An interesting new attack on biometric security has been discovered by a team of researchers from China and the US. The paper is titled "PrintListener: Uncovering the Vulnerability of Fingerprint Authentication via the Finger Friction Sound".
Their study proposes a side-channel attack on sophisticated automatic fingerprint identification systems (AFIS). The attack uses the audio characteristics of a user's finger swiping on a touch screen to extract fingerprint pattern features. After testing, the researchers claim they can successfully attack “up to 27.9% of partial fingerprints and 9.3% of full fingerprints within five attempts at the highest FAR [False Acceptance Rate] setting of 0.01%.” This is claimed to be the first project to use swipe sounds to infer information from fingerprints.
Without having normal (contact) prints or detailed fingerprint photos, how can one hope to get the data needed to improve the results of MasterPrint and DeepMasterPrint dictionary attacks on user fingerprints?
One answer is this: the PrintListener study reports that “finger rubbing sounds can be recorded by attackers on the internet.” Sources of finger-swipe sounds include popular apps such as Discord, Skype, WeChat and FaceTime, or any conversational app where users carelessly swipe the screen while the device's microphone is on. Hence the PrintListener attack name.
To prove their theory, the scientists performed PrintListener attacks. Briefly, PrintListener uses a series of algorithms to pre-process the raw audio signals, which are then used to generate targeted synthetics for PatternMasterPrint (a MasterPrint generated from fingerprints with a specific pattern).