Recent research has spotlighted vulnerabilities in the fingerprint authentication systems of smartphones from leading manufacturers. Leveraging Artificial Intelligence (AI), these vulnerabilities were identified and exploited, raising concerns about the security of biometric verification systems.
Fingerprint authentication, a cornerstone of modern device security, is not as infallible as once believed. Recent investigations have illuminated substantial susceptibilities within the software frameworks of devices manufactured by premier companies, including Samsung, Xiaomi, HUAWEI, Vivo, OnePlus, and OPPO. These vulnerabilities were not only identified but also manipulated, utilizing sophisticated Artificial Intelligence (AI) methodologies, thereby accentuating the imperative for the fortification of security protocols.
The fingerprint authentication mechanism in smartphones involves a multi-stage process:
- Acquisition: This initial stage involves capturing multiple images of the fingerprint as the user’s finger makes contact with the sensor.
- Compensation: At this stage, the system works to enhance the clarity of the acquired images by filtering out noise and other distortions.
- Algorithmic Verification: Sophisticated algorithms analyze the fingerprint’s unique attributes, such as texture, pressure patterns, and overall shape, with the primary objective of distinguishing an authentic human fingerprint from potential counterfeits, including those made from materials like silicone.
- Similarity Check: Contrary to traditional password systems that demand exact matches, fingerprint systems operate on a similarity model. The captured fingerprint needs to exceed a set similarity threshold when compared to the stored data to grant access.
Chinese engineers, Chen Yu (Tencent) and He Yiling (Zhejiang University), devised an algorithm, BrutePrint, capable of deceiving fingerprint scanners through a method of exhaustive search. They identified two vulnerabilities: Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), which allow for an unlimited number of authentication attempts and, occasionally, enable unauthorized access to a user’s stored fingerprint data on the smartphone.
Through ten experiments with various smartphone models, the researchers found that the CAMF vulnerability was present in all models, albeit with different manifestations. The researchers managed to achieve unlimited unlock attempts on all smartphones operating on Android, while iOS devices were limited to 15 attempts. Additionally, on iPhones, the researchers were unable to intercept the signal between the processor and fingerprint scanner due to the consistent encryption of this signal, a security feature absent in Android devices.
The identified vulnerabilities underscore the critical need for enhanced security protocols in fingerprint authentication systems, particularly within Android devices. The findings suggest a requisite for further research and development to bolster the security of biometric authentication methods and safeguard user data against unauthorized access and potential malicious exploitation.