Remember the old days when car thieves somehow got a hold of a make or model's "master key" and they could use that to steal a bunch of cars?
A new development is kind of like that, but scarier.
Researchers have just used Machine Learning to develop a series of "deep" master fingerprints that could defeat your phone's biometric security a frightening percentage of the time.
The team at New York University and Michigan State University describes what they have done in the introduction to their new paper:
MasterPrints are real or synthetic fingerprints that can fortuitously match with a large number of fingerprints thereby undermining the security afforded by fingerprint systems.
In this work, we generate complete image-level MasterPrints known as DeepMasterPrints, whose attack accuracy is found to be much superior
Machine Learning used to make fake fingerprints
The researchers used a Machine Learning method called GAN, which stands for Generative Adversarial Network.
The neural network is made up of two parts. There is a "generator" that accepts input and then creates the fingerprints in an unsupervised fashion. It then passes these fake fingerprints to the second part of this GAN, called the "discriminator," which essentially analyzes the generator's work.
The discriminator then tells the generator which prints seem real and which seem fake, and the generator tries to make them more and more realistic.
Think of it like running through practice lines for a play. At first, it's rough. You are simply reading the lines and your expression is wrong.
However, after your director keeps correcting you and telling you to try again, you eventually nail it. What you are saying is believable to the audience because you have refined everything about your delivery.
Put simply, this is how the generator and discriminator work off each other in the GAN.
Fake fingerprints defeat biometrics
The researchers then took the fingerprints which Machine Learning deemed "realistic" and tried them like a master key against the same level of security you would find on a typical iPhone or Android device.
Their findings? Twenty-three percent of the time they were able to use these fake master fingerprints to defeat biometric security on a typical phone, tablet, or laptop.
If fingerprints rarely match, how can biometric security be fooled?
Perhaps you are wondering how this is possible since Apple put the odds of a fingerprint match on the iPhone at something like 1 in 50,000.
Researchers revealed a detail most of us may have overlooked until now: your phone only looks at a few of your fingerprint's characteristics to verify that it is you.
For one thing, the sensor is tiny. Your entire finger does not even fit on it in most cases.
And if it required everything from your scan (when you initially set it up) to log in, you would have to place your finger in the exact same way to be logged on, which would force you to try again and again to get it right.
Whoops, there goes the convenience of logging on with biometrics.
However, researchers point out that choosing this biometric convenience comes at the cost of security. This is true of passwords and now of fingerprints.
"This is the first work that creates a synthetic Masterprint at the image-level thereby further reinforcing the danger of utilizing small-sized sensors with limited resolution in fingerprint applications," the researchers concluded.
The fake master fingerprint research is an interesting read. It also looked at biometric security where you are required to roll your finger across a fingerprint scanner to gain access.
This method was more secure, but in some cases was still fooled by the computer-generated fake fingerprints.
How long will it be until cybercriminals begin using Machine Learning to defeat biometric security?
Perhaps they already are.