Fingerprint readers, like the TouchID on an iPhone, exist to make your device extra secure while keeping the process of unlocking it easy. Computer scientists at New York University and Michigan State are poised to turn that security benefit on its head. Like a master key that can open any lock, these researchers developed digital "master prints" that could emulate a variety of partial fingerprints enough to hypothetically hack into a device.
The researchers wondered if there was a fingerprint equivalent to a common four-digit security code, like "1234." Using analysis from a digital database, they discovered that, indeed, a master print could successfully mimic a random fingerprint 26 to 65 percent of the time, according to the study. Why such a huge range? It depends on the scale of the fingerprint database; the more partial fingerprints enrolled in a fingerprint sensor system, the greater the chances are that a master print could unlock it.
There are several security issues at play. One, fingerprint sensors on smartphones are usually small, and two, a user can enroll multiple fingers. What's more, a phone usually gives you several attempts to unlock it with your print.
"The sensors are small and they don't capture the full fingerprint," says Nasir Memon, a computer scientist at NYU's Tandon School of Engineering and one of the authors of the study.
And since a smartphone fingerprint sensor can be taught to recognize several different fingers, the system learns a lot of partial prints. When you place a finger on the sensor, the system doesn't actually know which finger it is, or how you're positioning it.
"So if any one of them match," he says, "it will say 'okay, that's you.'"
Memon and his colleagues analyzed a digital database of 800 fingerprints, then extracted thousands of partial prints from that same database. They wondered: Are there any partial prints that match the others with a high probability? "We were surprised," he says, "there were some that match like 15 percent of the time."
It's worthwhile to note that the experiment was computer-based, so the researchers did not try to actually trick phones using a master print. The findings are theoretical, and one prominent biometrics researcher is skeptical.