[HN Gopher] Fingerprints can be recreated from the sounds made w...
___________________________________________________________________
Fingerprints can be recreated from the sounds made when you swipe a
screen
Author : moose44
Score : 104 points
Date : 2024-02-20 15:18 UTC (7 hours ago)
(HTM) web link (www.tomshardware.com)
(TXT) w3m dump (www.tomshardware.com)
| lvncelot wrote:
| Firstly, wow, that is absolutely insane.
|
| I'm wondering about this part though:
|
| > The source of the finger-swiping sounds can be popular apps
| like Discord, Skype, WeChat, FaceTime, etc. Any chatty app where
| users carelessly perform swiping actions on the screen while the
| device mic is live.
|
| Is there really enough information left for this method after the
| sound has been lossily compressed by any of those apps?
| westmeal wrote:
| That was my first thought too, this kind of reminds me of the
| 'figure out which key was pressed by listening to keystrokes'
| trick.
| samatman wrote:
| That attack is more about timing than about sound. There is
| some information available from the sound of a keystroke,
| with a very good microphone under ideal conditions each key
| could be identified uniquely, but that's not the main vector.
| Some sequences are easier to type than others by their very
| nature, and individual typists have idiosyncratic variance in
| how easily/fast/accurate they are at a given sequence. That's
| the main trick used to derive what's typed from a recording
| of it happening, and compression doesn't reduce that
| information, so long as the keypresses are audible.
| justinzollars wrote:
| This reads like a thrilling bond film. Scary!
| neontomo wrote:
| I suppose I have to start shouting every time I swipe my screen
| now.
| qrobit wrote:
| I am by no means competent but I believe frequencies of swiping
| and frequencies of you shouting differ substantially which will
| allow to separate them
| neontomo wrote:
| I would assume you're correct if they were the same level of
| audio, but my joke was about overpowering the swiping sound
| entirely, to the point where a microphone wouldn't be able to
| pick it up anymore.
| hn_throwaway_99 wrote:
| This would be amazing if true, but after being burned on a bunch
| of "too crazy to be true" tech stories recently (toothbrush bot
| armies anyone?) I'm very skeptical. The idea that there is enough
| resolution in the sound of a finger swipe to determine the
| fingerprint ridges on that finger is really suspect to me.
| arp242 wrote:
| I also have to admit my skepticism. Skimming through the paper,
| I don't think they emulated "real-world conditions" as claimed
| in the conclusion. They had participants swipe the screen 25
| times in a row. Real-world conditions would be giving them 12
| hours of recording throughout the day, or something like that,
| because knowing when and where to look is probably a major
| challenge on its own.
|
| I'll also add that even if true, it's probably not a huge
| practical issue. Fingerprints are mostly used to secure
| personal devices: phones, sometimes computers. If I were to
| have your full fingerprints then that would be mostly useless
| because I don't have access to your physical device. Even
| things like "purchase on App Store with fingerprints" usually
| works by having the fingerprint only secure a key on the device
| itself (rather than sending the fingerprint data over the
| network).
|
| And if you have access to your physical devices, then I almost
| certainly also have access to your fingerprints via the good
| ol' "dust for prints" technique.
|
| There was a "fingerprints for everything!" push a decade or so
| ago, and that was harshly criticized because you leave
| fingerprints _everywhere_, and you can even lift them from
| photographs.
|
| Certainly the "enormous economic and personnel losses, and even
| a potential compromise of national security" claim at the start
| of the paper seems rather exaggerated, even hysterical.
| PeterisP wrote:
| I don't think that real-world conditions would be giving them
| 12 hours of recording throughout the day - a malicious app
| that explicitly asks people to swipe left/right on pictures
| of kittens is a very realistic attack scenario and would know
| exactly when and where to look for the swipes.
| mzs wrote:
| paper is pretty convincing:
| https://www.ndss-symposium.org/wp-content/uploads/2024-618-p...
| kurthr wrote:
| Actually, there are two things that stick out to me in the
| paper.
|
| 1. The low FAR (False Accept Rate) is unbelievably high at 0.01%
| 2. The "partial prints" are described as single or "mixed" minutia
|
| The FAR is 1-2 orders of magnitude off of even cheap mobile
| device authentication.
|
| The described size of the partial prints imply that the
| relative location of partials is not extractable.
|
| Since most fingerprint matchers rely on multiple (3-4)
| minutiae _at a minimum_ and their relative location along
| with ridge orientation and pitch correlations it seems like
| this doesn't provide necessary information. More
| importantly, even with more information it can't construct
| that relative information, because it can't resolve
| symmetries (certainly not without knowing the direction of
| motion for the swipes and the orientation of the finger)
| correlated with those sounds. That requires other out of band
| information.
|
| It's interesting work, but there's probably a reason that you
| don't see fingerprint matchers with decent FAR/FRR using only
| the microphone on a mobile device and some software. There
| are a $B reasons to develop that every year, and yet there
| hasn't been one developed for 15-20 years.
| PeterisP wrote:
| Why wouldn't it know the direction of motion for the swipes
| and the orientation of the finger? Any mobile app has
| access to the touchscreen input which provides exactly that
| information.
| araes wrote:
| As far as I can tell, they don't actually draw a fingerprint
| from the point cloud they form, yet generally I agree.
|
| Some seem to be saying it's not that bad from a personal
| credit card or phone unlocking thief perspective. However, my
| main concern is with large nation state groups that have
| access to pre-existing fingerprint database files.
|
| There's something here that feels like the NSA, FBI,
| FSO/Spetssvyaz, 3/4PLA, Unit 8200, GCHQ, BfV, DGSE, CSE,
| TERM, and ISI would probably all have their "figurative" ears
| perk up.
| lynndotpy wrote:
| The 'toothbrush bot armies' are entirely believable though. The
| story was not real, but is completely within the realm of
| reality.
|
| E.g. Perhaps the toothbrush has a connectivity check to OralB
| servers that triggers once per hour, but you can change it to
| check a victim webpage once a millisecond.
|
| Smart toothbrushes (and/or their docks) have little computers
| inside of them. Oral B smart toothbrushes offered an API _eight
| years ago_ https://github.com/dukescript/dukebrush as well as a
| real-time web API:
| https://web.archive.org/web/20160310121235/https://developer...
|
| All there would need to be is an exploit that allows someone to
| (1) identify and talk to the toothbrushes, (2) coerce the
| toothbrush to ping an arbitrary IP, and (3) cause step 2 to
| happen many times for just one trigger.
| hn_throwaway_99 wrote:
| > The story was not real, but is completely within the realm
| of reality.
|
| Of course. A good lie is defined by it being relatively
| believable. Re: the viability of the exploit, my
| understanding is that most smart toothbrushes do _not_
| connect to the Internet, and even if they did, the huge
| numbers originally presented in the story (3 million
| toothbrushes) are astronomically high.
| lynndotpy wrote:
| Yeah; even ~300K or so (like Mirai in 2016) would be
| surprisingly high.
| kube-system wrote:
| Yes it has an API, but that doesn't mean it's on the
| internet. To connect via that API you have to connect to the
| toothbrush via bluetooth.
| TeMPOraL wrote:
| Bluetooth is a PITA, low-budget "smart" devices are all
| becoming Wi-Fi now.
| kube-system wrote:
| Nevertheless, no major toothbrush manufacturers use Wi-Fi.
| Oral B and Philips connected brushes all use bluetooth.
| lynndotpy wrote:
| I know someone who owns an "Oral-B iO series 10" and they
| said they connected it directly via Wi-Fi. It's possible
| they got it wrong, but multiple product reviews on the
| internet explicitly mention difficulties getting their
| Wi-Fi password onto the device.
| ben_w wrote:
| I can't help but feel blue _tooth_ is the wrong symbolism
| for a _tooth_ brush.
| lynndotpy wrote:
| > Yes it has an API, but that doesn't mean it's on the
| internet.
|
| See the second link, the "Web API" section. This is the
| part that tells me that it's on the internet.
|
| > WEB API
|
| > The Oral-B cloud service offers fast and reliable real-
| time access to Oral-B brushing activity. Fetch brushing
| data ranging from session frequency and duration to
| activity stats, achievements and more. Integrate brushing
| activity data* with health or lifestyle applications.
|
| I don't know about all the older models, but I know the
| latest Oral-B smartbrush connects directly to the internet
| using Wi-Fi.
| yorwba wrote:
| The toothbrush bot army story got started by a Swiss newspaper
| writing about a scenario they heard from a cybersecurity
| company and claiming that even though it sounds like a
| Hollywood movie, "this really happened". When the company in
| question was reached for comment, they said it was
| hypothetical.
|
| In the end, the story's spread can be explained by a
| journalist's simple misunderstanding that made the story much
| more virulent.
|
| In this case, the journalist probably also doesn't understand
| the technical details, _but_ we have a link to the researchers'
| own write-up right there in the article, which makes it much
| easier to rule out simple misunderstandings. So the situation
| is completely different.
|
| That said, they're not reconstructing the fingerprint ridges
| from the sound the way you're probably imagining. Instead, they
| build on an existing attack exploiting fingerprint readers'
| error tolerance with a set of "masterprints" that are unusually
| likely to be accepted as a match, and the sound is used to
| determine which masterprint to use first.
| hn_throwaway_99 wrote:
| > In the end, the story's spread can be explained by a
| journalist's simply misunderstanding that made the story much
| more virulent.
|
| Bollocks, you're letting the "journalist" off way too easily.
| That toothbrush story was simply "a story too good to vet",
| meaning, sure, the author had a convenient excuse blaming it
| on a "misunderstanding", and while I don't believe the author
| was necessarily lying, I do believe they had no incentive to
| dig any more deeply because the toothbrush bot army story was
| already clickbait enough.
| lupusreal wrote:
| Journalists seem to do an awful job with the kind of
| stories I understand, but surely they do better most of the
| time...
| CaptainFever wrote:
| Ah, the Gell-Mann Amnesia Effect.
|
| https://theportal.wiki/wiki/The_Gell-Mann_Amnesia_Effect
| tgsovlerkhgsel wrote:
| The newspaper claims that they explicitly asked for and
| received confirmation.
| yau8edq12i wrote:
| The toothbrush botnet story was also spread by Tom's Hardware
| in the English-speaking world. It seems like what they publish
| should be taken with a spoonful of salt.
| longwave wrote:
| If this is true does this mean we don't need fingerprint scanning
| hardware any more, but we can just use a microphone and software
| to unlock a device when the user runs their finger over any
| convenient surface?
| amanj41 wrote:
| Given the full fingerprint reconstruction rates, it would
| likely be a while until the tech is reliable enough to do that,
| if ever.
| schaefer wrote:
| >> Following tests, the researchers assert that they can
| successfully attack "up to 27.9% of partial fingerprints and 9.3%
| of complete fingerprints within five attempts at the highest
| security FAR [False Acceptance Rate] setting of 0.01%."
|
| I wonder if I'm in the lucky majority, and my fingerprints sound
| secure
| deadbabe wrote:
| Pretty soon the sound of a heart beating when a person enters a
| room will allow you to easily identify them.
| nonrandomstring wrote:
| Why bother when you can pick them up from any doorhandle, coffee
| cup, pen, table surface, or just a photograph at super high-res.
|
| Biometrics are a form of (dubious) in-person identification, and
| their use for access control belongs in the all-time stupidest
| ideas in computing list.
| tommiegannert wrote:
| The nice thing about fingerprints is that if you refuse to give
| it to an adversary, they'll just cut the finger off. If your
| fingerprint doesn't work, you're clear.
|
| If you refuse to give them your password, there's virtually no
| limit to the possible extent of the torture. You can't prove
| that further torture is pointless.
|
| /s
| nonrandomstring wrote:
| Of course, but people who indulge in torture are not seeking
| information. They're seeking satisfaction.
| hn_throwaway_99 wrote:
| I'm pretty sure that people who indulge in torture often
| want information.
| nonrandomstring wrote:
| Sure they may want it. But let's talk about Afghanistan
| and Iraq and how that worked out.
| SushiHippie wrote:
| https://xkcd.com/538/
| nonrandomstring wrote:
| {{Alt-Text: Actual Actual Reality: Nobody really cares
| about his secrets. (Also, I would be hard pressed to find
| that wrench for $5.)}}
|
| If you're browsing with javascript on and without text-only,
| you're missing a lot on the web ;)
| GrinningFool wrote:
| You can get the alt-text from hovering over the image.
| Even when js is on and text-only is off.
| SushiHippie wrote:
| And for xkcds you can also find it on
| https://explainxkcd.com/wiki/index.php/538:_Security
| whythre wrote:
| Actually successfully pulling prints (and getting more than
| smudgy partials) and then translating those lifted prints into
| something useable is somewhat time consuming and is not a
| trivial skill.
|
| Like most security measures, biometrics are typically 'good
| enough.'
| nonrandomstring wrote:
| > is not a trivial skill.
|
| True. Today. Tomorrow you will still have the same
| fingerprints.
| giantg2 wrote:
| "Why bother when you can pick them up from any doorhandle,
| coffee cup, pen, table surface, or just a photograph at super
| high-res."
|
| Most of those require being located in the same area and
| generally even at a similar time (for high use areas). This
| would be more like the photo attack where you can be located
| far away.
| anigbrowl wrote:
| Because you don't always know where your subject is.
| nonrandomstring wrote:
| Aha, blind fingerprinting (literally) via audio? Yep that's a
| vector that wasn't on my mind. If you have a database could
| ID a remote user from swipes. That's a LE win. Fair do. I
| also discovered (about 2016 while working on audio phone
| apps) that we could already ID users from their tap patterns,
| finger length, style etc - but there's no common database of
| that, so less useful.
| giantg2 wrote:
| Should be easy to obfuscate if true - use gloves, use dirt/grit
| on the screen, use oily fingers.
|
| Edit: why disagree? I bet you could even create textured screen
| protectors with randomized patterns to obfuscate the swipe.
| karaterobot wrote:
| > "up to 27.9% of partial fingerprints and 9.3% of complete
| fingerprints within five attempts at the highest security FAR
| [False Acceptance Rate] setting of 0.01%."
|
| I wonder how "partial" is defined.
|
| But anyway, the fact that you can even hear any sounds of swiping
| feels odd to me. Is this just something Apple could filter out of
| the audio data it provides to applications? I know nothing about
| audio processing.
| caymanjim wrote:
| This reminded me of power line frequency[1] being used to
| identify when and where recordings were taken. Governments keep
| historical records of subtle changes in power frequency and can
| extract the background hum to identify location and time.
|
| 1:
| https://en.wikipedia.org/wiki/Electrical_network_frequency_a...
| m463 wrote:
| I wonder if they can do that with gps. Like record a short blip
| of "unlocked" gps spectrum, then recreate the location offline
| later using saved ephemerals and other data.
| thanatosmin wrote:
| Reading the paper, it looks like they just demonstrate
| classification by left loop/right loop/whorl. That's a long way
| from recreating a full fingerprint.
| whatshisface wrote:
| It's also a long way from what I had thought would have been
| possible.
| TeMPOraL wrote:
| And a good reminder that everything you do radiates
| information about it all the time, everywhere, at the speed
| of light.
| pixl97 wrote:
| My less polite way of saying this is
|
| "Entropy is a bitch"
| ben_w wrote:
| That's a very different point.
| pixl97 wrote:
| They are pretty similar. When you look at things like
| privacy and security in light of human actions and
| behaviors, then look at our ability to record the entropy
| from those actions, a whole lot of what we thought was
| private can be divined by those that can collect enough
| of this waste.
| whatshisface wrote:
| They're related by the time reversibility of quantum
| mechanics and the necessary implication that disorder is
| the broad mixing of initial information.
| dredmorbius wrote:
| s/at the speed of light/no faster than the speed of light/
|
| Information's radiation speed is variable. Lightspeed is
| its upper limit.
|
| Though yes, _some_ leakage occurs at lightspeed.
| Fingerprint sound should be somewhat slower in most
| instances.
| thebeefytaco wrote:
| >Extensive experimental results in real-world scenarios
| demonstrate that Printlistener can attack up to 26.5% of
| partial fingerprints and 9.3% of complete fingerprints within
| five attempts at the highest security FAR setting of 0.01%
| mathgradthrow wrote:
| Fingerprints aren't secure. You literally leave them on anything
| you touch.
| tomasreimers wrote:
| Reminds me of a sidechannel attack I demo'd in college:
|
| https://medium.com/@tomasreimers/axolotl-a-keylogger-for-iph...
| neonate wrote:
| https://www.ndss-symposium.org/wp-content/uploads/2024-618-p...
___________________________________________________________________
(page generated 2024-02-20 23:01 UTC)