Using smartphone photos for hardware authentication
- By Matt Leonard
- Dec 19, 2017
There could be another hardware authentication option for smartphones that could defeat three of the most common tactics used by cybercriminals: fingerprint forgery attacks, man-in-the-middle attacks and replay attacks.
According to researchers at the University at Buffalo, as a result of the manufacturing process, every smartphone camera has unique digital fingerprints that it leaves behind on photos. Using that photo-response non-uniformity (PRNU) information in the images, the researchers can identify smartphones by examining just one photo taken by the device.
PRNU itself is nothing new, but in the past, 50 photos were needed to identify the digital camera that took the picture. Because of the smaller sensors on today's smartphone cameras, the non-uniformity is amplified, generating a much stronger PRNU so that only one photo is needed for a match. The researchers found the processes to be 99.5 percent accurate in tests involving 16,000 images, 30 different iPhone 6s smartphones and 10 different Galaxy Note 5s smartphones.
"Like snowflakes, no two smartphones are the same," Kui Ren, the study's lead author, said in a statement. "Each device, regardless of the manufacturer or make, can be identified through a pattern of microscopic imaging flaws that are present in every picture they take. It's kind of like matching bullets to a gun, only we're matching photos to a smartphone camera."
To use the technique for authentication, users would have to register their phones and provide a photo to an organization they want to securely access -- like a bank. Then, to authenticate their device at a later date, users would open an app and take a picture of a QR code displayed on an ATM screen or other device.
The customer would then send the photograph back to the retailer, which scans it to measure the smartphone's PRNU and compare it with the PRNU component of the original, benchmarked photograph.
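The comparison step described above can be sketched as a small simulation. This is an added example, not the researchers' code: the sensors and photos are constructed, a 3x3 mean filter stands in for the denoiser, and the 0.2 acceptance threshold and all function names are assumptions made for illustration.

```python
import math
import random

SIZE = 48  # side of the constructed grayscale test images, in pixels

def make_sensor(seed, strength=0.02):
    """Constructed per-device PRNU map K: fixed pixel gain deviations."""
    rng = random.Random(seed)
    return [[rng.gauss(0, strength) for _ in range(SIZE)] for _ in range(SIZE)]

def take_photo(sensor, scene_seed, noise=2.0):
    """Simulated capture: smooth scene * (1 + K) plus per-shot random noise."""
    rng = random.Random(scene_seed)
    a, b = rng.uniform(0.5, 1.5), rng.uniform(0.5, 1.5)
    return [[(120 + a * x + b * y) * (1 + sensor[y][x]) + rng.gauss(0, noise)
             for x in range(SIZE)] for y in range(SIZE)]

def residual(img):
    """Noise residual: pixel minus its 3x3 local mean (stand-in denoiser)."""
    out = []
    for y in range(1, SIZE - 1):
        for x in range(1, SIZE - 1):
            local = sum(img[y + dy][x + dx]
                        for dy in (-1, 0, 1) for dx in (-1, 0, 1)) / 9
            out.append(img[y][x] - local)
    return out

def correlation(u, v):
    """Normalized cross-correlation of two equal-length residuals."""
    mu, mv = sum(u) / len(u), sum(v) / len(v)
    num = sum((p - mu) * (q - mv) for p, q in zip(u, v))
    den = math.sqrt(sum((p - mu) ** 2 for p in u) * sum((q - mv) ** 2 for q in v))
    return num / den

def authenticate(enrolled_photo, login_photo, threshold=0.2):
    """Accept when the login photo's residual matches the enrolled one."""
    score = correlation(residual(enrolled_photo), residual(login_photo))
    return score >= threshold, score

if __name__ == "__main__":
    phone_a, phone_b = make_sensor(1), make_sensor(2)
    enrolled = take_photo(phone_a, scene_seed=10)      # registration photo
    print(authenticate(enrolled, take_photo(phone_a, scene_seed=11)))  # same phone
    print(authenticate(enrolled, take_photo(phone_b, scene_seed=12)))  # other phone
```

The scene and the per-shot noise change between photos, so only the fixed sensor pattern survives in both residuals and drives the correlation score.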
The technology is not yet available to the public, but it is being presented at the 2018 Network and Distributed Systems Security Conference.
Matt Leonard is a former reporter for GCN.