With the Dark Android Project, I get asked all the time what Android devices do I recommend people buy. Keep in mind, the purpose of the Dark Android Project is to create DAPS-compatible devices. That means devices that allow for and respect anonymity, privacy, and security. So the devices I recommend keep those things in mind.
One of the first things I recommend against in a device is built-in biometric security features…a la fingerprint readers. And I grant you, it’s harder and harder to find new phones and even tablets that don’t have fingerprint readers built-in, but fortunately at the moment you can at least turn the reader off, and use a PIN or password to unlock your mobile device and other various aspects of it. And I recommend doing so because–as has been proven over and over again–biometrics are pure shit as far as security. And now, there’s a new, relatively inexpensive way to break into any device locked by a fingerprint reader…
Researchers at Michigan State University have found a cheaper and faster way to unlock mobile phones protected by fingerprint sensors using an off-the-shelf printer and special photo paper. The process can be done in well under 15 minutes, significantly faster than current fingerprint spoofs—which rely on 3D printing—that take more than twice as long.
The method uses a normal inkjet printer and conductive silver ink and a type of photo paper, both from a Japanese manufacturer called AgIC. The researchers used a Brother printer that costs about $400 new on Amazon. The method is detailed in a technical report (pdf) published Feb. 20, 2016.
The process starts with a scanned photo of the target user’s fingerprint. This image is scanned, then some fiddling with contrast levels may be required. The image is then mirrored and printed on a glossy paper that resembles photo stock, using a conductive ink that contains silver. A set of ink and paper costs about $350 from the manufacturer, AgIC.
You could literally print out a “hack” into a mobile device, including for the so-vaunted iPhone, and Scamsung’s (spelled correctly) phones–Scamsung Knox be damned. And it’s important to note that, as of this writing, no mobile device manufacturer has done anything to answer this genuine security flaw in biometric security.
But is this a practical “hack” that people would use to get into smartphones? Granted, while all of the equipment necessary to pull off this fingerprint reader spoofing is readily available to everyone, and it doesn’t cost much, there are challenges. That means the average person probably isn’t going to do this. They’d need to get a clean “copy” of your fingerprint, for one, and that can be a huge challenge in itself. So while this spoofing isn’t academic, it isn’t exactly practical, either. So the likelyhood of this getting used on you is minimal, but then so are many other things that you probably take far more seriously than chances would suggest.
SIDE NOTE: One of my other concerns over the use of fingerprint readers at all is that when you use them, your fingerprint is getting put into a centralized database that potentially a bad actor (malicious cracker, the NSA, GCHQ, etc.) can use against you, such as in the case of printing out your fingerprint to break into your phone. These centralized databases used to only be used for the collection of soldiers, police, and criminals (but I repeat myself) fingerprints. But now people hand over (no pun intended) their fingerprints willy nilly. It’s mindboggling to me. If I wasn’t already–unfortunately–a veteran, I would never have handed over my fingerprints.
And with this being possible, and having been known of since February of 2016, it’s interesting that the FBI hasn’t used this method in the now famous “Apple vs. The FBI” case to break into the San Bernardino shooter’s iPhone, instead of spending all this time hassling Apple (really, it just proves that the case is all about setting a legal precedent for the FBI, it’s not about their supposed inability to get into phones).
I really appreciate that people find it easy to use a fingerprint reader as a way to login and “secure” their mobile devices. I get it. But actual security never comes with ease. It can’t. The trade-off will always exist between convenience and security/privacy. So I leave it to you which you choose. Just keep in mind that a fingerprint reader–and biometrics in general–isn’t really adding more security, it’s just adding a locking option. And that means it’s just adding another not-so-theoretical gateway in to your device.