Hacker clones a politician’s fingerprint using normal, long-distance public photos


viktik

Level 25
Thread author
Verified
Well-known
Sep 17, 2013
1,492



A member of the Chaos Computer Club — a European hacker association, perhaps a bit like the Cult of the Dead Cow in the US — has shown that it’s possible to reproduce someone’s fingerprint, and thus break into systems protected by biometric fingerprint scanners, using just a photo of someone’s finger. We’re not talking about some close-up macro photo, either: If you can snap a photo of a celebrity or politician waving their hand, that would probably be enough. In this case, the member of the CCC managed to get the fingerprint of Germany’s defense minister Ursula von der Leyen from a photo taken at a press conference — which, if the German government uses biometric access control systems, could be a bit of a security breach.

The hacker, Jan “Starbug” Krissler, presented his findings at Chaos Communication Congress earlier today. Using a photo of von der Leyen’s thumb obtained from a press conference in October, plus some other photos of her thumb from different angles, he was able to rebuild her thumbprint using the commercially available VeriFinger software. He then used this thumbprint to create a real-world dummy — by printing it out on a mask, exposing the mask to create a negative of the print on a substrate, and then filling the negative with wood glue to create a positive fingerprint.

In testing, this technique can trick Apple’s TouchID sensor — and if von der Leyen happens to own an iPhone, and Starbug can get his hands on it, she could be in trouble. We can only hope that Germany’s military systems use more than just fingerprints for access control.

The full talk from the Chaos Communication Congress is below — it’s in German, but there’s also a PowerPoint presentation that’s easy to follow.

As you probably know, fingerprints have been used as a way of ascertaining someone’s identity for a long time — since around 1900, in fact. In the last 10 years or so, digital fingerprint readers have started to become fairly common as well — first on expensive laptops and external peripherals in enterprise settings, and most recently on smartphones like the newer iPhones and the Galaxy S5.




The photo of German defence minister Ursula von der Leyen’s thumb that Starbug used to reverse engineer her thumbprint

The problem is, fingerprints are not particularly reliable — they can produce false positives, false negatives, and multiple readings of the same print can give different results. Fingerprints (for biometrics and forensics) are better than nothing, but there is a reason that both the security and forensic communities are moving away from them towards more reliable and valid techniques. DNA sequencing is a far better option when it comes to forensic identification, and “living” biometrics such as vein matching and gait analysis are better options for access control.

The main advantage of “living” biometrics is that, as the name implies, they don’t work if the person isn’t alive: Vein matching, which maps the flow of hemoglobin through blood vessels (usually in your finger), doesn’t work if your heart is no longer pumping — so you can’t use a photo of someone’s finger to fool the system (and nor can a criminal chop someone’s finger off). Some cash machines (ATMs) in Japan and Poland are already using vein analysis for authentication. Gait analysis, which is quite literally how someone walks around (step length, width, rotation of your joints), might sound a bit dumb — but it’s surprisingly accurate, and obviously very hard for someone to imitate or steal.

Finally, a security advisory: If you are currently using your fingerprint to secure important data, you may want to start wearing gloves in public.
 

viktik

Using fingerprints is stupid because you can't hide your fingerprint. It really does not matter if you want to give your fingerprint to someone or not. Anyone motivated enough can get your fingerprint without you knowing about it.

Someone could get it for free in objects you touch. So I personally think using fingerprint for security is stupid.
 