by the Chaos Computer Club in September 2013, leading to vociferous condemnations of fingerprint biometrics as a security feature in the mobile device market.
The concept is a simple one: the fingerprint biometric scanner is bypassed by manufacturing a fake fingerprint. This is achieved by obtaining an image of the real fingerprint and using a garden-variety wood glue as filler. A life-like copy of the real fingerprint is created that is in turn recognised by the on-board fingerprint scanner. I personally would have used bathroom silicone and hot candle wax as it is easier to manipulate. A YouTube video is available that explains the steps to achieve the desired effect. This serves as proof that fingerprint biometrics are not a secure technology for mobile device applications, or any other application for that matter, if one reads between the lines.
No doubt that if you have a friend that owns at least one pocket protector, and you are unlucky enough to own either a Samsung S5 or iPhone 5s, you will shortly have to endure either a mini lecture or a demonstration of how easy it is to bypass your phone’s biometric security feature.
This of course is much ado about nothing and is purely a backlash to the hype that Samsung placed on the S5’s ability to utilise fingerprints as an added security feature for its mobile device.
Fingerprint insecurity
Practitioners of biometrics are not surprised by the news. Fake or spoof fingerprints have been a nuisance for as long as fingerprint biometric devices have been commercially available. The TV series Mythbusters, for instance, filmed a whole segment on bypassing a fingerprint biometric device using a spoof fingerprint. This segment is also available on YouTube. In fact, if one knows what to look for, there are approximately 4000 YouTube videos available on the subjects of manufacturing spoof fingerprints and bypassing biometric fingerprint devices. The availability of this quantity of videos, coupled with the doubts expressed by all and sundry, should then indicate that fingerprint biometrics are insecure and even downright dangerous. Right? Wrong!
Biometric researchers and manufacturers have been aware of the spoof fingerprint phenomenon since day one and have taken the appropriate steps to ensure that their devices are as immune as possible to spoof fingerprints. As with everything in life, there is a cost involved in any technology, and fake fingerprint detection technology is no different. You get what you pay for, and if you want to buy cheap, chances are you are not going to get what you expect out of the device, with susceptibility to fake fingerprints right at the top of that list.
Some of the better known and widely used biometric devices available today still lack a basic implementation of fake fingerprint detection technology to safeguard the end-user against spoof fingerprints. This is simply due to cost considerations and the connected profitability impact of deploying these technologies. This is bad form and places the whole industry at risk, as the Samsung/Apple débâcle has shown.
Don’t get me wrong, Samsung and Apple are not cheap products by any stretch of the imagination. The sheer quantities of these products sold on an annual basis tell one that they are quality products packed with useful features. Unfortunately, too much was made of an added security feature that many decided is the Achilles heel of these devices. This weakness was then used to knock them off their perches. Unfortunately, the knock-on effect is the perception that all fingerprint biometrics are not secure, which is erroneous.
Fashionable fail
One can only speculate about the reasons why fake fingerprint detection technology was not included in the on-board fingerprint biometric scanners of both the Samsung and Apple devices. These could include ignorance of the problems associated with fitting the technology into the form factor of the device. Smartphones are touted to be the highest functioning devices in the smallest possible form factor available. Having to change the form factor to that of a brick defeats the object of a smartphone, especially if it is for just one added security feature that forms part of the product offering and does not define the product offering itself.
The fact that thermal swipe scanners are being used, a very outdated and insecure scanning technology with a history of susceptibility to spoof fingerprints, leads me to believe that both ignorance and space in the form factor were major issues. Hopefully the next version will contain MIT optical sensors.
Don’t be surprised to see a whole industry sprout up around biometrics for mobile devices. The foremost manufacturers are already showcasing add-on and integrated devices for the mobile market that feature live fingerprint detection (LFD), multispectral imaging technology (MIT) and BioLab rated algorithms for extracting and matching minutiae points on a fingerprint. One US-based company has already launched a software platform to patch the LFD issues with the S5 and 5s even before the dust has settled.
This is the first foray for smartphone and mobile device manufacturers into biometric fingerprint scanners. I cannot imagine that these manufacturers will not provide future-dated devices with updated and more advanced biometric fingerprint scanners that are more secure, as was the case in the PC/laptop market. The advantages of biometric fingerprint scanners outweigh the disadvantages too heavily.
Samsung and Apple decided to pioneer what will undoubtedly become a mainstream feature on all mobile devices and have unjustly been thrown onto the sword because of it. It remains to be seen if either company takes steps to rectify the shortcomings in their existing devices. After all, the remedy is available, but at a price.
For more information contact Virdi Distribution, +27 (0)11 454 6006, www.virditech.co.za