Before the popularity of fingerprint sensors on mobile and tablet devices, these sensors were reserved for the most premium workplaces and electronic goods as well. Apple came around and changed all that with its revolutionary Touch ID of course. However, the first iteration of Touch ID was not secure at all, with hackers being able to get through it within 48 hours of its release with a fake fingerprint. Releases and sensors since then have changed to become more secure, which was very much a need of the hour if the phone manufacturers were to use them as a selling point on their devices.
A recent study published by Cisco’s security group Talos, however, has a warning for the fingerprint users. They say that those people who could be targeted by state-sponsored hackers, as we have seen increasing in number recently, or those who could be the target of other skilled, well-financed and determined attack groups should maybe not use fingerprint sensors for security at all. This statement comes after the group tested the fingerprint authentication offered by various manufacturers such as Apple, Samsung, Huawei, Microsoft, and three other lock makers. Consequently, the found that fake fingerprints were able to get through the authentication “at least once roughly 80 percent of the time.”
The group had started by creating molds of the fingerprints, about 50 of which were created, before going to test the devices. Each of the device chosen was given 20 attempts with the best fingerprint mold created. Of these 20 attempts, 17 were successful, the report published. The devices most susceptible were AICase padlock, Huawei Honor 7x and Samsung Note 9, with the researchers having a 100 percent success rate. 90 percent success rate was reported for iPhone 8, MacBook Pro 2018 and Samsung S10 devices.
Laptops running Windows 10 and two USB drives chosen for this test, the Verbatim Fingerprint Secure and the Lexar Jumpdrive F35, performed the best. A reason for this, the researchers believed, was that the comparison algorithm for Windows 10 resided in the Operating System itself, meaning that the results are shared amongst other platforms.
Talos researchers Paul Rascagneres and Vitor Ventura opined that “The results show fingerprints are good enough to protect the average person’s privacy if they lose their phone. However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication.”
While this is a thought-provoking research, the study itself has explicitly stated that this testing required several months of work that has gone into creating the fingerprint molds, before successfully creating the one that worked against the device. So, the big picture hints at the fact that this undertaking is extremely time-taking and expensive, not to mention the questionable success rate in a real-time attack scenario.