Abstract
Many smartphones now use fingerprint verification to authenticate their users. Because fingerprint verification is used not only to unlock these smartphones but also in financial applications such as online payment, securing the fingerprint verification mechanism is crucial for reliable services. In this paper, we identify a few vulnerabilities in one of the currently deployed smartphones equipped with a fingerprint verification service by analyzing the service application. We demonstrate actual attacks via proof-of-concept code that exploits these vulnerabilities. With these attacks, an attacker can extract fingerprint features by decoding a file containing them in encrypted form. We also suggest a few possible countermeasures against these attacks.
This research was supported in part by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education (grant number: 2014R1A1A2058514) and in part by the MSIP, Korea, under the ITRC support program (IITP-2015-H8501-15-1008) supervised by the IITP.
Notes
1. The VEGA series is one of the earliest smartphones with a fingerprint recognition service, predating more recent popular models such as the iPhone 5s and Galaxy S5 [2]. The vulnerability was found on the device with Android 4.2.2 as of April 2014. We reported this to the vendor. The vulnerability was independently addressed by the vendor through a patch.
References
Paypal. https://www.paypal-pages.com/samsunggalaxys5/us/index.html
Pantech. http://www.pantech.co.kr/en/board/reportBoardView.do?seq=5870&bbsID=report&ulcd=KO
ISO/IEC International Standard 19794-2. Information Technology—biometric data interchange formats—part 2: finger minutiae data (2011)
ANSI INCITS 378-2009: American National Standard for Information Technology—finger minutiae format for data interchange (2009)
NIST special publication 800-38A, recommendation for block cipher modes of operation (2001)
NIST federal information processing standards publication 197. Advanced Encryption Standard (AES) (2001)
OpenSSL. http://www.openssl.org/
Cappelli, R., Maio, D., Lumini, A., Maltoni, D.: Fingerprint image reconstruction from standard templates. IEEE Trans. Pattern Anal. Mach. Intell. 29(9), 1489–1503 (2007)
Feng, J., Jain, A.K.: Fingerprint reconstruction: from minutiae to phase. IEEE Trans. Pattern Anal. Mach. Intell. 33(2), 209–223 (2011)
Ratha, N.K., Chikkerur, S., Connell, J.H., Bolle, R.M.: Generating cancelable fingerprint templates. IEEE Trans. Pattern Anal. Mach. Intell. 29(4), 561–572 (2007)
Moon, D., Yoo, J.-H., Lee, M.-K.: Improved cancelable fingerprint templates using minutiae-based functional transform. Secur. Commun. Networks 7(10), 1543–1551 (2014)
ARM. http://www.arm.com/products/processors/technologies/trustzone/index.php
Copyright information
© 2016 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Jo, YH., Jeon, SY., Im, JH., Lee, MK. (2016). Vulnerability Analysis on Smartphone Fingerprint Templates. In: Park, J., Chao, HC., Arabnia, H., Yen, N. (eds) Advanced Multimedia and Ubiquitous Engineering. Lecture Notes in Electrical Engineering, vol 354. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-47895-0_9
DOI: https://doi.org/10.1007/978-3-662-47895-0_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-47894-3
Online ISBN: 978-3-662-47895-0
eBook Packages: Engineering, Engineering (R0)