The sound of swiping reveals your fingerprints, researchers warn


You may want to change a few habits while using your phone. Researchers are sounding the alarm over authentication security, as fingerprints can be leaked just by listening to the sound of fingertips swiping across the screen.

Researchers from China and the US were able to attack up to 27.9% of partial fingerprints and 9.3% of complete fingerprints within five attempts when the false accept rate (FAR) was set at “the highest security setting” of 0.01%.

The proposed side-channel attack, dubbed PrintListener, leverages the sounds made by users’ fingertip friction while they use social media or other apps on their phones.

Fingerprints are already one of the most popular forms of personal identification for phone screen unlocking, approving online payments, access control, and more. Leaked fingerprints may cause a lot of damage, from sensitive information theft to economic losses and even compromise of national security.

“The attack scenario of PrintListener is extensive and covert. It only needs to record users’ fingertip friction sound and can be launched by leveraging a large number of social media platforms,” the paper reads.

This work extends previous research that demonstrated the vulnerability of fingerprint recognition systems to dictionary attacks. Some real and synthetic fingerprints can fortuitously match many fingerprints, and an attacker who has some information about a user's fingerprints can make such attacks much more successful.

Listening to swiping fingers gives attackers two advantages: the attack is stealthy, relying only on mainstream apps and device microphones, and it is pervasive, requiring no extensive training on specific individuals.

At first, researchers recorded the friction sounds of nine participants against the screen of a Google Pixel 4, which was covered with a matte screen protector, to reveal that each data point of the friction sound formed a cluster corresponding to a unique fingerprint pattern. For the evaluation of their attack, researchers later recruited 65 participants aged 18 to 30.


The challenge was to extract important information from finger frictions that range from 0.2 to 0.8 seconds and have extremely weak intensity. The original audio recording contains a significant amount of redundant information, and sound characteristics are influenced by users’ physiological and behavioral features.

“When the finger swipes on a screen, the weak coupling between the finger pad and the screen will generate a roughness noise. The production of roughness noise involves three essential factors: friction (the elastic deformation between the fingertips and the smartphone screen amplifies the vibrations), dynamics (the vibrations and waves propagate between the finger and the screen), and acoustics (audible roughness sound radiates from the finger to the surface of the phone and propagates through the air and solid medium to the phone’s microphone),” researchers explained.

They designed “a friction sound event localization algorithm based on spectral analysis.”

“By moving time windows and examining the energy spectral density of audio in different frequency bands, we detect the starting and ending points of friction sound events,” the paper reads.

A series of algorithms pre-process audio signals, eliminating the interference and noise and providing a better prediction for dictionary attacks.

How would you defend against such an attack?

Researchers also shared some ideas on how users could protect their fingertips from someone listening.

“A simple countermeasure to prevent the leakage of finger friction sound containing fingerprint features is to correct some users’ habits. For example, users try not to swipe their fingers on the phone screen when making audio and video calls on social media platforms. However, it is difficult to avoid not performing the swiping operation in some scenarios, e.g., engaging in online gaming on mobile phones or tablets through social applications,” the paper reads.

They also suggest that audio/video social and communication apps could be limited to lower audio sampling rates, as that would decrease the accuracy of the models.

“Additionally, audio/video social apps can destroy finger frictional sound features with automatic speech noise reduction or implement pop-up reminders to caution users to be careful when performing swiping operations while the microphone is in use,” the paper notes.
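For app developers who want to verify the band-limiting countermeasure, the following added example (not code from the paper or this article) applies the moving-window, band-energy localization quoted earlier to a constructed signal and then checks that a low-pass capture path leaves nothing to localize. The band limits, thresholds, the moving-average filter and the test signal are all assumptions chosen for illustration.

```python
import cmath, math

FS = 16000            # sample rate in Hz (assumed)
WIN, HOP = 256, 128   # 16 ms moving window, 8 ms hop (assumed)
BAND = (5000, 7000)   # band treated as friction-dominated (assumed, not from the paper)

def band_energy(x):
    """Energy inside BAND for each Hann-windowed frame (plain DFT over the band's bins)."""
    hann = [0.5 - 0.5 * math.cos(2 * math.pi * n / WIN) for n in range(WIN)]
    bins = range(BAND[0] * WIN // FS, BAND[1] * WIN // FS + 1)
    tw = {k: [cmath.exp(-2j * math.pi * k * n / WIN) for n in range(WIN)] for k in bins}
    out = []
    for s in range(0, len(x) - WIN + 1, HOP):
        f = [x[s + n] * hann[n] for n in range(WIN)]
        out.append(sum(abs(sum(a * b for a, b in zip(f, tw[k]))) ** 2 for k in bins))
    return out

def locate_events(x, floor=1.0, ratio=20.0):
    """(start_s, end_s) spans whose band energy exceeds max(floor, ratio * median)."""
    e = band_energy(x)
    # floor stands in for a measured noise floor; the median tracks steady background
    thr = max(floor, ratio * sorted(e)[len(e) // 2]) if e else floor
    events, start = [], None
    for i, v in enumerate(e + [0.0]):                 # sentinel closes a trailing event
        if v > thr and start is None:
            start = i
        elif v <= thr and start is not None:
            events.append((start * HOP / FS, ((i - 1) * HOP + WIN) / FS))
            start = None
    return events

def lowpass(x, taps=8, passes=2):
    """Crude stand-in for a band-limited capture path: cascaded moving averages."""
    for _ in range(passes):
        x = [sum(x[max(0, i - taps + 1): i + 1]) / taps for i in range(len(x))]
    return x

def constructed_recording():
    """Constructed input: 1 s of a loud 250 Hz tone plus a weak 0.3 s high-band burst at 0.4 s."""
    def sample(t):
        burst = 0.02 * sum(math.sin(2 * math.pi * f * t) for f in (5200, 5700, 6400))
        return 0.5 * math.sin(2 * math.pi * 250 * t) + (burst if 0.4 <= t < 0.7 else 0.0)
    return [sample(n / FS) for n in range(FS)]

if __name__ == "__main__":
    rec = constructed_recording()
    print("raw:", locate_events(rec), "band-limited:", locate_events(lowpass(rec)))
```

In a real pipeline the floor would come from a measured noise floor for the device, and the same check would be run against the app's actual resampler or noise-suppression stage instead of the moving average used here.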

Different screen protectors on mobile devices also affect the finger-sliding friction sound. A glossy surface was found to be a better choice, producing a weaker sound. However, with longer use, all screen surfaces will become rough.