The digital cameras in smartphones are built to be identical for each model of phone. However, manufacturing imperfections create tiny variations in each camera’s image sensors. These imperfections could prevent identity theft more safely than Face ID and other biometrics.
Because of the inhomogeneity of silicon wafers and pixel dimensional imperfections, image sensors have nonuniform sensitivity to light, giving every image captured a unique fingerprint, or pattern noise. These fingerprints can cause some of the sensors’ millions of pixels to project colors that are slightly brighter or darker than they should be.
Researchers from the University at Buffalo (UB) have discovered how to use these variations to identify smartphones by examining just one photo taken by the device.
“Like snowflakes, no two smartphones are the same. Each device, regardless of the manufacturer or make, can be identified through a pattern of microscopic imaging flaws that are present in every picture they take,” said Kui Ren, UB professor and director of the Ubiquitous Security and Privacy Research Laboratory (UbiSeC). “It’s kind of like matching bullets to a gun, only we’re matching photos to a smartphone camera.”
Each smartphone, regardless of the manufacturer or make, can be identified through a pattern of microscopic imaging flaws that are present in every picture it takes. Courtesy of Douglas Levere, University at Buffalo.
Ren told Photonics Media that the study, “ABC: Enabling Smartphone Authentication with Built-in Camera,” focuses on photoresponse nonuniformity (PRNU), a flaw in digital imaging.
“We explore the authentication modality that authenticates smartphones through tracking the hardware fingerprints of their built-in cameras,” Ren said. “In the future, the verifier will cross-check fingerprints of multiple different sensors to authenticate a user’s device. This will provide enhanced security and help users to protect their online accounts against cyberattacks.”
To prevent forgeries, Ren designed a protocol to detect and stop cyberattacks.
For instance, let’s say a customer registers with a business — such as a bank or retailer — and provides the business with a photo that serves as a reference.
When a customer initiates a transaction, the retailer asks the customer (through an app) to photograph two QR codes — a type of barcode that contains information about the transaction — presented on an ATM, cash register or other screen.
Using the app, the customer then sends the photograph back to the retailer, which scans the picture to measure the smartphone’s PRNU. The retailer can detect a forgery because the PRNU of the attacker’s camera will alter the PRNU component of the photograph.
Ren’s protocol can spot an attempt by a cybercriminal to remove the PRNU from a device because the QR codes include an embedded probe signal that will be weakened by the removal process.
The transaction is either approved or denied based upon these tests.
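The fingerprint comparison at the heart of this protocol can be sketched as a small simulation. This is an added example, not code from the UB study: the sensors, photos, noise levels and the 0.3 threshold are all constructed, and it covers only the PRNU match between a reference photo and a challenge photo, not the QR probe signal or the forgery checks.

```python
import math
import random

SIZE = 48  # constructed toy sensor: 48x48 pixels

def make_prnu(seed, strength=0.02):
    """Constructed per-pixel gain deviations standing in for one sensor's PRNU."""
    rng = random.Random(seed)
    return [[rng.gauss(0, strength) for _ in range(SIZE)] for _ in range(SIZE)]

def capture(prnu, shot_seed):
    """Simulated photo: smooth scene scaled by (1 + PRNU), plus random noise."""
    rng = random.Random(shot_seed)
    base, slope = rng.uniform(80, 160), rng.uniform(0.2, 1.0)
    return [[(base + slope * (x + y)) * (1 + prnu[y][x]) + rng.gauss(0, 1.0)
             for x in range(SIZE)] for y in range(SIZE)]

def fingerprint(photo):
    """Estimate PRNU as (pixel - 3x3 local mean) / local mean, borders skipped."""
    est = []
    for y in range(1, SIZE - 1):
        for x in range(1, SIZE - 1):
            mean = sum(photo[y + dy][x + dx]
                       for dy in (-1, 0, 1) for dx in (-1, 0, 1)) / 9
            est.append((photo[y][x] - mean) / mean)
    return est

def correlation(a, b):
    """Pearson correlation between two fingerprint estimates."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    num = sum((p - ma) * (q - mb) for p, q in zip(a, b))
    den = math.sqrt(sum((p - ma) ** 2 for p in a) * sum((q - mb) ** 2 for q in b))
    return num / den

def verify(reference_photo, challenge_photo, threshold=0.3):
    """Approve only if the challenge photo carries the enrolled fingerprint."""
    score = correlation(fingerprint(reference_photo), fingerprint(challenge_photo))
    return score >= threshold, score

# Enrollment: the customer registers one reference photo from their phone.
customer_cam, other_cam = make_prnu(seed=1), make_prnu(seed=2)
reference = capture(customer_cam, shot_seed=10)

if __name__ == "__main__":
    print("same phone :", verify(reference, capture(customer_cam, shot_seed=11)))
    print("other phone:", verify(reference, capture(other_cam, shot_seed=12)))
```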
Initial experiments have proved to be 99.5 percent accurate in tests involving 16,000 images on 30 different iPhone 6s and 10 different Galaxy Note 5s.
Ren plans to lead future experiments on smartphones that include two cameras, potentially helping thwart identity theft one image at a time.