Fingerprint recognition on smartphones unsafe and hackable

ELLIE DIERKING / COURTESY
ELLIE DIERKING / COURTESY

New ultrasonic technology to change personal information security

Smartphones, tablets and laptops have become so personalized that just the touch of a finger can unlock a device. Although this idea may seem foolproof to identity theft and fraud, new ultrasonic technology developed at UC Berkeley and UC Davis was created as a more secure way to protect personal information than modern finger recognition.

“Today [smartphone technology has] flaws. [It is] not extremely secure,” said Bernhard Boser, a professor in the UC Berkeley Department of Electrical Engineering and Computer Sciences.

While modern technology allows access to a device granted by an individual’s unique fingerprint, the 2D image of a print can be copied and used as a fake print that can fool a sensor.

An ultrasonic sensor developed to capture images inside of human tissue is responsible for the new fingerprint recognition sensor that has the potential to be installed in all types of mobile devices.

“We have two different technologies: one is the ultrasonic sensor in air, and the other is the ultrasonic sensor in tissue,” said David Horsley of the UC Davis Department of Mechanical and Aerospace Engineering and collaborator of the ultrasonic technology project.

The compact ultrasonic technology captures a fingerprint in 3D to uniquely identify a person, imaging both the ridges and valleys of a fingerprint surface as well as the tissue right beneath the skin.

“We have made a new system using ultrasound technology, and it is much better. This imaging process can look at the surface of fingerprints and inside the finger,” Boser said. “There are more patterns inside the finger that can’t be put onto glass screen of a phone.”

The ultrasonic technology can sense the subsurface structure of the skin, distinguishing between layers of tissue by analyzing the densities of live and dead skin cells.

The additional third dimension of the fingerprint image will make it more difficult for someone trying to steal a fingerprint to unlock a phone or to commit identity theft.

On human hands, natural oils and sweat create the thin, barely noticeable fingerprints left behind on surfaces we touch. It is relatively easy for those fingerprints to be collected. A fake fingerprint can be made by taking a picture of a left-behind print on a phone screen and then copying it using a Xerox machine or 3D printer.

“The smartphone essentially contains all the info it needs to unlock it. This is quite a big security hole,” Boser said.

Individual electronic devices are so convenient that information stored on them might not only be personal, but include medical and financial information through apps like Wallet and Health on the iPhone.

“Imagine features such as Apple Pay and others that depend on fingerprint recognition. You don’t want people stealing your personal or financial information, because it is possible,” Horsley said. “This is something to be concerned about, so having a better system that is more secure is necessary.”

The hackable 2D fingerprint recognition scanner can be replaced with the ultrasonic 3D fingerprint touch sensor in all devices that utilize fingerprints as a way to secure information.

The research behind the ultrasonic technology started in 2007 with a collaboration between UC Berkeley and UC Davis, with the development of piezoelectric-micromachined ultrasonic transducers (PMUTs).

These transducers, devices that convert one type of energy to another, were the basis of the 3D fingerprint sensor technology.

The ultrasonic technology used in fingerprint recognition was inspired by the ultrasonic scanners commonly used in medical settings, such as viewing images of a fetus via a sonogram. However, the fingerprint scanner technology is much more compact and able to be installed in portable electronic devices like phones, laptops and tablets.

“The fingerprint sensor works kind of like the medical sensor. […] We made a pulse that emits ultrasound, and the transducers receive returning information about the composition of patterns on and just beneath the surface of the skin,” Horsley said.

Although many devoted Apple customers were excited about the release of an iPhone with a fingerprint recognition unlock feature, there were customers who were hesitant about how secure it really was.

“When the iPhone first came out with a fingerprint recognition unlock feature, the next day people proved that you could unlock the phone using a re-created fingerprint via Xerox or 3D printer,” Horsley said.

Despite the proof of how unsecure a 2D fingerprint recognition system may be, Apple, Android and other major-brand products have continued to flourish among consumers.

Installing a 3D ultrasonic fingerprint sensor, rather than the current 2D print recognition in mobile devices, offers a new design to smartphones.

“By putting the fingerprint sensor beneath glass of the screen, that smartphone could be redesigned, essentially eliminating the home-button feature,” Horsley said. “This is definitely a possibility for the iPhone 8.”

A commercial smartphone already exists with a fingerprint sensor under the glass screen: the Xiaomi Mi 5s. Xiaomi is a Chinese electronics manufacturer and the company is not planning to release these phones in the United States.

Another company involved in ultrasonic fingerprint sensors is Invensense, headquartered in San Jose, which announced in 2015 that they are manufacturing a sensor for mobile devices to be released in 2017.

The fingerprint touch sensor product is called the UltraPrint Mass, and it is able to be placed within a device without cutting a hole in display glass.

With the new development of ultrasonic technology for fingerprint sensors comes a new generation of electronic devices.

“There are two advantages [to our product]: one is the sensing over glass or metal, not plastic. Second, the technology can sense the live finger instead of the sensing just the fingerprint,” said Zaryab Hamavand, director of sales at Invensense. “Basically, the extra security is [that] it makes sure it is a live person’s finger, and not a copy of a print.”

Written by: Shivani Kamal — science@theaggie.org