The good and bad of biometrics


TechLife Australia - WELCOME - [ NATHAN TAYLOR ]

We trust so much information to our mobiles that the compromise of one can be truly devastating. And for most of us, all that’s protecting that information is a single lock screen.

In Apple devices and more recent Androids, that does actually provide some protection. The unlock passcodes can’t be brute-forced because the phone will lock up after a number of failed attempts (see ‘Unlocking the phone’ opposite), while the storage of the device is encrypted so that the OS can’t be bypassed. But many recent devices also have an additional unlock method: biometrics, such as fingerprint scanners and face recognition.

Just how secure is that biometric lock? This month, we’re going to take a look.


Many current mobile phones allow you to unlock the phone with your fingerprint. A small scanner on the phone takes an image of your fingerprint and compares it to the scan of your fingerprint it has on record.

Fingerprint readers are, in fact, relatively secure. Apple, for example, says that there is only a one in 50,000 chance of a false positive, and you only get five attempts to use it before the phone will ask for your passcode instead.

But they’re not foolproof. It is possible to make moulds and 3D print fake fingerprints that will fool the scanner, so if someone with the know-how got hold of your fingerprint they could make an unlocking tool.

Researchers at New York University and Michigan State University have also recently developed a kind of master fingerprint that they claim will work as much as 65% of the time. Since a mobile phone fingerprint scanner only takes a partial print, they created a fingerprint that matches the characteristics of a large proportion of the population. This master print has, as far as we know, not made it into the wild, however.


In last year’s iPhone X, Apple abandoned fingerprint recognition altogether, replacing it with what it calls ‘Face ID’. Facial recognition has been present in Android since version 4.0, which came out way back in 2012. The security of facial identification systems is trickier than you might think, however. Recent versions of facial identification tech are relatively secure. Older versions, though, are barely better than no security at all.

If we look back to older versions of Android, for example, all the system does is use the front camera to take a photo of your face. It then runs the photo through facial recognition software and compares it to a stored photo to see if they match.

The problem with this system is that it can be fooled by holding up a photo of the owner in front of the camera. The software isn’t smart enough to distinguish between a real person and a photo of that person. That’s not the kind of security you can bank on.

However, the iPhone X and recent Samsung Galaxy smartphones (among others) have developed better ways of doing facial recognition, and Kaspersky has even rated Apple’s system better than fingerprint scanners.

On the iPhone X, the phone includes an infrared camera, dot projector and flood illuminator in addition to the traditional camera. This lets the phone create a 3D map of your face — when you set it up, you find that you have to rotate your head so that it can map it all around. That 3D map is much harder to spoof than a flat photo — if someone can make a mask that so accurately mirrors your face in 3D, they almost deserve access to your phone!

On recent Galaxy smartphones, Samsung has added an iris scanner. This scanner is present on the Galaxy S8, Note 8 and subsequent phones. It was also in the older Galaxy Note 7, though it used a less secure technology.

Your irises have patterns of colours that are even more unique than your fingerprints. On the Samsung phones, a special near-infrared diode illuminates the iris, highlighting colours that would not normally be seen under regular light. The camera then takes a photo and compares it to a locally stored image of the iris.

The benefit of this method is that one cannot use a regular photo to fool the scanner, since a regular photo would not pick up the colours illuminated by the diode. It has been shown possible to fool the scanner using high-resolution photos of the eye taken on night mode with certain cameras (which use infrared for illumination), but those are much more difficult to acquire than just a face photo. So this way is better than older Androids’ face recognition, but far from 100% secure.

On Android, it’s up to the device manufacturer to decide how many attempts you get, too. Some follow Apple’s model, others simply put ever-increasing timeouts after each failed attempt. Some (like Samsung) combine the two — you get timeouts after five failed attempts, but if you keep trying, it will eventually lock you out completely. Depending on the phone model, you may also get a last-ditch chance to unlock the Android using your Google Account.

If it does get locked, unless you’ve installed an app that lets you remotely reset the passcode (such as Google Mobile Management), you’ll likely have to do a factory reset and then restore the phone from a backup. Typically, you’ll turn off the phone, then hold the volume down and power button simultaneously. That will take you to the recovery screen, where you can perform a factory reset. If you’ve registered the phone with Google, you should then be able to restore it from a backup.

We should make a special note about a recent change to iOS devices here. There are specific hardware devices such as the GrayKey, commonly used by law enforcement, that can be plugged into the Thunderbolt port of an iPhone and will hack the passcode. In order to prevent these devices from working, Apple recently added the option USB Restricted Mode to iOS. When activated (it can be found in the security settings), this switches off the Thunderbolt port if the phone has been inactive for one hour. This means that a hacker has just one hour to crack the phone before the port becomes unusable — although security researchers have found that connecting any device to the port within that hour timeframe resets the timer.

Apple claims that there is only a one-in-50,000 chance of fooling its fingerprint scanner.

Face recognition debuted on the Android-based Galaxy Nexus in 2012.

Apple’s new Face ID, found in the iPhone X, takes a 3D scan of your face.

Samsung’s iris scanner illuminates the eye with a special light.
