Mobile biometrics still in infancy

Johannesburg, 17 Apr 2014
Both Samsung and Apple's high-end devices have been cracked by using a false finger on their newly incorporated biometrics technology.
Both Samsung and Apple's high-end devices have been cracked by using a false finger on their newly incorporated biometrics technology.

The trend of fingerprint biometrics on mobile phones represents a step in the right direction, but security-wise the technology is far from fail-safe.

This is according to security experts, on the back of German research company Security Research Labs' recent bypassing of the Samsung Galaxy S5's fingerprint scanner. A researcher from the company used a wood glue copy from a mould, taken from a photo of a latent fingerprint left on a smartphone screen, to unlock the phone and access PayPal.

Seven months ago, after Apple brought out its latest iPhone, the 5S, with TouchID fingerprint technology, the same vulnerability was exposed. In fact, even a cat's paw was able to unlock the new smartphone. The difference is, while Samsung allows users unlimited authentication attempts, Apple limits this to five - after which the user needs to enter a password to gain access.

Infant tech

Kenny Matima, security consultant at Wolfpack Information Risk, says fingerprint sensor technology is still in its infancy on commercial mobiles. "At present, the technology is not at the point where biometrics can be used as a reliable security feature. As the person who 'hacked' the iPhone TouchID said, 'fingerprint biometrics is unsuitable and should be avoided'. I believe he is correct. At the moment, biometrics on mobiles isn't where it should be, but it is a start in the right direction."

SensePost CTO Dominic White says, however, passwords are past their due and the mobile industry needs investment in alternatives or better ways of doing authentication. "Also, discovering vulnerabilities in a product, and discussing them, is the way our industry makes things better. It's not clear yet that biometric authentication on phones is dead in the water, and I look forward to seeing if the manufacturers move to build in better protections against these attacks."

Matima agrees, saying fingerprint scanners on smartphones constitute a natural evolution for authentication on mobile devices. "I see fingerprint scanners as the natural progression of the 'what you are' authentication method from conventional devices to mobile devices. I see this as a way of the future as companies continue to try to replace or complement passwords and tokens with something perceived to be more secure."

Manuel Corregedor, operations manager at Wolfpack Information Risk, says currently the main drawback with the technology on mobile devices is that the fingerprint readers are not as advanced as conventional ones when it comes to detecting "liveness" (that is, detecting whether the finger being presented is a real living finger or a fake finger).

"The lack of advanced liveness testing makes it significantly easier to fool the device. Mobile device manufacturers could enhance the security of their fingerprint scanning technology by improving the hardware device itself that reads the fingerprint."

Dangerous defect

Security Research Labs says the security feature "leaves much to be desired" and it is concerning that Samsung has not learnt from what others have done. The flaw allows "unlimited" authentication attempts on applications without ever requiring a password, it adds.

As a result, attackers can gain access to PayPal and help themselves to funds by learning the "simple" skill of fingerprint spoofing, says Security Research Labs. It notes the manufacturer has a responsibility to implement biometrics in such a way that does not put users at risk.

Security Research Labs says using fingerprints as credentials for local user authentication has two shortcomings when compared to passwords: once a fingerprint gets stolen, there is no way to change it; and users leave copies of their fingerprints everywhere; including on the devices they protect.

Other current devices with touch and swipe sensors are equally duped by spoofs, including the Thinkpad laptop, a Fujitsu smartphone, and an iPhone 5S, it notes.