Threat Identified to Fingerprint Security for Phones

A team of American and Chinese researchers claims to have found a way to exploit a vulnerability in a widely used biometric authentication method used to secure smartphones.

The researchers say their study is the first to use the sound of a user's swipe to infer their fingerprint and that it "rings the alarm bells" over personal, and even national security.

In the wrong hands, such technology could threaten a wide range of people without their knowledge.

The finger movements of online gamers, for example, could be detected via microphone as they interact with other players. Users of social media platforms like Facebook or China's WeChat are also at risk of having their fingerprint patterns collected and synthesized.

Biometrics like finger scans and facial recognition are widely trusted as means of securing mobile devices. A forecast released last April by Acumen Research predicted the fingerprint identification market would skyrocket from $12.7 billion in 2022 to nearly $100 billion by 2032.

However, more sophisticated methods of fooling fingerprint scanners are steadily being innovated.

As early as 2018, researchers at New York University's School of Engineering used machine learning and artificial intelligence to develop deep master prints—or artificial partial fingerprints functioning as a "skeleton key" capable of unlocking random fingerprint-secured smartphones about a third of the time.

The new study, carried out by cyber scientists at the University of Colorado Denver and their colleagues at China's Huazhong University of Science and Technology Wuhan and Tsinghua Universities, has built on this technology further by testing an attack relying on sound.

"It capitalizes on the built-in microphones in electronic devices, such as smartphones, to capture the faint friction sounds generated by finger movements across electronic screens. Subsequently, the user's fingerprint patterns are inferred from these sounds," the authors wrote.

"These finger-sliding friction sounds will be transmitted to the other party by social communication software as well as malware with recording permission," they said.

One of the authors of the study, Li Zhengxiong, told Newsweek there is "a tangible risk that cyber criminals might exploit similar vulnerabilities. Considering the practicality of these techniques, it is plausible that cyber criminals, with enough interest and resources, could develop comparable methods."

Asked how hardware developers might counter such an attack, Li said: "Developers can prioritize enhancing acoustic privacy and security in smart device designs. This could involve integrating noise-dampening materials, employing algorithms to detect and obfuscate acoustic side-channel signals, and developing user authentication methods that are less vulnerable to such attacks."

Routine security checks to pinpoint new vulnerabilities is also an important of the changing cyber threat landscape, the researcher added.

The system, which they call PrintListener, has two advantages. One is "stealthiness," as it requires no extra hardware beyond a device's built-in microphone to "capture the faint friction sounds generated by finger movements across electronic screens."

The other advantage is that since it works through master print sequences, PrintListener does not need extensive training on specific individuals. It can carry out more effective dictionary attacks on phones whose users share a similar pattern.

Citing "extensive experimental results in real-world scenarios," the authors claim their system can successfully attack up to 26.5 percent of partial fingerprints and 9.3 percent of complete fingerprints in five attempts or fewer at the highest false acceptance rate setting.

Update 2/23/24, 9:00 a.m. ET: This story was updated with a comment from Dr. Li Zhengxiong.