I've noticed a lot of phones (not to mention, other devices) have built in fingerprint sensors these days.
Do these devices store information in such a way that your fingerprint could be reconstructed by someone with access to it?
Asked
Active
Viewed 242 times
1
-
Are you asking to restore the original fingerprint of the user or some artificial fingerprint which is sufficient to fool the sensor? – Steffen Ullrich Jan 06 '21 at 22:49
-
it would be a digital version of an analog (quantifiable vs. infinite).... so at a certain resolution. – pcalkins Jan 06 '21 at 22:57
-
Essentially, if someone could fake your fingerprint in the general case (imagine: 3D printed model.) – user1833028 Jan 06 '21 at 23:10
-
1You can actually just get the fingerprint right off the phone case itself. I know because I saw it in a movie – Conor Mancone Jan 07 '21 at 09:56
2 Answers
3
Devices that support biometric authentication are equipped with Trusted Execution Environment (TEE) that stores fingerprint data in its own isolated tamper-resistant storage. The biometric sensor communicates with sensor driver which lives inside TEE. When a user wants to enroll fingerprint, fingerprint data from the sensor goes directly to the sensor driver where it is stored by TEE.
At the time of biometric authentication, TEE only answers whether the fingerprint was correct or incorrect. Raw fingerprint data is never accessible from outside the sensor driver. Hardware access is limited to the TEE and protected by an SELinux policy. The Serial Peripheral Interface (SPI) channel is accessible only to the TEE.
TEE does not hash fingerprint data because every time you put your finger differently on the sensor. The mathematical values can be used to reconstruct your fingerprint if algorithm is known.TEE encrypts fingerprint data with a symmetric key. It also signs biometric metadata that is outside of TEE and is used by TEE in validating fingerprint. So if you try to swap TEE chip with your own device's TEE, signature check will fail along with user authentication.
Even if you obtain root access on the device, fingerprints that are already stored in TEE can never be extracted. Patching sensor driver to leak fingerprint data will fail signature check of TEE image on boot and the device will brick. TEE image is still verified even if the bootloader is in unlocked and unlocked_crirical state. Emulating TEE on rooted device is still not enough to hijack sensor communication as SPI channel is bound to the real TEE.
Theoretically, you can compromise SPI channel with hardware debuggers on unrooted device to leak future accesses to the sensor but this attack is not scalable. In order to test sensor driver, some OEMs intentionally leak sensor data to testing application in prototype devices. It seems Mi forgot to disable the access for some of its production devices which is a security hole because any application can access sensor data on those devices. How this is not already violating SELinux policy is unclear.
The easiest way to reconstruct fingerprint is to copy prints from the surface. Fingerprint protection is as secure as physical protection.
defalt
- 6,231
- 2
- 22
- 37
-
Is the just iOS devices? I imagine not all devices using biometrics use this set up. – TrickyDupes Jan 07 '21 at 09:02
-
-
Many laptops with built-in fingerprint readers as well. It gets more complicated with external USB devices. – Jörg W Mittag Jan 07 '21 at 10:02
1
The best analogy for this is that most biometric templates stored on devices are like hashes of a password. You don't ever persist the password itself and instead persist the hash of it. You never store the raw fingerprint data itself and instead store the template, which is a derived value of the raw data.
However, like hashes there are varying degrees of hardness to reverse. With relatively little effort I can reverse md5(yourpassword), but it is practically impossible to reverse pbkdf2(yourpassword) (contrived example, there's more to it than that).
There isn't a lot of research on this for fingerprint/biometric data like there is for cryptographic hashes and a lot of these algorithms in devices are still proprietary so its difficult to offer a more specific answer.
The question though is supposing you were able to reconstruct the fingerprint, what would your intentions be with it? Many of these sensors have methods of detecting replays through liveness detection (and other mechanisms) so constructing a fake print would be incredibly difficult. Using it for non-repudiation is a bit redundant since you only need the template for that anyway.
Steve
- 15,155
- 3
- 37
- 66
-
Technically you can _never_ reverse md5(x) or pbkdf2(x), only brute force them. – gowenfawr Jan 06 '21 at 23:19
-
Cryptographically yes of course, I was speaking to intent. How you get there is less important to whether you can get there. – Steve Jan 06 '21 at 23:52
-
are you sure hashes are used? These are measurements which do not exactly match each time. How would they compare to a "like" state if they were hashed? – pcalkins Jan 07 '21 at 18:28
-
I didn't say hashes were used. I said the algorithms behave like hashes. – Steve Jan 07 '21 at 18:39