Share this article

Researchers from China and the United States have introduced a groundbreaking attack called PrintListener, targeting the Automatic Fingerprint Identification System (AFIS) through side-channel exploitation of finger friction sounds.

A group of Chinese and American researchers have proposed an intriguing new attack on biometric security. PrintListener: Uncovering the Vulnerability of Fingerprint Authentication by the Finger Friction Sound [PDF] describes a side-channel attack on the advanced Automatic Fingerprint Identification System (AFIS). The hack exploits the auditory characteristics of a user’s finger swipe on a touchscreen to extract fingerprint pattern details. After conducting testing, the researchers claim that they can successfully attack “up to 27.9% of partial fingerprints and 9.3% of complete fingerprints within five attempts at the highest security FAR [False Acceptance Rate] setting of 0.01%.” This is said to be the first effort that uses swiping sounds to infer fingerprint information.

Biometric fingerprint security is widely used and trusted. If things continue as they are, the fingerprint authentication business is expected to be worth about $100 billion by 2032. However, as companies and individuals became more aware that attackers could seek to take their fingerprints, some began to be cautious about keeping their fingerprints out of sight and were sensitive to images displaying their hand characteristics.

Without contact prints or finger detail photographs, how can an attacker obtain fingerprint data to improve MasterPrint and DeepMasterPrint dictionary attack outcomes on user fingerprints? One response is as follows: According to the PrintListener study, “finger-swiping friction sounds can be captured by attackers online with a high possibility.” The finger-swiping sounds could be coming from popular programs such as Discord, Skype, WeChat, FaceTime, and so on. Any chatty app in which users carelessly swipe the screen while the device’s microphone is active. This is why the side-channel attack is known as PrintListener.

The inner workings of PrintListener include some difficult science, but if you’ve read the above, you’ll have a fair notion of what the researchers did to improve their AFIS attacks. However, three significant hurdles were solved to bring PrintListener to where it is today.

Finger friction sounds: A spectral-based friction sound event localization technique was created.
Separating finger pattern affects on sound from a user’s physiological and behavioural characteristics. To address this, the researchers utilized both minimum redundancy, maximum relevance (mRMR) and an adaptive weighting technique.
Developing a heuristic search technique by statistically analyzing the intercorrelations of primary and secondary fingerprint data.

To test the notion, the scientists implemented their attack study as PrintListener. In brief, PrintListener employs a number of techniques to pre-process raw audio signals, which are then utilized to build tailored synthetics for PatternMasterPrint (the MasterPrint produced by fingerprints with a certain pattern).

Importantly, PrintListener underwent rigorous testing “in real-world scenarios,” and, as stated in the introduction, can permit successful partial fingerprint assaults in more than one in four cases and complete fingerprint attacks in nearly one in ten. These results significantly outperform unaided MasterPrint fingerprint dictionary attacks.