Gebhard pointed us to an article at Heise, which reports that researchers are working towards a “universal fingerprint” – a master pattern (or small number of master patterns) that ring enough bells to unlock any of today’s fingerprint readers. They are currently have an approach that takes partial impressions and combines them until it “matches enough” to unlock a phone (or otherwise match a biometric reader) – essentially a dictionary attack against your fingerprint. They are currently at a 65% success rate, but of course that can only get better.
Their advice? Get better readers (that can read depth of fingerprint patterns, add in heartbeat sensors etc), or combine multiple authentication mechanisms if your plan needs to account for attacks of this type. I’d say nation-state attacks, but this sounds like it’s something anyone who’s reasonably funded and motivated could take on, especially after the research is formally published.
Add this to the well-known fact that once compromised, you cannot revoke your fingerprints, or change them either. If a successful and simple fingerprint attack is possible, either we need to look at better fingerprint readers going forward, or this takes fingerprint authentication off the table entirely.
Source: SANS Internet Storm Center, InfoCON: green @ May 4, 2017 at 05:03PM