MacRumors

macrumors bot
Original poster
Apr 12, 2001
53,013
14,753



The Chaos Computer Club (CCC) claims that it can reproduce fingerprints to overcome security measures from simple photos of a user's fingers, reports VentureBeat. CCC member Jan "Starbug" Krissler presented his method for recreating a fingerprint at the group's annual convention in Hamburg, Germany over the weekend, as he generated the thumbprint of German Defense Minister Ursula von der Leyen by using a public photo and computer program VeriFinger.

[Image: cccfingerprint.png. Image credit: Gizmodo]
Instead, he explained how fingerprints can be snatched from persons at public events by simply using a "standard photo camera."

The main source was a close-up picture of von der Leyen's thumb, obtained during a news conference in October, along with photographs taken from different angles to get an image of the complete fingerprint.
The CCC demonstrated last year how it could bypass Apple's Touch ID fingerprint sensor with a photo of the original user's fingerprint. The newest method presented by the group does not require a hacker to obtain a physical object to recreate the fingerprint, although Krissler notes that other security methods like facial recognition can also easily be fooled through similar means. The group and Krissler hope to highlight the potential exploits in newer technology, and also noted that additional security layers like passwords should also be activated to secure information properly.

Article Link: Chaos Computer Club Demonstrates How to Reproduce Fingerprints Using Public Photos
 

silentmajority

macrumors member
May 3, 2013
53
12
Boy, are they going to be disappointed after they go through all that trouble to get access to my iPhone...
 

Zxxv

macrumors 68040
Nov 13, 2011
3,558
1,104
UK
The world gives us nice things and people spoil them with their dishonesty.

Honesty - The best security known to humankind
 

djgamble

macrumors 6502a
Oct 25, 2006
884
378
> The world gives us nice things and people spoil them with their dishonesty.
>
> Honesty - The best security known to humankind

If that existed there'd be no need for any security... you'd just leave your phone unlocked on the table at Maccas while ordering your burger and it'd be there (untouched) when you returned.
 

jlwarlow

macrumors regular
Oct 10, 2008
143
65
Leicestershire, UK
This is why we have 2 factor: something we have (fingerprint, token generator) and something we know - password/PIN. These systems are there to make it harder to get into something, unfortunately nothing makes it impossible to get into.
 

LordDeath

macrumors member
Feb 28, 2013
46
24

2457282

Suspended
Dec 6, 2012
3,327
3,014
I think for most people this is not a problem - who is going to go to all the trouble of taking pictures of my fingers and creating a fake print to get into my phone? Now if I were someone well known, this could be a problem. Or if I were in trouble with the authorities they can use this to get into my phone.

I think this is important to understand and look at as it validates the need for two factor authentication in some situations.
 

Rogifan

macrumors Core
Nov 14, 2011
22,543
28,501
So did someone actually bypass Touch ID using a fingerprint from a smartphone camera? In order to do it on mine someone would need a photo of my thumb. Where are they getting that from? I don't take photos of my thumb and neither does anyone I know.

----------

> I think for most people this is not a problem - who is going to go to all the trouble of taking pictures of my fingers and creating a fake print to get into my phone? Now if I were someone well known, this could be a problem. Or if I were in trouble with the authorities they can use this to get into my phone.
>
> I think this is important to understand and look at as it validates the need for two factor authentication in some situations.

Do we have an example of police or government agencies forcing someone to take photos of their fingers and then using those photos to create a fake fingerprint to get access to your device? Sounds like something tin-foil hat wearers would believe but never happen in real life.
 

silentmajority

macrumors member
May 3, 2013
53
12
I understand what and why they are doing this, but the fact is that the TouchID works better than a 4-digit password. I don't have the TouchID activated because I am expecting Fort Knox; I have it activated to keep unwanted people (not necessarily nefarious people) from picking up my phone and texting, calling, snooping through my stuff without my knowledge or permission.

Now if someone were to steal it they would have to go through all the steps listed above before I notice my phone was stolen and before I use 'Find My iPhone' to disable it.

The security of your phone is dependent on more than just the TouchID.

The TouchID remains the best security on a mobile device that is currently on the market. It's not perfect. It's not hack proof, but it is the best.
 

dustinsc

macrumors regular
Nov 21, 2009
230
52
Why??

He is just showing the conceptional weaknesses of biometrical authentication. You are leaking this data everywhere without any control over it and unlike passwords you can't change your fingerprints or iris that easily.

Please have a look at: http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html

In my opinion it is very ethical to point out these issues to a broader audience.

I think people are frequently talking past each other when it comes to this issue. When it comes to securing state secrets or even confidential business information, you definitely don't want your fingerprint to be your only method of authentication. But for most people, your phone just needs a way to keep someone from accessing your information if you left your phone on a table. The combination of fingerprint and the post hoc remote locking via find my iPhone gets the job done better than a PIN for most users in most use cases.
 

dustinsc

macrumors regular
Nov 21, 2009
230
52
> I understand what and why they are doing this, but the fact is that the TouchID works better than a 4-digit password. I don't have the TouchID activated because I am expecting Fort Knox; I have it activated to keep unwanted people (not necessarily nefarious people) from picking up my phone and texting, calling, snooping through my stuff without my knowledge or permission.
>
> Now if someone were to steal it they would have to go through all the steps listed above before I notice my phone was stolen and before I use 'Find My iPhone' to disable it.
>
> The security of your phone is dependent on more than just the TouchID.
>
> The TouchID remains the best security on a mobile device that is currently on the market. It's not perfect. It's not hack proof, but it is the best.

Exactly. TouchID doesn't have to be perfect to be useful. It just has to be better than a PIN. It's easier to look over someone's shoulder (maybe with a discreet camera with video that can be slowed down) than it is to pull and use someone's fingerprint.
 

0098386

Suspended
Jan 18, 2005
21,574
2,908
> The TouchID remains the best security on a mobile device that is currently on the market. It's not perfect. It's not hack proof, but it is the best.

What metric are you using to determine that it's the best? I use TouchID, I know it's not the best, but I still use it. I know passwords are the best (various medium-sized business owners I know use 8 character passwords on their phones, rather than the 4 digit number code). I imagine something long like that, that requires you to be awake to enter would be more secure and "best".
 

maflynn

Moderator
Staff member
May 3, 2009
68,029
35,595
Boston
I think for the most part, no security scheme is air tight. For the majority of people, this is a non-issue.
 

Binarymix

macrumors 65816
Nov 1, 2007
1,110
343
All these methods of re-creating a fingerprint to unlock a phone, when a gun to the person's head is a much faster option. Or cutting off their finger for that matter.

Usually if you're after a person's private information on a phone, the person isn't going to be far away. May as well utilize the person to get your job done faster. I mean you're gonna break the law anyways.
 

chuloo

macrumors member
Jun 24, 2010
42
29
Sweden
I always wear gloves when I sleep, in case someone is trying to snap a photo of my thumb I'll notice.
 

mercuryjones

macrumors 6502a
May 31, 2005
786
0
College Station, TX
Ha! Fooled them. I used someone else's fingerprint as my unlock. Of course, every time I want to unlock my phone, I have to track that person down, but at least "they" can't get into my phone with a picture of my fingerprint.
 

furi0usbee

macrumors 68000
Jul 11, 2008
1,781
1,264
You've got that right. Wouldn't it be easier to just enter the 10,000 passwords (0000-9999)?

Well I remember the old saying that most lottery jackpots are won by quick picks because people tend to play birthdays. So going by that method, it stands to reason that people would use the same MM/YY thinking or YYYY for their 4 digit passwords. So if you know how old someone is, or their kids, etc. your chances of choosing their password would be much higher. Of course other things stand in your way, like iPhone reset after 10 failed attempts, as well as the delay between attempts, etc.
 

Morgenland

macrumors 65816
May 28, 2009
1,007
927
Europe
Intelligence Services in China and... elsewhere

Fingerprint databases are fed every day by officers (e.g. police) worldwide.

Was just one hint beyond the CCC presentation:
Intelligence services can take them over and connect them with appropriate technology (rapid prototype). They won't waste time in taking high-res photos.
 