Chaos Computer Club Demonstrates How to Reproduce Fingerprints Using Public Photos

Discussion in 'iOS Blog Discussion' started by MacRumors, Dec 29, 2014.

  1. MacRumors macrumors bot


    Apr 12, 2001

    The Chaos Computer Club (CCC) claims that it can reproduce fingerprints to overcome security measures from simple photos of a user's fingers, reports VentureBeat. CCC member Jan "Starbug" Krissler presented his method for recreating a fingerprint at the group's annual convention in Hamburg, Germany over the weekend, as he generated the thumbprint of German Defense Minister Ursula von der Leyen by using a public photo and computer program VeriFinger.

    The CCC demonstrated last year how it could bypass Apple's Touch ID fingerprint sensor with a photo of the original user's fingerprint. The newest method presented by the group does not require a hacker to obtain a physical object to recreate the fingerprint, although Krissler notes that other security methods like facial recognition can also easily be fooled through similar means. The group and Krissler hope to highlight the potential exploits in newer technology, and also noted that additional security layers like passwords should also be activated to secure information properly.

  2. silentmajority macrumors member

    May 3, 2013
    Boy, are they going to be disappointed after they go through all that trouble to get access to my iPhone...
  3. Zxxv macrumors 68040

    Nov 13, 2011
    The world gives us nice things and people spoil them with their dishonesty.

    Honesty - The best security known to humankind
  4. DanielSw macrumors 6502


    Aug 31, 2009
    Clearwater, FL
    What a pathetic and criminal waste of effort.
  5. djgamble macrumors 6502a

    Oct 25, 2006
    If that existed there'd be no need for any security... you'd just leave your phone unlocked on the table at Maccas while ordering your burger and it'd be there (untouched) when you returned.
  6. jlwarlow macrumors regular


    Oct 10, 2008
    Leicestershire, UK
    This is why we have 2 factor: something we have (fingerprint, token generator) and something we know - password/PIN. These systems are there to make it harder to get into something, unfortunately nothing makes it impossible to get into.
  7. Mike MA macrumors 68020

    Sep 21, 2012
    Well, they're basically pointing towards security issues and also consult in this area; they are not criminals or hackers.
  8. LordDeath macrumors member

    Feb 28, 2013

    He is just showing the conceptual weaknesses of biometric authentication. You are leaking this data everywhere without any control over it, and unlike passwords, you can't change your fingerprints or iris that easily.

    Please have a look at:

    In my opinion it is very ethical to point out these issues to a broader audience.
  9. 2457282 Suspended

    Dec 6, 2012
    I think for most people this is not a problem - who is going to go to all the trouble of taking pictures of my fingers and creating a fake print to get into my phone? Now if I were someone well known, this could be a problem. Or if I were in trouble with the authorities they can use this to get into my phone.

    I think this is important to understand and look at as it validates the need for two factor authentication in some situations.
  10. Rogifan macrumors Core


    Nov 14, 2011
    So did someone actually bypass Touch ID using a fingerprint from a smartphone camera? In order to do it on mine someone would need a photo of my thumb. Where are they getting that from? I don't take photos of my thumb and neither does anyone I know.


    Do we have an example of police or government agencies forcing someone to take photos of their fingers and then using those photos to create a fake fingerprint to get access to your device? Sounds like something tin-foil hat wearers would believe but never happen in real life.
  11. silentmajority macrumors member

    May 3, 2013
    I understand what and why they are doing this, but the fact is that the TouchID works better than a 4-digit password. I don't have the TouchID activated because I am expecting Fort Knox; I have it activated to keep unwanted people (not necessarily nefarious people) from picking up my phone and texting, calling, snooping through my stuff without my knowledge or permission.

    Now if someone were to steal it they would have to go through all the steps listed above before I notice my phone was stolen and before I use 'Find My iPhone' to disable it.

    The security of your phone is dependent on more than just the TouchID.

    The TouchID remains the best security on a mobile device that is currently on the market. It's not perfect. It's not hack proof, but it is the best.
  12. dustinsc macrumors regular

    Nov 21, 2009
    I think people are frequently talking past each other when it comes to this issue. When it comes to securing state secrets or even confidential business information, you definitely don't want your fingerprint to be your only method of authentication. But for most people, your phone just needs a way to keep someone from accessing your information if you left your phone on a table. The combination of fingerprint and the post hoc remote locking via find my iPhone gets the job done better than a PIN for most users in most use cases.
  13. Rud3Bwoy Suspended


    Oct 9, 2011
  14. lincolntran macrumors 6502a


    Jan 18, 2010
    I don't even take my own thumb pic let alone from many angles...
  15. JesperA macrumors 6502a

    Feb 10, 2012
    I can assure you that no one is interested in your iPhone anyway
  16. dustinsc macrumors regular

    Nov 21, 2009
    Exactly. TouchID doesn't have to be perfect to be useful. It just has to be better than a PIN. It's easier to look over someone's shoulder (maybe with a discreet camera with video that can be slowed down) than it is to pull and use someone's fingerprint.
  17. 0098386 Suspended


    Jan 18, 2005
    What metric are you using to determine that it's the best? I use TouchID, I know it's not the best, but I still use it. I know passwords are the best (various medium-sized business owners I know use 8 character passwords on their phones, rather than the 4 digit number code). I imagine something long like that, that requires you to be awake to enter would be more secure and "best".
  18. snorkelman macrumors 6502a


    Oct 25, 2010
    a big thumbs up to CCC for highlighting this important issue :D
  19. maflynn Moderator


    Staff Member

    May 3, 2009
    I think for the most part, no security scheme is air tight. For the majority of people, this is a non-issue.
  20. Binarymix macrumors 65816

    Nov 1, 2007
    All these methods of re-creating a fingerprint to unlock a phone, when a gun to the person's head is a much faster option. Or cutting off their finger for that matter.

    Usually if you're after a person's private information on a phone, the person isn't going to be far away. May as well utilize the person to get your job done faster. I mean you're gonna break the law anyways.
  21. chuloo macrumors member


    Jun 24, 2010
    I always wear gloves when I sleep, in case someone is trying to snap a photo of my thumb I'll notice.
  22. JHankwitz macrumors 68000

    Oct 31, 2005
    You've got that right. Wouldn't it be easier to just enter the 10,000 passwords (0000-9999)?
  23. mercuryjones macrumors 6502a

    May 31, 2005
    College Station, TX
    Ha! Fooled them. I used someone else's fingerprint as my unlock. Of course, every time I want to unlock my phone, I have to track that person down, but at least "they" can't get into my phone with a picture of my fingerprint.
  24. furi0usbee macrumors 68000


    Jul 11, 2008
    Well I remember the old saying that most lottery jackpots are won by quick picks because people tend to play birthdays. So going by that method, it stands to reason that people would use the same MM/YY thinking or YYYY for their 4 digit passwords. So if you know how old someone is, or their kids, etc. your chances of choosing their password would be much higher. Of course other things stand in your way, like iPhone reset after 10 failed attempts, as well as the delay between attempts, etc.
  25. Morgenland macrumors 6502a


    May 28, 2009
    Intelligence Services in China and... elsewhere

    Fingerprint databases are fed every day by officers (e.g. police) worldwide.

    Was just one hint beyond the CCC presentation:
    Intelligence services can take them over and connect it with appropriate technology (rapid prototype). They won't waste time in taking high-res photos.
