On the transferability of adversarial perturbation attacks against fingerprint based authentication systems

The growing availability of cheap and reliable fingerprint acquisition scanners is resulting in an increasing spread of Fingerprint-based Authentication Systems (FAS) in consumer electronics. This has giving rise to a new wave in research on both smarter spoofing attacks, aimed to bypass a FAS by using a counterfeit fingerprint, and on more effective Liveness Detectors (LD), aimed to discern authentic (live) fingerprints from fake ones. As in many other computer vision tasks, deep Convolutional Neural Networks (CNN) demonstrated to be very effective also for fingerprint liveness detection. However, we showed that it is possible to adapt adversarial perturbation approaches to mislead CNN-based LD. In this paper, we want to make a step further toward the design of a black-box attack by investigating whether it is possible to transfer a perturbation across different CNN liveness detectors in the case of a target LD very different from the one used to compute the perturbations. To this aim, we designed an attack scenario where a shadow LD (i.e. an adaptation of the substitute technique for the liveness detection application) is used to generate an adversarial fingerprint in a white-box setting before submitting it to the real target LD, invoked in a total back-box manner. Finally, we analysed the impact that such attack has on the authentication system, also analysing if and to what extent the scanner and the spoofing material combinations affect the success of the attack.