Swipe Right Into Danger
PrintListener exploits finger-swiping sounds to boost synthetic fingerprint attacks, raising security concerns in device authentication.
With our increasing reliance on smartphones, tablets, laptops, and other connected devices for various personal and professional activities, ensuring that only authorized individuals can access sensitive information is critically important. Strong authentication methods serve as the first line of defense against unauthorized access, protecting users' data from malicious actors and other threats.
Unauthorized access to devices can lead to the theft of sensitive personal information, financial data, or intellectual property. It can also result in identity theft, fraud, and privacy breaches, causing significant harm to individuals, businesses, and organizations. Moreover, compromised devices can be used as gateways for further attacks, putting entire networks and systems at risk.
Biometrics, such as fingerprints, have emerged as increasingly popular authentication methods due to their convenience and perceived security. Unlike traditional passwords or PINs, biometric identifiers are unique to each individual, making them harder to replicate or spoof. Fingerprint authentication, in particular, has become ubiquitous in smartphones and other devices, offering users a seamless and secure way to unlock their devices and authenticate transactions.
However, the security of fingerprint-based authentication methods has come under scrutiny with the emergence of techniques like DeepMasterPrints. DeepMasterPrints exploit vulnerabilities in fingerprint recognition systems by generating synthetic fingerprints that can fool the authentication system into granting unauthorized access. While this method has raised concerns about the reliability of fingerprint authentication, it is important to note that it typically only works about 1 in 100 times when using secure hardware.
An unexpected attack vector revealed by researchers at the Huazhong University of Science and Technology and the University of Colorado Denver may have us rethinking fingerprint authentication security once again. They have demonstrated that by using the sound of a finger swiping across a device’s screen, the accuracy of attacks like DeepMasterPrints can be greatly enhanced. This sort of audio can be acquired relatively easily from voice chats or video calls, and can increase the success rate of attacks to almost 28 percent in certain situations.
The team’s method, named PrintListener, first removes noise from audio acquired by eavesdropping on sound from a social network. High-pass filters eliminate low-frequency noise, then a spectrum density analysis method isolates segments of the finger friction sound. Finally, waveform resampling is applied to optimize the quality of the audio.
After the raw finger friction sound has been isolated, interpretable audio features are extracted with a spectrogram analysis followed by mRMR feature selection. A VGG-like deep neural network is then utilized to map these features to their predicted corresponding fingerprint patterns. These predictions are then leveraged to select the closest matches from databases of synthetic fingerprints, like those generated by DeepMasterPrints.
A large number of experiments were conducted to determine how well the PrintListener exploit works under real-world conditions. It was discovered that, when used to simulate a partial fingerprint (as is generally needed for authentication on a smartphone), PrintListener was successful in 27.9 percent of cases when given five attempts. Even when a full fingerprint is needed by a more secure device, the technique worked within five attempts in 9.3 percent of cases. Working after just a few attempts is important, as most devices will lock the user out for a time after five failed attempts.
To counter their exploit, the researchers suggest that social media apps limit the sample rate of audio, as this will make the attack ineffective. Alternatively, a more sophisticated approach involving the use of automatic speech noise reduction to remove finger swiping noises could be utilized.
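The sample-rate limit suggested above only removes high-frequency detail if the audio is low-pass filtered before samples are dropped; otherwise that detail folds back into the retained band. The sketch below is an added example, not code from the researchers or from any app, and it compares both ways of capping the rate. The 48 kHz to 16 kHz rates and the 1 kHz and 18 kHz test tones are constructed assumptions, since the article gives no target rate or frequency band.

```python
import math

def lowpass_taps(cutoff_hz, fs, n_taps=101):
    """Hamming-windowed sinc low-pass FIR, scaled to unity gain at DC."""
    fc, mid = cutoff_hz / fs, (n_taps - 1) / 2
    taps = []
    for i in range(n_taps):
        x = i - mid
        sinc = 2 * fc if x == 0 else math.sin(2 * math.pi * fc * x) / (math.pi * x)
        taps.append(sinc * (0.54 - 0.46 * math.cos(2 * math.pi * i / (n_taps - 1))))
    total = sum(taps)
    return [t / total for t in taps]

def cap_sample_rate(samples, fs, factor, anti_alias=True):
    """Reduce the rate by `factor`; with anti_alias, low-pass below the new Nyquist first."""
    new_fs = fs // factor
    if not anti_alias:
        return samples[::factor], new_fs  # naive: content above new_fs/2 folds back
    taps = lowpass_taps(0.45 * new_fs, fs)
    out = []
    for n in range(0, len(samples), factor):
        # Only the kept outputs are computed; samples before t=0 count as silence.
        out.append(sum(t * samples[n - k] for k, t in enumerate(taps) if n - k >= 0))
    return out, new_fs

def tone_power(samples, fs, freq_hz):
    """Power of one frequency component (single-bin DFT); A**2 / 4 for a sine of amplitude A."""
    w = 2 * math.pi * freq_hz / fs
    re = sum(s * math.cos(w * i) for i, s in enumerate(samples))
    im = sum(s * math.sin(w * i) for i, s in enumerate(samples))
    return (re * re + im * im) / len(samples) ** 2

def demo():
    # Constructed input: 0.1 s at 48 kHz, a 1 kHz tone (stand-in for speech-band audio)
    # plus an 18 kHz tone (stand-in for fine high-frequency detail). Both are assumptions.
    fs, factor = 48_000, 3
    x = [math.sin(2 * math.pi * 1000 * i / fs) + 0.5 * math.sin(2 * math.pi * 18000 * i / fs)
         for i in range(4800)]
    report = {}
    for name, aa in (("naive", False), ("filtered", True)):
        y, new_fs = cap_sample_rate(x, fs, factor, anti_alias=aa)
        # 18 kHz lands on 2 kHz once the rate is 16 kHz, so that is where residue shows up.
        report[name] = {"rate": new_fs, "kept_1k": tone_power(y, new_fs, 1000),
                        "residue_2k": tone_power(y, new_fs, 2000)}
    return report

if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

With naive decimation the 18 kHz component survives at full strength as a 2 kHz alias, while the filtered path keeps the 1 kHz tone and leaves only a trace at 2 kHz.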