In the wake of the WannaCry ransomware computer virus attack, here’s one more thing to worry about. The fingerprint identification systems that some modern laptops use to recognize users can be easily compromised with a spoofing process.
Synaptics, the maker of fingerprint identification sensors and touchpad technology, issued the warning earlier this month that some computer makers, seeking to save about 25 cents per machine, have chosen to use insecure smartphone fingerprint sensors instead of more secure laptop sensors, said Godfrey Cheng, vice president of product for Santa Clara, Calif.-based Synaptics, in an interview with VentureBeat.
“Fingerprint identification has taken off because it is secure and convenient when it’s done right,” he said. “When it’s not secure all of the way through, then that’s an exposure that an attacker can exploit.”
The smartphone fingerprint sensors typically use unencrypted methods to store and send the fingerprint to a central processing unit (CPU) for processing. That makes the data vulnerable to snooping software and other hacks. Synaptics sensors, by contrast, use encryption and a secondary host processor to do the recognition work.
That encryption makes it a lot harder for hackers to copy the fingerprint and use it to unlock a computer remotely, Cheng said. Synaptics will demo the fingerprint insecurity at the Computex trade show in Taiwan this week.
The insecure fingerprint sensors are disturbing because modern laptop users are conditioned to believe that fingerprints are unique and are much safer than passwords. This is true, but a laptop manufacturer’s choice in buying sensors can potentially lead to the theft of your fingerprint image. That makes a user’s laptop secrets vulnerable, as well as an entire enterprise if it’s a work computer.
“There are two types of fingerprint sensors in the notebook market today,” Cheng said. “Those that are encrypted and safe, and those that are unencrypted and unsafe.”
Cheng showed that thieves can use typical phishing methods to take control of your computer and plant a software program to sniff out your fingerprint when you use the laptop’s fingerprint scanner. Once they have the image, they can use a spoof to gain access. He showed this working on a machine I was using, as you can see in the video.
“Some computer makers will compromise their brand and customers for 25 cents,” said Cheng. “That’s wrong. They claim they have encryption, but not on the link of the sensor to the host.”
They can also print a QR code from a $200 inkjet printer that contains your fingerprint data. If a thief takes the print out and presses it down against a fingerprint sensor, the fingerprint scanner will recognize the paper as a legitimate fingerprint and unlock the computer. Cheng and his colleagues showed such a spoof working for me in a demo.
Whatever level of access the user has to the enterprise is now exposed to the hacker. They can get access to a company’s data and all of its corporate network access services. And if you use your fingerprint to verify passwords for various e-commerce accounts, those networks become vulnerable as well.
This attack method can be expanded to the power control circuitry, allowing a thief to power on the system remotely at will and turn it off without anyone noticing.
To prevent this from happening, you should check to see if your laptop uses encrypted fingerprint sensors, such as those made by Synaptics. Synaptics has introduced a suite of security features dubbed SentryPoint, where it fully encrypts the paths between the fingerprint sensor and the computer host or a secondary processor.
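The difference Cheng describes is the sensor-to-host link: an unencrypted sensor hands the fingerprint template to the CPU in the clear, so any snooping software on the host sees it, while an encrypted sensor shares a pairing key with the host (or secondary processor) and authenticates every frame. The toy model below is an added illustration, not Synaptics’ code or the SentryPoint protocol: the template bytes are constructed, the “bus snooper” stands in for host-side malware, and the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag (a stdlib stand-in for AES, chosen only so the example runs without third-party packages). It shows what the snooper captures in each design and why a replayed or tampered frame is rejected by the host.

```python
"""Toy model of a fingerprint sensor talking to the host over an internal bus.

Constructed illustration: the template bytes, the snooper and the cipher are
stand-ins, not a vendor protocol. Demonstrates why an unauthenticated,
unencrypted sensor link exposes the template to host-side malware.
"""
import hashlib
import hmac
import secrets

# Constructed sample "fingerprint template" (real templates are opaque vendor blobs).
SAMPLE_TEMPLATE = b"MINUTIAE:12,34,0x1f;56,78,0x0a;90,12,0x33"
NONCE_LEN, SEQ_LEN, TAG_LEN = 12, 4, 32


def bus_snooper(frame: bytes) -> bytes:
    """Models snooping software on the host recording raw sensor traffic."""
    return frame


# --- Insecure design: the template crosses the bus in the clear ---------------
def insecure_sensor_frame(template: bytes) -> bytes:
    return template


# --- Secure design: per-device pairing key, encrypt-then-MAC, anti-replay -----
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a demo stream cipher (stand-in for AES).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def secure_sensor_frame(key: bytes, template: bytes, seq: int, nonce: bytes = None) -> bytes:
    """Frame = nonce || seq || ciphertext || HMAC tag over (nonce || seq || ciphertext)."""
    nonce = nonce if nonce is not None else secrets.token_bytes(NONCE_LEN)
    header = nonce + seq.to_bytes(SEQ_LEN, "big")
    ct = _xor(template, _keystream(key, nonce, len(template)))
    tag = hmac.new(key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


class Host:
    """Host (or secondary processor) holding the pairing key for one sensor."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, frame: bytes):
        """Return the decrypted template, or None if the frame is forged, tampered or replayed."""
        if len(frame) < NONCE_LEN + SEQ_LEN + TAG_LEN:
            return None
        header, ct, tag = frame[:NONCE_LEN + SEQ_LEN], frame[NONCE_LEN + SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # wrong key or modified bytes
        seq = int.from_bytes(header[NONCE_LEN:], "big")
        if seq <= self.last_seq:
            return None  # replay of an earlier capture
        self.last_seq = seq
        return _xor(ct, _keystream(self.key, header[:NONCE_LEN], len(ct)))


def demo() -> dict:
    """Run both designs past the snooper and summarise what each one leaks."""
    key = secrets.token_bytes(32)  # provisioned at pairing time, never sent on the bus
    host = Host(key)
    plain_capture = bus_snooper(insecure_sensor_frame(SAMPLE_TEMPLATE))
    frame = secure_sensor_frame(key, SAMPLE_TEMPLATE, seq=1)
    enc_capture = bus_snooper(frame)
    return {
        "insecure_leaks_template": plain_capture == SAMPLE_TEMPLATE,
        "secure_leaks_template": SAMPLE_TEMPLATE in enc_capture,
        "host_accepts_first": host.accept(frame) == SAMPLE_TEMPLATE,
        "host_accepts_replay": host.accept(enc_capture) is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the model is the one the article makes: the snooper gets exactly the same bytes in both designs, but in the encrypted design those bytes are useless without the pairing key, and even a captured frame cannot be replayed later because the host tracks the sequence number. Note that this protects the link only; it does not, by itself, stop a spoof presented physically to the sensor.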
“Encryption is only as strong as its weakest link,” Cheng said.
Some laptop manufacturers chose to use smartphone fingerprint sensors for cost reasons. But laptops are more vulnerable than phones, since we keep smartphones on our bodies, like in our pants pockets or purses, most of the time. Notebooks are often left on the desk at home, in the car, at the office, and on a public coffee shop table. You can easily get access to the internals of a notebook casing in just a few minutes.
Intel and Microsoft are both working hard to protect data once it is inside the host environment. Flash-based storage, known as SSDs, is encrypted. Even the BIOS (basic input output software, which starts a computer) is now secured. This leaves any unencrypted sensor as a vulnerability.
Two-factor authentication, where a user has to provide two means of secure identification, would help deal with this vulnerability. If your laptop combined fingerprint and face identification, that would help.
Biometric fingerprint solutions use a publicly vetted algorithm such as AES256. Using a present-day super-computer, it would take 1,056 years to brute force (try all possible combinations) an AES 256-bit key. That’s not impossible to crack, but it’s very inconvenient for the attackers. The whole point is to balance convenience for users with protection.
“Fingerprint identification will have breakages, as no security is perfect,” Cheng said. “We will continue to step up. Security is weighed against convenience. Somewhere in the middle is a happy medium.”