Smartphone sensors pose a serious security risk
As more people look for ways to protect their smartphones from hackers and criminals, we look for additional means beyond typing in a PIN. A popular method now is fingerprint analysis, where users can place a finger on their phone to unlock it or to make a purchase. And as crime shows and police officers have told us for decades, every fingerprint is completely unique and is an absolutely certain method to identify different people.
However, researchers with the NYU Tandon School of Engineering announced via a press release in April that they have essentially created a fingerprint hack called MasterPrint, which can match “between 26 and 65 percent” of users’ fingerprints. The researchers took advantage of weaknesses in how phone fingerprinting security works, particularly the phones’ small screens, and exploited the differences between partial and full fingerprints.
There are various aspects of this test that would make it difficult to apply to a real-life attempt to break into someone’s phone, and users may note that this hack would still fail more than half the time and conclude there is nothing to worry about. But this test, as well as other attempts to take advantage of phone sensors, shows that technology is not a substitute for taking a proactive security approach.
Partial and full fingerprints
Those of you who watch too much CSI may be aware of full fingerprints, which look at all the ridges and grooves of a fingerprint to identify a person, versus partial fingerprints, which use fewer data points. Fingerprint sensors on a phone rely on partial scans. This is partly due to how a small phone screen means fewer sensors, and partly because if sensors used a full fingerprint, they may not recognize the owner’s fingerprint due to smudges or a wet screen.
The NYU researchers thus first looked at finding human fingerprints that possessed common attributes that could serve as a MasterPrint, which could let them unlock other phones. They found on average almost one MasterPrint for every eight partial prints, compared to one for every 800 full prints. After that, the researchers constructed the aforementioned MasterPrint, which had a higher success rate with partial prints, showing the security problems behind relying on partials.
While these results show that fingerprint sensors are not foolproof, security expert Andy Adler stated to the New York Times that “it’s almost certainly not as worrisome as presented, but it’s almost certainly pretty darn bad.” For one thing, criminals would have to construct a working MasterPrint and would then have to get physical access to a smartphone. Even under those circumstances, the MasterPrint would fail much more often than not.
But over the long run, a criminal who could repeatedly grab others’ phones would be able to use it to break in. And as the NYU researchers stressed, the important thing to take away from their findings is that phone companies cannot become complacent about their fingerprinting sensors. Research team leader Nasir Memon said that “As fingerprint sensors become smaller in size, it is imperative for the resolution of the sensors to be significantly improved in order for them to capture additional fingerprint features.”
Other sensors are dangerous
The fact that fingerprint scanners have proven to be fallible should encourage users to rely on more traditional measures such as a PIN. But even a PIN can be vulnerable to other sensors, as hackers can spy on you with iOS reverse engineering and figure out your PIN just by how you tilt your phone.
These dangerous sensors include sensors that most people are not aware of, such as your phone’s gyroscope and rotation sensors. Researchers from Newcastle discovered that if a hacker can gain access to those sensors, they can use small differences in how you tilt your phone while typing in digits to guess the correct PIN. The researchers found that they could correctly identify the PIN through examining the sensors 70 percent of the time on the first attempt and hit 100 percent by the fifth attempt.
If that was not bad enough, malicious programs often do not need to ask permission to use these sensors. By opening up a malicious webpage or app, hackers can spy on your phone and gain access to data through these sensors.
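For anyone reviewing what a page's scripts do, the sketch below is an added example (not from the original article or the researchers) of a static check that flags script source using the browser's motion and orientation sensor APIs and notes whether it ever asks the user first. The script names, sample sources and verdict labels are constructed for illustration; the API names are the standard web-platform ones.

```javascript
// Added example: static check for motion/orientation sensor use in page scripts.
// API names are standard web-platform names; the SAMPLES are constructed.
const SENSOR_PATTERNS = [
  { api: "devicemotion",
    re: /addEventListener\s*\(\s*['"`]devicemotion['"`]|\bondevicemotion\s*=/ },
  { api: "deviceorientation",
    re: /addEventListener\s*\(\s*['"`]deviceorientation(?:absolute)?['"`]|\bondeviceorientation(?:absolute)?\s*=/ },
  { api: "generic-sensor",
    re: /\bnew\s+(?:Accelerometer|LinearAccelerationSensor|GravitySensor|Gyroscope|Magnetometer|AbsoluteOrientationSensor|RelativeOrientationSensor)\s*\(/ },
];
// iOS Safari 13+ gates the legacy events behind this explicit user prompt.
const PROMPT_RE = /Device(?:Motion|Orientation)Event\.requestPermission\s*\(/;

// Naive comment stripper so commented-out code is not reported.
function stripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, "")
            .replace(/(^|[^:])\/\/.*$/gm, "$1");
}

function auditScript(name, source) {
  const code = stripComments(source);
  const apis = SENSOR_PATTERNS.filter((p) => p.re.test(code)).map((p) => p.api);
  let verdict = "no-sensor-use";
  if (apis.length > 0) {
    verdict = PROMPT_RE.test(code) ? "sensor-use-with-prompt" : "sensor-use-no-prompt";
  }
  return { name, apis, verdict };
}

const SAMPLES = {
  "tracker.js": `window.addEventListener("devicemotion", (e) => {
      samples.push(e.accelerationIncludingGravity, e.rotationRate); });`,
  "compass.js": `btn.onclick = async () => {
      if ((await DeviceOrientationEvent.requestPermission()) === "granted")
        window.addEventListener("deviceorientation", draw); };`,
  "level.js": `const g = new Gyroscope({ frequency: 60 }); g.start();`,
  "plain.js": `// window.addEventListener('devicemotion', old);
      console.log("no sensors here"); /* new Accelerometer() */`,
};

function auditAll(scripts) {
  return Object.entries(scripts).map(([name, src]) => auditScript(name, src));
}

console.log(auditAll(SAMPLES));
```

A pattern match only shows that a script reads the sensors, not what it does with the readings, so a "sensor-use-no-prompt" result is a cue for manual review rather than proof of spying.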
Good security measures
Far too many users are uncertain about what their sensors do or are convinced that said sensors will provide them with absolute security. But there is no shortcut for implementing basic security measures. While 100 percent security can never be guaranteed, even implementing basic measures like locking your phone (which a shockingly high number of users do not do) will often persuade hackers to move on to easier prey.
Be careful about using apps or web pages, do not recklessly grant permissions, regularly change your PIN and update often. Technology like fingerprint sensors can be useful and, despite NYU’s findings, is still better than no protection at all. But the best protection is caution and common sense.