Hacker clones a politician’s fingerprint using normal, long-distance public photos
A member of the Chaos Computer Club — a European hacker association, perhaps a bit like the Cult of the Dead Cow in the US — has shown that it’s possible to reproduce someone’s fingerprint, and thus break into systems protected by biometric fingerprint scanners, using just a photo of someone’s finger. We’re not talking about some close-up macro photo, either: If you can snap a photo of a celebrity or politician waving their hand, that would probably be enough. In this case, the member of the CCC managed to get the fingerprint of Germany’s defense minister Ursula von der Leyen from a photo taken a press conference — which, if the German government uses biometric access control systems, could be a bit of a security breach.
The hacker, Jan “Starbug” Krissler, presented his findings at Chaos Communication Congress earlier today. Using a photo of von der Leyen’s thumb obtained from a press conference in October, plus some other photos of her thumb from different angles, he was able to rebuild her thumbprint using the commercially available VeriFinger software. He then used this thumbprint to create a real-world dummy — by printing it out on a mask, exposing the mask to create a negative of the print on a substrate, and then filling the negative with wood glue to create a positive fingerprint.
In testing, this technique can trick Apple’s TouchID sensor — and if von der Leyen happens to own an iPhone, and Starbug can get his hands on it, she could be in trouble. We can only hope that Germany’s military systems use more than just fingerprints for access control.
The full talk from the Chaos Communication Congress is below — it’s in German, but there’s also a PowerPoint presentation that’s easy to follow.
As you probably know, fingerprints have been used as a way of ascertaining someone’s identity for a long time — since around 1900, in fact. In the last 10 years or so, digital fingerprint readers have started to become fairly common as well — first on expensive laptops and external peripherals in enterprise settings, and most recently on smartphones like the newer iPhones and the Galaxy S5.
Read: ATMs running Windows XP robbed with infected USB sticks – yes, most ATMs still run Windows
The photo of German defence minister Ursula von der Leyen’s thumb that Starbug used to reverse engineer her thumbprint
The problem is, fingerprints are not particularly reliable — they can produce false positives, false negatives, and multiple readings of the same print can give different results. Fingerprints (for biometrics and forensics) are better than nothing, but there is a reason that both the security and forensic communities are moving away from them towards more reliable and valid techniques. DNA sequencing is a far better option when it comes to forensic identification, and “living” biometrics such as vein matching and gait analysis are better options for access control.
The main advantage of “living” biometrics is that, as the name implies, they don’t work if the person isn’t alive: Vein matching, which maps the flow of hemoglobin through blood vessels (usually in your finger), doesn’t work if your heart is no longer pumping — so you can’t use a photo of someone’s finger to fool the system (and nor can a criminal chop someone’s finger off). Some cash machines (ATMs) in Japan and Poland are already using vein analysis for authentication. Gait analysis, which is quite literally how someone walks around (step length, width, rotation of your joints), might sound a bit dumb — but it’s surprisingly accurate, and obviously very hard for someone to imitate or steal.
Finally, a security advisory: If you are currently using your fingerprint to secure important data, you may want to start wearing gloves in public.
Now read: Researchers crack the world’s toughest encryption by listening to the tiny sounds made by your computer’s CPU
- Thanks for reading Hacker clones a politician’s fingerprint using normal, long-distance public photos