What more do we have to do to keep our smartphones locked to prying eyes — and fingers?
Practicing basic phone security is already too much to ask for far too many people — and now, a study suggests that one of the most basic tools for safeguarding your device might not be as secure as you might think.
Researchers from New York University and Michigan State University exposed vulnerabilities with common fingerprint scanners, claiming they were able to create a set of “master prints” — fingerprints that have the ability to match multiple patterns — that bypassed the system up to 65 percent of the time. The team published their findings in this month’s edition of IEEE Transactions on Information Forensics & Security.
The master prints were made to take advantage of the miniature size of most smartphone print scanners. Since they’re so small, the systems are commonly designed to match partial scans, rather than each and every individual ridge of your finger.
“There’s a much greater chance of falsely matching a partial print than a full one, and most devices rely only on partials for identification,” one of the study’s authors, Nasir Memon of NYU, told The Telegraph.
Many of these security systems also allow users to store prints from more than one finger, which makes it even more likely that the master prints find a match.
The study does have some caveats. The researchers put their method to the test on two datasets of prints in a computer simulation rather than actually creating the master prints and testing them on real smartphones.
Apple, for its part, claims that the probability of a portion of two separate fingerprints matching in the Touch ID system is 1 in 50,000 for one enrolled finger.
Should you really be worried?
There are several practical hurdles that need to be cleared for this type of scan to be a threat IRL. A thief would have to create their own set of master prints and some way of applying them that mimics a real human finger. Then, they’d need to get physical access to your phone to even have a chance of unlocking it.
Fingerprint scanners aren’t the only phone security systems that have been probed and found wanting. A similar study published earlier this year reported Android’s Pattern Lock system can be cracked, too — but the break-in involves recording the phone’s owner unlocking the phone and then analyzing the recording with high-level computer vision software, so it’s not very likely to be applied widely, either.
The new Samsung Galaxy S8’s facial-unlock tool has issues as well: a video looked to show the phone unlocked after being shown a photo of the owner. The S8 isn’t even on the market yet — it’s slated for release on April 21 — so there’s no way to confirm that vulnerability just yet. Even if it’s true, the device has an iris scanner to go along with fingerprint and passcode protections, so you can still lock it down.
If you’re really concerned about your phone’s first lines of defense, make sure you enable all the protections available. Fingerprint scanners are a good start, but you should always set a passcode lock with a less predictable PIN than “1234” or “0000,” too. If your phone gets stolen, you’ll still be on the outs — but if they can’t crack your code, your info will at least be safe.