An anonymous reader cites a report from Tom's Hardware. An interesting new attack on biometric security has been outlined by a group of researchers from China and the United States. PrintListener: Discovery of vulnerability in fingerprint authentication using finger friction sounds [PDF] proposed a side-channel attack against the Advanced Automated Fingerprint Identification System (AFIS). This attack uses the acoustic signature of a user swiping their finger across a touchscreen to extract features of a fingerprint pattern. After testing, the researchers claim that they can “successfully attack up to 27.9% of partial fingerprints and 9.3% of complete fingerprints within five attempts at the highest security FAR.” [False Acceptance Rate] Setting of 0.01%. ” This is said to be the first study to utilize swipe sounds to infer fingerprint information.
Without contact marks or detailed photos of fingerprints, how can an attacker obtain fingerprint data and enhance the results of MasterPrint and DeepMasterPrint dictionary attacks on a user's fingerprint? One of the answers is as follows: “Finger swipe fricatives are likely to be captured by online attackers,” the PrintListener paper states. The source of the finger swipe sound can be common apps such as Discord, Skype, WeChat, and FaceTime. It's a chatty app that causes users to perform inadvertent swipe actions on the screen while the device's microphone is active. Hence the side channel attack name is PrintListener. […]
To prove this theory, scientists actually developed an attack research called PrintListener. Simply put, PrintListener uses a set of algorithms to preprocess the raw audio signal, which is then used to generate a target composite signal for a PatternMasterPrint (a MasterPrint produced by a fingerprint with a specific pattern). will be done. Importantly, PrintListener has been extensively experimented “in real-world scenarios” and, as mentioned in the introduction, facilitates successful partial fingerprint attacks in more than 1 in 4 cases and in almost 10 cases. In one case, a complete fingerprint attack can be successful. These results far exceed the MasterPrint fingerprint dictionary attack alone.
