Web fingerprint scanner
by Nikhil Dwivedi
Early last week, I was setting up fingerprint sensors on my new iPhone. That’s when my brother, @Prateek, came up with an idea to test these mobile fingerprint sensors.
The test was to scan his finger along with mine at the time of fingerprint setup. You know how these devices ask you to lift and then rest your finger multiple times to capture all possible angles. So we did it — got his finger scanned a few times when the phone was expecting me to lift and rest only my finger.
To my astonishment, we were successful in bluffing the phone. Setup was complete, and now both of us could use our finger to unlock the phone. This is how the settings looked — just one finger configured, and both of us could unlock the phone.
The thought crept into our brains: is this some sort of a bug, or what? For now, this was the time for a fun exercise — to try it out with all other phones that support fingerprint sensing.
So we began with various Android phones, a few with stock ROM and others with custom operating systems from a third party like Micromax, Lenovo, and Xiaomi. The result was the same for all. We could each use our finger to unlock the same phone while only one finger was set up.
Getting to the point: two sensor technologies dominate fingerprint scanning in mobile phones.
Optical scanner — this technique captures an image of the finger: a small high-resolution camera and a few LEDs illuminate the ridges and photograph them. The software then compares the two-dimensional images recorded at setup with the image taken from the finger being scanned.
Because the comparison is essentially between pictures, these scanners are easy to deceive: an image of the finger printed on a high-DPI printer can be enough to fool them unless the sensor also checks that a live finger is present.
Capacitive scanner — here an array of tiny capacitor plates sits under the sensor surface. A ridge touching the surface changes the charge on the plates beneath it while a valley, which leaves an air gap, does not, so the circuit reads a ridge-and-valley map directly instead of photographing the finger. That map is what is stored and later compared with the scanned finger.
This technique is far harder to deceive: a high-definition image of a finger does not alter the capacitance and cannot be used to unlock the phone (what is ruled out is a flat print, not every conceivable replica). The Samsung Galaxy S8 is one phone that claims to use this technique.
When you see this happen, it is clear that something unusual is going on. Three components determine how secure a fingerprint scanner is:
Scanning technique — the hardware that scans the finger and extracts data/patterns from it.
Storage — the database where the extracted data/pattern (the template) is stored.
Algorithm — the matching logic used to store the scanned pattern and compare it against the stored templates.
For overall security, the way a fingerprint is recorded at setup matters as much as the database it is later verified against. There seems to be a flaw, or at least an inefficiency, in the way fingerprints are stored.
Looking at the case above, it appears that the various fingerprint impressions gathered at setup are stored as independent sets of data. When you scan a finger to unlock the device, the scan is compared against an array of binary representations of the impressions scanned at setup, and matching any one of them is enough. Possibly, this is how we were able to trick the phone by scanning another person’s finger at setup.
There appears to be a conceptual and fundamental problem in how the system currently works.
I cannot claim any use case where this could lead to a security gap. But since adoption of fingerprint-based authentication is increasing rapidly, and its usage has gone beyond just unlocking your device, it makes sense to improve the technology to bridge the gap.
At setup time, successive scans of the finger could be compared with each other to ensure that all the recorded scans are of the same finger. Some percentage of overlap between the various scans is to be expected, because each touch captures a different part of the same ridge pattern; a scan that overlaps none of the earlier ones should be rejected. Such a check would have stopped Prateek Dwivedi from scanning his finger while I was trying to set up the phone, and it would secure the way fingerprints are captured at setup.
Retrieval could be made more secure by not comparing the unlock scan with just one of the pre-stored scans. Ideally, the scan will match one of the stored representations to a high degree, and it will also match all the other scans to some degree. Instead of relying on just one optimal match, the match should be scored against all the representations, and the accumulated score across them should decide whether to authenticate.
To conclude, as I pointed out in my previous blog, “Bio-metric Identification & usage in Banking Mobile Applications”:
Biometric authentication is not yet secure enough. Recently, we have seen an inclination and shift towards using these techniques for payments and financial transactions as well. The rise of mobile phones and IoT devices has added to the adoption of biometric authentication techniques. It is time to think more about making biometric authentication technology more secure and difficult to compromise.
Follow me on medium — Nikhil Dwivedi.
My twitter handle is — @Niks_Dwivedi
Translated from: /
Posted: 2024-02-04 10:22:14
Link: https://www.4u4v.net/it/170704999154719.html