Smartphone Fingerprint Sensors Not as Secure as Thought
San Francisco — Fingerprint sensors have turned modern smartphones into miracles of convenience. A touch of a finger unlocks the phone — no password required. With services like Apple Pay or Android Pay, a fingerprint can buy a bag of groceries, a new laptop or even a $1 million vintage Aston Martin. And pressing a finger inside a banking app allows a user to pay bills or transfer thousands of dollars.

While such wizardry is convenient, it has also left a gaping security hole.

New findings published Monday by researchers at New York University and Michigan State University suggest that smartphones can easily be fooled by fake fingerprints digitally composed of many common features found in human prints. In computer simulations, the researchers from the universities were able to develop a set of artificial “MasterPrints” that could match real prints similar to those used by phones as much as 65 percent of the time.

The researchers did not test their approach with real phones, and other security experts said the match rate would be significantly lower in real-life conditions. Still, the findings raise troubling questions about the effectiveness of fingerprint security on smartphones.

“It’s almost certainly not as worrisome as presented, but it’s almost certainly pretty darn bad,” said Andy Adler, a professor of systems and computer engineering at Carleton University in Canada, who studies biometric security systems. “If all I want to do is take your phone and use your Apple Pay to buy stuff, if I can get into 1 in 10 phones, that’s not bad odds.”

Full human fingerprints are difficult to falsify, but the finger scanners on phones are so small that they read only partial fingerprints. When a user sets up fingerprint security on an Apple iPhone or a phone that runs Google’s Android software, the phone typically takes eight to 10 images of a finger to make it easier to make a match. And many users record more than one finger — say, the thumb and forefinger of each hand.

Since a finger swipe has to match only one stored image to unlock the phone, the system is vulnerable to false matches.

“It’s as if you have 30 passwords and the attacker only has to match one,” said Nasir Memon, a professor of computer science and engineering at NYU’s Tandon School of Engineering, who is one of three authors of the study, which was published in IEEE Transactions on Information Forensics and Security. The other authors are Aditi Roy, a postdoctoral fellow at NYU’s Tandon School, and Arun Ross, a professor of computer science and engineering at Michigan State.

Dr. Memon said their findings indicated that if you could somehow create a magic glove with a MasterPrint on each finger, you could get into 40 to 50 percent of iPhones within the five tries allowed before the phone demands the numeric password, known as a personal identification number.

Apple said the chance of a false match in the iPhone’s fingerprint system was 1 in 50,000 with one fingerprint enrolled. Ryan James, a company spokesman, said Apple had tested various attacks when developing its Touch ID system, and also incorporated other security features to prevent false matches.
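The paragraphs above carry an implicit calculation: a per-comparison false-match rate is quoted for a single enrolled fingerprint, but a phone stores many partial images per finger, users enrol several fingers, any one match unlocks the device, and an attacker gets several tries before the PIN is demanded. The following Python is an added example, not part of the article or the researchers' work, that makes that compounding explicit. It assumes comparisons are independent random impostor attempts (a simplifying model, not a vendor's figure) and uses the 1-in-50,000 rate, the eight to 10 images per finger, the five-attempt budget and the "30 passwords" count quoted in the article as its inputs.

```python
# Added example: how enrolled templates and a retry budget multiply a
# per-comparison false-accept rate (FAR). Simplifying assumption: each
# comparison is an independent random impostor attempt. The figures below
# come from the article; the model itself is an illustration, not vendor data.
from math import log2
from typing import Dict, Tuple

APPLE_SINGLE_TEMPLATE_FAR = 1 / 50_000   # "1 in 50,000 with one fingerprint enrolled"
IMAGES_PER_FINGER = 10                   # article: "eight to 10 images of a finger"
ATTEMPTS_BEFORE_PIN = 5                  # article: "five tries allowed"


def templates_enrolled(fingers: int, images_per_finger: int = IMAGES_PER_FINGER) -> int:
    """Number of stored partial images a presentation is compared against."""
    if fingers < 1 or images_per_finger < 1:
        raise ValueError("fingers and images_per_finger must be >= 1")
    return fingers * images_per_finger


def system_far(per_comparison_far: float, templates: int, attempts: int) -> float:
    """Probability that at least one comparison falsely matches, given that a
    presentation is compared against `templates` stored images, a single match
    unlocks, and the attacker has `attempts` presentations before lockout.
    Independence assumption: P(no false match) = (1 - p) ** (templates * attempts)."""
    if not 0.0 <= per_comparison_far <= 1.0:
        raise ValueError("per_comparison_far must be a probability")
    if templates < 1 or attempts < 1:
        raise ValueError("templates and attempts must be >= 1")
    comparisons = templates * attempts
    return 1.0 - (1.0 - per_comparison_far) ** comparisons


def required_per_comparison_far(target_system_far: float, templates: int, attempts: int) -> float:
    """Inverse question a defender asks: what per-comparison FAR would the matcher
    need so that the whole system still meets `target_system_far`?"""
    if not 0.0 < target_system_far < 1.0:
        raise ValueError("target_system_far must be in (0, 1)")
    comparisons = templates * attempts
    return 1.0 - (1.0 - target_system_far) ** (1.0 / comparisons)


def equivalent_guess_bits(far: float) -> float:
    """Express a false-accept probability as the entropy of a secret an attacker
    could guess with the same single-shot success chance (log2 of 1/FAR)."""
    if not 0.0 < far <= 1.0:
        raise ValueError("far must be in (0, 1]")
    return log2(1.0 / far)


def scenarios() -> Dict[str, Tuple[int, float]]:
    """Return (templates, system FAR) for the enrolment patterns the article describes."""
    single = templates_enrolled(1, 1)                        # the vendor's quoted condition
    one_finger = templates_enrolled(1)                        # one finger, 10 images
    thirty = 30                                               # article: "as if you have 30 passwords"
    return {
        "1 template, 1 attempt": (single, system_far(APPLE_SINGLE_TEMPLATE_FAR, single, 1)),
        "1 finger, 5 attempts": (one_finger, system_far(APPLE_SINGLE_TEMPLATE_FAR, one_finger, ATTEMPTS_BEFORE_PIN)),
        "30 templates, 5 attempts": (thirty, system_far(APPLE_SINGLE_TEMPLATE_FAR, thirty, ATTEMPTS_BEFORE_PIN)),
    }


if __name__ == "__main__":
    for label, (templates, far) in scenarios().items():
        print(f"{label:28s} templates={templates:3d}  system FAR={far:.5%}  "
              f"~{equivalent_guess_bits(far):.1f} bits")
    need = required_per_comparison_far(APPLE_SINGLE_TEMPLATE_FAR, 30, ATTEMPTS_BEFORE_PIN)
    print(f"per-comparison FAR needed to keep 1/50,000 overall with 30 templates x 5 tries: {need:.2e}")
```

Under this model the quoted 1-in-50,000 figure becomes roughly 1-in-330 once 30 partial images are enrolled and five tries are allowed, and the matcher would need a per-comparison rate near 1.3e-7 to hold the system at the single-template level. The model describes random impostor presentations only; the researchers' MasterPrints are deliberately composed to match common features, so the article's 40 to 50 percent figure is not derived from this formula. What the calculation does show is the defender's lever the article's last quote points at: the enrolment count and the retry budget multiply whatever per-comparison rate the sensor actually has.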

Google declined to comment.

The actual risk is difficult to quantify. Apple and Google keep many details of their fingerprint technology secret, and the dozens of companies that make Android phones can adapt Google’s standard design in ways that reduce the level of security.

Stephanie Schuckers, a professor at Clarkson University and director of the Center for Identification Technology Research, was cautious about the implications of the MasterPrint findings. She said the researchers used a midrange, commercially available software program that was designed to match full fingerprints, limiting the broader applicability of their findings.

“To really know what the impact would be on a cellphone, you’d have to try it on the cellphone,” she said. She noted that cellphone makers and others who use fingerprint security systems are studying anti-spoofing techniques to detect the presence of a real finger, such as looking for perspiration or examining patterns in deeper layers of skin. A new fingerprint sensor from Qualcomm, for example, uses ultrasound.

Phone makers have acknowledged that fingerprint sensors are not foolproof, but said that the ease of touching a finger to unlock a phone meant that more users actually turned on security features instead of leaving their phones unlocked — a common habit in the early days of smartphones.

Dr. Ross acknowledged the limitations of the work. “Most of the current smartphone vendors do not give us access to the fingerprint image,” he said.

For a thief or spy to turn master fingerprints into smartphone keys would require a lot of additional work. “In order to launch this attack, you still have to make fake fingers,” Dr. Ross said.

Still, the team’s fundamental finding that partial fingerprints are vulnerable to spoofing is significant, said Chris Boehnen, the manager of the federal government’s Odin program, which studies how to defeat biometric security attacks as part of the Intelligence Advanced Research Projects Activity.

“What’s concerning here is that you could find a random phone, and your barrier to attack is pretty low,” Dr. Boehnen said.

Phone makers could easily increase security by making it harder to match the partial fingerprint, he said, “but the average phone company is more worried about you being annoyed that you have to put your finger against the phone two or three times than they are with someone breaking into it.”

The New York Times

Apple Tiptoes Into Producing Original Video but Plans to Pick Up Pace

DANA POINT, Calif. — Watch out, Netflix. Apple, the richest company in technology, is finally moving into original video content.

Apple said Monday night that it would introduce its first two television-style video series on Apple Music, its subscription music-streaming service, in the spring.

Other original videos, including scripted dramas, are planned over the next year as Apple tries to build Apple Music into a cultural platform, said Jimmy Iovine, who heads the $10-a-month service.

“There are a bunch of projects. We’re in it. This is what Apple Music is going to be,” Mr. Iovine said in an interview Monday night. “Apple Music will have video and other things that I can’t talk about. We’re going to be aggressive about it.”

Apple is still primarily a smartphone company. And despite sitting on $246 billion in cash and marketable securities, it insists it has no short-term plans to directly challenge streaming-video giants like Netflix and Amazon, which are increasingly commissioning high-quality original shows to attract and retain subscribers.

“We’re not out to buy a bunch of shows,” Eddy Cue, Apple’s senior vice president for software and services, said during an onstage interview at the Code Media technology conference Monday night.

But Apple does intend to use original video to help distinguish Apple Music, which began in June 2015 and has attracted more than 20 million subscribers, from competitors like Spotify. “We’re trying to do things that are unique and cultural,” Mr. Cue said.

Much like MTV did in its heyday, that means going beyond music.

Apple aired a trailer for the first show, “Carpool Karaoke,” at the Grammy Awards on Sunday. The series, a spinoff of James Corden’s running sketch on “The Late Late Show,” will be available to Apple Music subscribers in April.

The second program, “Planet of the Apps,” is a reality TV series about iPhone app developers competing to build the next great app. In the show, developers will make 60-second pitches, receive mentoring from the musician, the actors Jessica Alba or Gwyneth Paltrow, or the social media entrepreneur Gary Vaynerchuk to develop their ideas, and then try to persuade a venture capital fund, Lightspeed Venture Partners, to invest in them. The winners will get prime billing in Apple’s App Store.

“What does it take to be an app developer? Who are they?” Mr. Cue said, showing a trailer of the show with Ben Silverman, the veteran TV producer who brought the project to Apple. “Customers are going to love it.”

Mr. Iovine said that Apple Music was also working on other video projects that are “so opposite” to the first two.

“We’re doing dramas,” he said. “They just take much longer.”

Also under consideration, he said, is a way for musicians to interact with their audiences. “We’re still experimenting,” he said.

Mr. Iovine was a successful record producer before joining Apple in 2014 when he and the musician Dr. Dre sold the headphone-maker Beats Electronics to Apple for $3 billion. At Beats, Mr. Iovine said, “I didn’t see a stand-alone model that was going to work.”

Apple, by contrast, had vast resources to invest in building a music service.

Discussing Apple’s broader video ambitions, Mr. Cue said that the company was currently focused on two problems: how to make it easier to discover already-available content, and how to make it easier for video creators to innovate.

He dismissed suggestions, however, that Apple wanted to compete with cable and satellite companies by bundling a group of video channels and selling subscriptions to its users.

“We are happy doing the things we are doing today,” he said. “Where it goes, we don’t know.”

(The New York Times)