Researchers from the U.S. and China recently published a paper proposing a mindboggling new method of fingerprint theft…
来自美国和中国的研究人员最近发表了一篇论文,提出了一种令人难以置信的指纹盗窃新方法……
Imagine you get a call from a cybercriminal; or you connect via your smartphone to a conference call that an attacker has access to. During either call, you’d something on your phone, which, naturally enough, involves sliding a finger across its screen. The sound of such a movement is clearly audible through the phone’s built-in mic, allowing the threat actor to record and analyze the sound. From this, they can recreate enough fragments of the fingerprint to unlock your phone using an “artificial finger”! Just think about it: the gentle friction of your finger sliding over the screen can reveal the pattern on the fingertip — a side-channel attack of exquisite beauty!
想象一下,您接到网络犯罪分子的电话;或者,您通过智能手机连接到攻击者有权访问的电话会议。在任何一个通话过程中,你的手机上都有一些东西,这很自然地涉及在屏幕上滑动手指。通过手机的内置麦克风可以清楚地听到这种运动的声音,从而允许威胁行为者记录和分析声音。由此,他们可以重新创建足够的指纹片段,以使用“人造手指”解锁您的手机!试想一下:手指在屏幕上滑动的轻轻摩擦可以揭示指尖上的图案——精致美感的侧通道攻击!
How to steal a fingerprint through audio
如何通过音频窃取指纹
The general schematic of the new PrintListener attack is given in the image:
新 PrintListener 攻击的一般原理图如下图所示:
When the user moves a finger across the surface of the screen, it produces a noise almost inaudible to the human ear. These “rustling” sounds differ depending on which particular loops, arches, and swirls and whirls on the fingertip come into contact with the screen. If the noise is captured by the device’s mic and later analyzed, based on the data obtained, the approximate pattern of these ridges can be determined.
当用户在屏幕表面上移动手指时,会产生人耳几乎听不到的噪音。这些“沙沙”的声音会有所不同,具体取决于指尖上的特定循环、拱门以及漩涡和漩涡与屏幕接触。如果噪声被设备的麦克风捕获并随后根据获得的数据进行分析,则可以确定这些脊的近似模式。
The authors of the paper took great pains to make the study as true to life as possible. First, to avoid having to find such hard-to-detect events manually, they created an automated system to search for sounds similar to a finger being swiped across the screen. Second, they created a large database of photos of fingerprints and the corresponding sounds of finger swipes in different directions, with different background noise, for different smartphone models, and other parameters.
这篇论文的作者煞费苦心地使这项研究尽可能真实。首先,为了避免手动查找此类难以检测的事件,他们创建了一个自动化系统来搜索类似于手指在屏幕上滑动的声音。其次,他们创建了一个大型数据库,其中包含指纹照片和相应的手指在不同方向、不同背景噪音、不同智能手机型号和其他参数上滑动的声音。
A total of 65 volunteers took part in the experiment, in which 180 fingers were scanned. The data was processed by a machine-learning algorithm. The trained algorithm was able to predict with confidence certain fingerprint characteristics solely by the sound of finger movement across the surface of the smartphone.
共有 65 名志愿者参加了实验,其中扫描了 180 根手指。数据由机器学习算法处理。经过训练的算法能够仅通过手指在智能手机表面移动的声音来自信地预测某些指纹特征。
How effective is PrintListener?
PrintListener 的效果如何?
PrintListener is by no means the first attack on fingerprint scanners. In 2017, a paper was published laying out a scheme in which, instead of the user’s real fingerprint, a synthetic one with random fingerprint patterns was applied to the scanner. And in some cases, it worked! Why? In many modern smartphones, the fingerprint scanner is built into the power button and is pretty narrow. By definition, such a scanner can only see a fragment of the fingerprint. What’s more, the scanner is focused squarely on the pronounced features of the fingerprint pattern. If some loop or swirl on the synthetic finger matches any on the real one, the scanner can authorize the user! The attack was dubbed MasterPrint.
PrintListener 绝不是对指纹扫描仪的第一次攻击。2017 年,发表了一篇论文,提出了一种方案,其中将具有随机指纹图案的合成指纹应用于扫描仪,而不是用户的真实指纹。在某些情况下,它奏效了!为什么?在许多现代智能手机中,指纹扫描仪内置于电源按钮中,并且非常窄。根据定义,这种扫描仪只能看到指纹的片段。更重要的是,扫描仪完全专注于指纹图案的明显特征。如果合成手指上的某些环或漩涡与真实手指上的任何环或漩涡相匹配,扫描仪可以授权用户!这次攻击被称为MasterPrint。
Another important parameter of scanner performance is the rate of false positives. The ideal scanner should only validate a fingerprint if the pattern is a 100% match. But such perfection is unworkable in the real world. Two swipes are never the same — the user’s finger may be at a different angle, a little higher, or a little lower. The finger may be dry or wet, dirty or cut. To take this into account, the scanner is configured to validate not only 100% matches but “good enough” ones as well. This inevitably leads to false positives: when the scanner mistakes a wrong print for the true one. The typical percentage of unwanted positives varies from 0.01% (in the strictest case) to 1%. The latter makes life easier for the user but increases the likelihood that someone else’s finger could unlock the device.
扫描程序性能的另一个重要参数是误报率。理想的扫描仪应该只在图案 100% 匹配时验证指纹。但这种完美在现实世界中是行不通的。两次滑动永远不会相同——用户的手指可能处于不同的角度,可能更高一点,也可能更低一点。手指可能干燥或潮湿、脏污或割伤。考虑到这一点,扫描仪不仅要验证 100% 的匹配,还要验证“足够好”的匹配。这不可避免地会导致误报:当扫描仪将错误的打印件误认为是真实的打印件时。不需要的阳性的典型百分比从 0.01%(在最严格的情况下)到 1% 不等。后者使用户的生活更轻松,但增加了其他人的手指解锁设备的可能性。
The MasterPrint attack showed that a synthetic fingerprint with some similarly shaped loops or swirls was partially recognized in 2.4–3.7% of cases — and on the first try at that. If multiple attempts are allowed, the likelihood of a false positive rises considerably. In the study, given 12 consecutive swipes, a fake fingerprint got validated 26–30% of the time! In those experiments, the false positive rate was 0.1%.
MasterPrint攻击表明,在2.4-3.7%的情况下,具有一些类似形状的环或漩涡的合成指纹被部分识别 – 并且在第一次尝试时。如果允许多次尝试,则误报的可能性会大大增加。在这项研究中,连续滑动 12 次,假指纹在 26-30% 的时间内得到了验证!在这些实验中,假阳性率为0.1%。
The PrintListener attack takes the ideas of the 2017 MasterPrint paper and develops them further. Processing the audio information permits detection of the presence of pronounced ridges with a high degree of certainty. This then makes it possible to attack the scanner not at random, but using a fingerprint feature reconstructed from the audio. An attacker can then 3D-print a finger with a synthetic fingerprint that contains this feature.
PrintListener 攻击采用了 2017 年 MasterPrint 论文的想法并进一步发展它们。通过处理音频信息,可以高度确定地检测出明显脊的存在。这样就可以不随机地攻击扫描仪,而是使用从音频中重建的指纹特征。然后,攻击者可以使用包含此功能的合成指纹 3D 打印手指。
With an acceptable false positive rate of 0.1%, the PrintListener attack successfully duped the fingerprint scanner 48–53% of the time. A more stringent scenario, with an acceptable false positive rate of 0.01%, still saw the biometric scanner get hacked in 7.8–9.8% of cases. That’s a significant improvement on MasterPrint. Moreover, in each case, no more than five attempts were made to scan the synthetic finger, which corresponds to real-life restrictions on biometric authorization in these same smartphones.
PrintListener 攻击的误报率为 0.1%,在 48-53% 的时间内成功欺骗了指纹扫描仪。更严格的情况是,可接受的误报率为0.01%,但生物识别扫描仪在7.8-9.8%的情况下仍然被黑客入侵。这是对 MasterPrint 的重大改进。此外,在每种情况下,扫描合成手指的尝试不超过五次,这与这些智能手机中对生物识别授权的现实限制相对应。
Biometrics pros and cons
生物识别技术的优缺点
We covered the traditional risks associated with fingerprint scanners in a previous post. In short, they’re not an ideal means of authorization in any way. It’s actually quite easy to steal your fingerprint using traditional methods. People always leave fingerprints on the objects and surfaces they touch. In some cases, it’s even possible to extract a usable print from a photograph. And not just from a close-up of your fingers — an ordinary high-res shot taken from a reasonable distance of three meters would do.
我们在上一篇文章中介绍了与指纹扫描仪相关的传统风险。简而言之,它们无论如何都不是理想的授权方式。使用传统方法窃取指纹实际上很容易。人们总是在他们接触的物体和表面上留下指纹。在某些情况下,甚至可以从照片中提取可用的打印件。而不仅仅是从手指的特写镜头——从三米的合理距离拍摄的普通高分辨率照片就可以了。
The simplest scanners can be fooled by a printout of stolen biometric information. This trick won’t work with the ultrasonic sensors found under modern smartphone displays, but, again, it’s possible to 3D-print an artificial finger with the required pattern. A problem common to all biometric authentication systems is that such information is hard to keep secret. And, unlike a password, you can’t change your fingerprint if it’s compromised.
最简单的扫描仪可能会被被盗生物识别信息的打印输出所愚弄。这个技巧不适用于现代智能手机显示屏下的超声波传感器,但同样,可以3D打印具有所需图案的人造手指。所有生物识别认证系统的一个共同问题是,这些信息很难保密。而且,与密码不同,如果指纹被泄露,您将无法更改指纹。
That’s not to say that the new paper gives new reasons to worry about our data security. The imperfect nature of biometrics is already factored into the logic of the sensors in the devices we use. It’s precisely because a fingerprint is fairly easy to misrecognize that smartphones regularly ask us to enter a PIN or confirm an online purchase with a password. In combination with other security methods, fingerprint scanners aren’t all that bad. Such protection against unauthorized access is better than none at all, of course. Remember, too, that a simple digital unlock code for a smartphone can also be snooped or brute-forced based on traces left on the display.
这并不是说这篇新论文提供了新的理由来担心我们的数据安全。生物识别技术的不完美性已经包含在我们使用的设备中传感器的逻辑中。正是因为指纹很容易被误认,智能手机才会经常要求我们输入PIN码或使用密码确认在线购买。结合其他安全方法,指纹扫描仪并没有那么糟糕。当然,这种防止未经授权访问的保护总比没有好。还要记住,智能手机的简单数字解锁代码也可以根据显示屏上留下的痕迹进行窥探或暴力破解。
Nevertheless, the PrintListener attack is indeed remarkable, allowing as it does to pull valuable fingerprint data from the unlikeliest of sources. The attack scenario also looks quite realistic —similar in concept to previous studies in which user keystrokes were recognized by sound. One might conclude from all this that it’s best to refrain from touching your screen during a call or online meeting. But the moral of the story is actually simpler: don’t protect highly sensitive information — especially confidential business-related data — with biometrics alone.
尽管如此,PrintListener 攻击确实非常出色,它允许从最不可能的来源中提取有价值的指纹数据。攻击场景看起来也非常逼真,在概念上与以前的研究相似,其中用户击键是通过声音识别的。人们可能会从这一切中得出结论,最好不要在通话或在线会议期间触摸屏幕。但这个故事的寓意实际上更简单:不要仅用生物识别技术来保护高度敏感的信息,尤其是与业务相关的机密数据。
原文始发于Enoch Root:PrintListener: remote fingerprint theft