A small touch sensor employed in smartphones can only capture a limited portion of the full fingerprint, and so it is more vulnerable to fingerprint spoofing attacks that leverage a user's firm impression. However, it is still unknown whether daily smudges remaining on the smartphone surface can be exploited to circumvent the small touch sensor. In this paper, we first study how to exploit the fingerprint smudges left on the smartphone surface in daily use, and present the so-called fingerprint SCRAP attack, which uses smudges remaining on the home button and touch screen to reconstruct an image of the enrolled fingerprint in good quality. We conduct an experimental study to show the actual risk regarding this attack. We collect 403 latent fingerprints from the smudges left on the touch screens (361) and home buttons (42) by seven users in six conditions (tapping, passcode-typing, text-typing, Facebook, in-pocket, wiping). Using them, we perform our attack and evaluate the results in comparison with the firmly impressed fingerprints. The study results indicate that our attack poses an actual risk to the small touch sensors. We then investigate the user's touch behavior and perception gap. We conduct in-person surveys involving 82 participants, and ask about their touch behaviors and also their risk perception regarding the latent fingerprints. The survey results show that the fingers most frequently used on a touch screen and a home button are the same, and the user's risk perception is very low. We finally discuss mitigation methods and future directions.
|Title of host publication||Proceedings - 33rd Annual Computer Security Applications Conference, ACSAC 2017|
|Publisher||Association for Computing Machinery|
|Number of pages||16|
|Publication status||Published - 2017 Dec 4|
|Event||33rd Annual Computer Security Applications Conference, ACSAC 2017 - Orlando, United States. Duration: 2017 Dec 4 → 2017 Dec 8|
|Name||ACM International Conference Proceeding Series|
|Other||33rd Annual Computer Security Applications Conference, ACSAC 2017|
|Period||17/12/4 → 17/12/8|
Bibliographical note
Publisher Copyright:
© 2017 Copyright held by the owner/author(s). Publication rights licensed to ACM.
All Science Journal Classification (ASJC) codes
- Human-Computer Interaction
- Computer Vision and Pattern Recognition
- Computer Networks and Communications