Distorting identification

Unique flaws in smartphone camera sensors could provide new opportunities to make secure connections or identify users. Smartphone security typically involves user identification through fingerprints, face recognition or other biometrics, but US researchers believe they have found a way to use the phone itself as a type of security by examining an image taken by the device. “Like snowflakes, no two smartphones are the same,” explained Dr Kui Ren, a professor at the University of Buffalo’s Department of Computer Science and Engineering who is leading the research. “Each device, regardless of the manufacturer or make, can be identified through a pattern of microscopic imaging flaws that are present in every picture they take. It’s like matching bullets to a gun, only we’re matching photos to a smartphone camera.” The system could also help identify smartphone and tablet thieves who take pictures with stolen devices and then upload them onto social media sites. In the event of someone having their identity stolen, the system could also help prevent cyber criminals from using that information to make purchases in their name. The study – ABC: Enabling Smartphone Authentication with Built-in Camera – focuses on an obscure flaw in digital imaging called photo-response non-uniformity (PRNU). Digital cameras are built to be identical. However, manufacturing imperfections create tiny variations in each camera’s sensors. These variations can cause some of the sensors’ millions of pixels to project colours that are slightly brighter or darker than they should be. Invisible to the naked eye, this lack of uniformity creates a systemic distortion in the image called pattern noise. Extracted by special filters, the pattern is unique for each camera. First observed in conventional digital cameras, PRNU analysis is now commonly used in digital forensic science to link images of child abuse to cameras owned by a paedophile. It has also been employed to help settle copyright lawsuits involving photographs. However, despite the ubiquity of smartphones, the technique had not been applied to cyber security because extracting the information required analysing a minimum of 50 images, making it impractical for use as a way of checking someone’s identification at, for example, a supermarket checkout. And research has shown that most cyber criminals can ‘fake’ the pattern by analysing multiple images posted by victims on unsecured social media websites and gathering the necessary information about the flaws in the image sensor of the original camera. Compared with a conventional digital camera, the image sensor of a smartphone is much smaller and this actually amplifies the pixels’ dimensional non-uniformity, generating a much stronger PRNU. As a result, it is possible to match an image to a smartphone camera using just one picture instead of the 50 normally needed for digital forensics. “I think most people assumed you would need 50 images to identify a smartphone camera,” said Dr Ren, “but our research shows that’s not the case.” The study provides a detailed example of how such a system might work. First, a customer registers with a business – such as a bank or retailer – that regularly needs to check their identity and provides them with a photograph that serves as a reference. Part of that registration process would involve supplying a photograph taken by their smartphone, from which a reference copy of their PRNU could be obtained. From there, whenever the customer needed to prove their identity to authenticate a transaction, they would be presented with an image of two QR codes – a two-dimensional barcode comprising black squares arranged in a grid on a white background, displayed on the screen of an ATM or cash register. The user would take a photograph of that display using their phone, then use an app to send the image to the service provider. As long as the PRNU in the picture of the QR codes matched the one on file for that user, their identity would be confirmed and the transaction would be