PrintListener: remote fingerprint theft


Researchers from the U.S. and China recently published a paper proposing a mindboggling new method of fingerprint theft…

Imagine you get a call from a cybercriminal; or you connect via your smartphone to a conference call that an attacker has access to. During either call, you do something on your phone, which, naturally enough, involves sliding a finger across its screen. The sound of such a movement is clearly audible through the phone’s built-in mic, allowing the threat actor to record and analyze the sound. From this, they can recreate enough fragments of the fingerprint to unlock your phone using an “artificial finger”! Just think about it: the gentle friction of your finger sliding over the screen can reveal the pattern on the fingertip — a side-channel attack of exquisite beauty!

How to steal a fingerprint through audio

The general schematic of the new PrintListener attack is given in the image:

[Figure: if the potential victim swipes the screen during a call, the attacker can reconstruct parts of the fingerprint from the sound it makes.]

When the user moves a finger across the surface of the screen, it produces a noise almost inaudible to the human ear. These “rustling” sounds differ depending on which particular loops, arches, and swirls and whirls on the fingertip come into contact with the screen. If the noise is captured by the device’s mic and later analyzed, based on the data obtained, the approximate pattern of these ridges can be determined.

[Figure: the pronounced features of a fingerprint are key to determining whether a scanned print is identical to the one previously saved.]

The authors of the paper took great pains to make the study as true to life as possible. First, to avoid having to find such hard-to-detect events manually, they created an automated system to search for sounds similar to a finger being swiped across the screen. Second, they created a large database of photos of fingerprints and the corresponding sounds of finger swipes in different directions, with different background noise, for different smartphone models, and other parameters.

A total of 65 volunteers took part in the experiment, in which 180 fingers were scanned. The data was processed by a machine-learning algorithm. The trained algorithm was able to predict with confidence certain fingerprint characteristics solely by the sound of finger movement across the surface of the smartphone.

How effective is PrintListener?

PrintListener is by no means the first attack on fingerprint scanners. In 2017, a paper was published laying out a scheme in which, instead of the user’s real fingerprint, a synthetic one with random fingerprint patterns was applied to the scanner. And in some cases, it worked! Why? In many modern smartphones, the fingerprint scanner is built into the power button and is pretty narrow. By definition, such a scanner can only see a fragment of the fingerprint. What’s more, the scanner is focused squarely on the pronounced features of the fingerprint pattern. If some loop or swirl on the synthetic finger matches any on the real one, the scanner can authorize the user! The attack was dubbed MasterPrint.

Another important parameter of scanner performance is the rate of false positives. The ideal scanner should only validate a fingerprint if the pattern is a 100% match. But such perfection is unworkable in the real world. Two swipes are never the same — the user’s finger may be at a different angle, a little higher, or a little lower. The finger may be dry or wet, dirty or cut. To take this into account, the scanner is configured to validate not only 100% matches but “good enough” ones as well. This inevitably leads to false positives: when the scanner mistakes a wrong print for the true one. The typical percentage of unwanted positives varies from 0.01% (in the strictest case) to 1%. The latter makes life easier for the user but increases the likelihood that someone else’s finger could unlock the device.

The MasterPrint attack showed that a synthetic fingerprint with some similarly shaped loops or swirls was partially recognized in 2.4–3.7% of cases — and on the first try at that. If multiple attempts are allowed, the likelihood of a false positive rises considerably. In the study, given 12 consecutive swipes, a fake fingerprint got validated 26–30% of the time! In those experiments, the false positive rate was 0.1%.

The PrintListener attack takes the ideas of the 2017 MasterPrint paper and develops them further. Processing the audio information permits detection of the presence of pronounced ridges with a high degree of certainty. This then makes it possible to attack the scanner not at random, but using a fingerprint feature reconstructed from the audio. An attacker can then 3D-print a finger with a synthetic fingerprint that contains this feature.

With an acceptable false positive rate of 0.1%, the PrintListener attack successfully duped the fingerprint scanner 48–53% of the time. A more stringent scenario, with an acceptable false positive rate of 0.01%, still saw the biometric scanner get hacked in 7.8–9.8% of cases. That’s a significant improvement on MasterPrint. Moreover, in each case, no more than five attempts were made to scan the synthetic finger, which corresponds to real-life restrictions on biometric authorization in these same smartphones.
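The numbers above only make sense together with the attempt limit: a per-attempt false accept rate of 0.1% looks tiny, but every extra try the scanner allows adds to it. The following is an added example (not code from the paper or from the article) that models the cumulative false-accept chance over repeated attempts, assuming independent attempts (a simplification; the paper’s 26–30% and 48–53% figures come from experiments, not from this formula), and a small unlock policy that caps biometric tries and then insists on a PIN, in the spirit of the five-attempt limit the article mentions. The cap of 5, the sample PIN and the function names are constructed for the illustration.

```python
import hmac


def cumulative_false_accept(per_attempt_rate: float, attempts: int) -> float:
    """Probability that at least one of `attempts` tries is wrongly accepted.

    Assumes independent attempts, which is a modelling simplification:
    real scanners and real synthetic fingers are not independent trials.
    """
    if not 0.0 <= per_attempt_rate <= 1.0:
        raise ValueError("per_attempt_rate must be a probability")
    if attempts < 0:
        raise ValueError("attempts must be non-negative")
    return 1.0 - (1.0 - per_attempt_rate) ** attempts


def max_attempts_within_budget(per_attempt_rate: float, risk_budget: float,
                               hard_limit: int = 100) -> int:
    """Largest attempt cap whose cumulative false-accept chance stays <= budget.

    `hard_limit` prevents an endless loop when the per-attempt rate is 0.
    """
    attempts = 0
    while (attempts < hard_limit and
           cumulative_false_accept(per_attempt_rate, attempts + 1) <= risk_budget):
        attempts += 1
    return attempts


class UnlockPolicy:
    """Biometric unlock with a fixed attempt cap and a mandatory PIN fallback.

    The scanner's verdict is passed in as a boolean; this class only decides
    what the device does with it (hypothetical policy, constructed here).
    """

    def __init__(self, biometric_cap: int = 5, pin: str = "1234"):
        # "1234" is a constructed sample PIN for the example only.
        self.biometric_cap = biometric_cap
        self._pin = pin
        self.failed_biometric = 0
        self.pin_required = False
        self.unlocked = False

    def biometric_attempt(self, scanner_accepted: bool) -> str:
        """Feed one scanner verdict; return the resulting state."""
        if self.pin_required:
            return "pin_required"  # scanner is no longer consulted at all
        if scanner_accepted:
            self.unlocked = True
            self.failed_biometric = 0
            return "unlocked"
        self.failed_biometric += 1
        if self.failed_biometric >= self.biometric_cap:
            self.pin_required = True  # stop the attacker's attempt budget here
            return "pin_required"
        return "retry"

    def pin_attempt(self, pin: str) -> str:
        """Constant-time PIN check; a correct PIN clears the biometric lockout."""
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.unlocked = True
            self.pin_required = False
            self.failed_biometric = 0
            return "unlocked"
        return "pin_required"

    def authorize_sensitive(self, pin: str) -> bool:
        """Sensitive actions (e.g. a purchase) always need the PIN, even when
        the device was unlocked biometrically."""
        return hmac.compare_digest(pin.encode(), self._pin.encode())


if __name__ == "__main__":
    print("12 tries at 2.4%:", round(cumulative_false_accept(0.024, 12), 3))
    print("cap for FAR 0.1%, budget 0.5%:", max_attempts_within_budget(0.001, 0.005))
    policy = UnlockPolicy()
    for _ in range(5):
        state = policy.biometric_attempt(False)
    print("after five failed scans:", state)
```

Running the model with the MasterPrint per-attempt rate of 2.4% over 12 tries gives roughly 25%, close to the 26–30% the article reports, which illustrates why a per-attempt rate that sounds negligible must always be read together with the number of attempts the device permits.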

Biometrics pros and cons

We covered the traditional risks associated with fingerprint scanners in a previous post. In short, they’re not an ideal means of authorization in any way. It’s actually quite easy to steal your fingerprint using traditional methods. People always leave fingerprints on the objects and surfaces they touch. In some cases, it’s even possible to extract a usable print from a photograph. And not just from a close-up of your fingers — an ordinary high-res shot taken from a reasonable distance of three meters would do.

The simplest scanners can be fooled by a printout of stolen biometric information. This trick won’t work with the ultrasonic sensors found under modern smartphone displays, but, again, it’s possible to 3D-print an artificial finger with the required pattern. A problem common to all biometric authentication systems is that such information is hard to keep secret. And, unlike a password, you can’t change your fingerprint if it’s compromised.

That’s not to say that the new paper gives new reasons to worry about our data security. The imperfect nature of biometrics is already factored into the logic of the sensors in the devices we use. It’s precisely because a fingerprint is fairly easy to misrecognize that smartphones regularly ask us to enter a PIN or confirm an online purchase with a password. In combination with other security methods, fingerprint scanners aren’t all that bad. Such protection against unauthorized access is better than none at all, of course. Remember, too, that a simple digital unlock code for a smartphone can also be snooped or brute-forced based on traces left on the display.

Nevertheless, the PrintListener attack is indeed remarkable, allowing as it does to pull valuable fingerprint data from the unlikeliest of sources. The attack scenario also looks quite realistic — similar in concept to previous studies in which user keystrokes were recognized by sound. One might conclude from all this that it’s best to refrain from touching your screen during a call or online meeting. But the moral of the story is actually simpler: don’t protect highly sensitive information — especially confidential business-related data — with biometrics alone.

Originally published by Enoch Root: PrintListener: remote fingerprint theft

Copyright notice: posted by admin on 22 March 2024 at 11:37 PM.
Please credit when reposting: PrintListener: remote fingerprint theft | CTF导航