Hackers may have a new way of obtaining your biometric data – by secretly listening in to the sound of your finger swiping on your smartphone.
A team of scientists from China and the United States say they have devised a side-channel attack on minutiae-based automatic fingerprint identification systems (AFISs) which allows them to extract fingerprint patterns from the sound of friction produced by swiping on a touchscreen. Side channel attacks exploit information that is inadvertently leaked by a system.
The researchers have named the new attack PrintListener. They claim that the new attack method could increase the efficiency of MasterPrints, ringing alarm bells for the security of fingerprint authentication.
MasterPrints are synthetic fingerprints designed to be generic enough to match a large number of fingerprints and fool a biometric system. PatternMasterPrints works similarly but it also adds information from the patterns of an individual user swiping a screen, increasing the chance of matching with a real fingerprint.
PrintListener uses algorithms to process the audio signal of the sound of friction of a finger swiping through a screen, which has unique biometric characteristics. This is then used to synthesize PatternMasterPrints.
Attackers could potentially obtain these audio signals with the help of malware while users engage with social apps, such as gaming through Discord or making calls through Apple FaceTime or Skype.
“After eavesdropping on the user’s finger friction sound through a social network, PrintListener generates a specialized PatternMasterprint sequence specifically designed for the user’s fingerprint,” the team writes in their paper.
The team has also performed real-world experiments showing that PrintListener can attack up to 26.5 percent of partial fingerprints and 9.3 percent of complete fingerprints within five attempts at the highest security FAR setting of 0.01 percent. This far exceeds the attack potency of MasterPrint, they note.
The paper was authored by researchers from Huazhong University of Science and Technology in Wuhan, China, Beijing’s Tsinghua University and the University of Colorado Denver. The research will be presented at the Network and Distributed System Security Symposium (NDSS) 2024, taking place from 26 February to 1 March 2024 in San Diego, California.
Article: Scientists recreate fingerprints from the sound of swiping on a touchscreen