New technique uses photographs to crack fingerprint security technology

Chuck Bednar for redOrbit.com – Your Universe Online

A German hacker has found a way to fool Touch ID or similar security software into giving you access simply by using a photograph of the actual owner’s fingerprint.

Speaking at the 31st annual Chaos Computer Club conference in Hamburg on Saturday, Jan “Starbug” Krissler demonstrated the technique by making a fake fingerprint of German defense minister Ursula von der Leyen, thanks to a high-quality picture from a press conference.

Using the photograph and VeriFinger, a commercial program used to build software for fingerprint scanner hardware, Krissler showed that it was possible to bypass the sensor without having to get close to a subject, Popular Science reported on Monday.

“Previous hacks of fingerprint sensors have generally required either access to the finger, or the ability to lift a fingerprint from a surface such as a glass,” the website said, noting that this would typically require “some Mission Impossible or James Bond-style shenanigans” – unless, of course, you already know the person whose phone you’re trying to hack into.

So how did he do it? According to the Daily Mail, Krissler used a “standard photo camera” to snap a high-resolution image of the politician’s thumb during a press conference, and used it in combination with other “good quality” photos and the VeriFinger software. Ultimately, he was able to create an accurate thumbprint that could fool fingerprint-based security systems.

However, actually accomplishing the feat isn’t as easy as it might sound. For instance, in order to reconstruct Von der Leyen’s entire fingerprint, Krissler had to capture pictures from multiple different angles. In addition, a hacker would need to have physical access to their victim’s phone, and the odds of this technique being used to target a random user are extremely low.

“This is more of a risk for high profile people who are being actively targeted,” Popular Science explained. While the research “might prompt politicians and public figures to wear gloves when making appearances… this hardly presents a clear and present danger to biometric security.”

“Fingerprint identification simply remains a more convenient method to secure one’s data than, say, a lengthy and obscure password,” the website added. “Of course, one would hope that people at risk of being targeted… would employ more significant security measures – such as multiple authentication factors – to secure any truly sensitive data.”

CCC first published the steps taken to bypass fingerprint scanners in 2004, the Daily Mail said, and since their technique used everyday household items, they claimed that anyone could do it. Then in September 2013, the hackers took a photograph of a fingerprint on a glass surface, scanned it and used a laser printer to print it onto a transparent sheet.

Next, they poured latex milk or white wood glue into the print pattern created by the toner on the transparent sheet. Once the glue dried, they peeled off a thin latex sheet and pressed it onto the scanner of a new model iPhone. Despite Apple’s claims that the device’s fingerprint sensor was “much more secure than previous fingerprint technology,” they were able to unlock the unit.

“It’s worth remembering that fingerprints are not secrets. You literally leave them lying around everywhere you go, and they could be picked up by others,” security expert Graham Cluley told the UK newspaper. “Relying on your fingerprints to secure a device may be okay for casual security – but you shouldn’t depend upon it if you have sensitive data you wish to protect.”
