Fingers and eyes at MWC 2017

Protected fingerprint and iris sensors in smartphones, and other interesting security trends from MWC 2017.

We’ve written about insecure fingerprint sensors and other biometric technologies a lot. We were not alone, of course.

It looks like the fuss did some good. At Mobile World Congress (MWC) 2017 in Barcelona, many smart-sensor developers presented devices that are more secure than we might have expected.

Fingerprint sensor evolution

IDEX, a Norwegian company that ships fingerprint sensors for LG and other companies, claims that the majority of its partner smartphone developers enable access to fingerprint sensors’ data only within a secure environment.

I talked to several fingerprint sensor makers at MWC, and all of them use a fully protected scheme for handling such data. In the beginning, “raw” data from a fingerprint sensor is encrypted, then the system detects distinctive ridges, encrypts them as well, and sends to secure storage. All of these operations take place in a trusted execution environment — an isolated space that cannot be accessed by any outer process.

Yet, several sensor makers still let gadget companies decide if they want to use the protection mechanism. Regardless, data is always securely encrypted on the way from sensor to processor, and that’s good: Previously, the main vulnerability of fingerprint reading technologies was right here.

A sensor maker called CrucialTec decided to make bio-metrics even more … well, bio-metric, adding heart-rate sensors to fingerprint scanners. It’s a protective measure: 3D-printed finger copies, plaster fingers, and even real fingers cut off of their owners will not work. The same holds true for simple copies of finger ridges created with a common printer.

This system checks ridges to confirm that they are similar but doesn’t unlock the smartphone until it detects a proper heartbeat. This is a serious step ahead in fingerprint authentication security. Resourceful criminals will no doubt find a way to trick this protection as well — for example, with a copy of a finger’s ridges pressed to the scanner using the real, live finger of a different person — but it will be much harder.

One Chinese company presented an unusual implementation: a fingerprint scanner built directly into the glass of a smartphone display. There were a few limitations: first, the only sample remained in China, and so the company could not show it. In addition they are not completely sure how users will understand which part of the display they should tap to get in — the sensor is not clearly visible! Last year IDEX presented a similar idea, but it seems that it didn’t go further than a concept.

By the way, developers say fingerprint sensors are not limited to gadgets; they can be built into door locks or car keys. Several companies offer flexible and very thin sensors that can be used as a part of banking card.

The technology is implemented in various ways: For example, IDEX offers a scheme that does not require an additional supply of electricity, whereas CrucialTec builds a battery and a simple display into the card to show if the user is successfully authorized or not. The fingerprint sensor can be a good alternative to PIN codes: easier to use and harder to fake — it’s very easy to spy a PIN when a person enters it.

A little more biometry

Two years ago, Qualcomm presented SenseID — more secure and quick ultrasonic fingerprints scanners. This time, the company offered another authentication method that scans your iris. Every person has unique irises, so this authentication method is quite reliable.

Qualcomm’s system is new, so it’s built only into prototypes for now, but it works surprisingly well: quickly and without mistakes. In case you’re wondering why this technology is so late in coming to the smartphone market, the reason is simple: Earlier cameras were too slow, and imaging processors were less powerful.

By the way, Qualcomm’s iris recognition system can distinguish a fake copy of an iris from a real eye. There was a surprisingly realistic 3D-printed face at the Qualcomm booth, and the software did not mistake it for a real one. As far as I understand, the system takes into account that eyes move a little all the time.

It’s noteworthy that the system can recognize irises even through big, black sunglasses. Unfortunately, Qualcomm refuses to explain how it achieved this result. All in all, iris recognition is much more secure than, for example, face recognition.

However, it suffers from the same problem as the rest of biometric technologies do: Once criminals find a way to steal and use biometric data (and they will surely try, if biometric ATMs become widespread), users will be stuck, not being able to change their faces, irises, or fingerprints. PINs and passwords can be changed in seconds.

<h3>Several other interesting concepts from MWC 2017</h3>

We saw quite a lot of interesting innovations related to information security in Barcelona this year. For example, Qualcomm presented on-device machine-learning technology. This means that Snapdragon mobile processors have become so powerful that they can train neural nets. Qualcomm showed first steps in this direction last year, when it presented a solution that tried to recognize objects in pictures. Now this technology has developed into a universal engine that is compatible with many popular frameworks and given to developers.

This is a step ahead: On-device machine learning can free users from having to send data to the cloud. And that brings privacy concepts to fields where privacy had become unimaginable, because usually machine learning requires cloud technologies — i.e., giving up our data. It’s currently just an engine, not a consumer-ready solution.

Well, one technology already uses it — a technology developed by (you guessed it) Qualcomm. It’s called App Protect, and it enables implementation of heuristic algorithms for the detection of malicious applications at the hardware–software level. Qualcomm considers an app malicious if it tries to do anything secretly — gathers users’ location and contacts information, sends or intercepts SMSs, that sort of thing. App Protect helps to detect such apps and prohibit access to sensitive data. The technology is not a ready-to-use solution; it must be integrated into a security app. All in all, our Kaspersky Antivirus and Security for Android does it efficiently at the software level.

MWC 2017 more focused on security than in previous years. Today, you see the word “secure” at almost every booth. Even if things aren’t really secure, the optics show that developers are starting to care more about protection.

As for bio-metric authentication alone, this technology may overcome the many downsides it has now. It will never become fully secure — there’s no such thing. But the steps we see are moving in the right direction, which gladdens us a lot.