Chaos Computer Club Demonstrates How to Reproduce Fingerprints Using Public Photos

[MacRumors]

The Chaos Computer Club (CCC) claims that it can reproduce fingerprints to overcome security measures from simple photos of a user's fingers, reports VentureBeat. CCC member Jan "Starbug" Krissler presented his method for recreating a fingerprint at the group's annual convention in Hamburg, Germany over the weekend, as he generated the thumbprint of German Defense Minister Ursula von der Leyen by using a public photo and computer program VeriFinger.

Image credit: Gizmodo​

​

Instead, he explained how fingerprints can be snatched from persons at public events by simply using a "standard photo camera."

The main source was a close-up picture of von der Leyen's thumb, obtained during a news conference in October, along with photographs taken from different angles to get an image of the complete fingerprint.

The CCC demonstrated last year how it could bypass Apple's Touch ID fingerprint sensor with a photo of the original user's fingerprint. The newest method presented by the group does not require a hacker to obtain a physical object to recreate the fingerprint, although Krissler notes that other security methods like facial recognition can also easily be fooled through similar means. The group and Krissler hope to highlight the potential exploits in newer technology, and also noted that additional security layers like passwords should also be activated to secure information properly.

Article Link: Chaos Computer Club Demonstrates How to Reproduce Fingerprints Using Public Photos

 

[silentmajority]

Boy, are they going to be disappointed after they go through all that trouble to get access to my iPhone...

 

[Zxxv]

The world gives us nice things and people spoil them with their dishonesty.

Honesty - The best security known to humankind

 

[DanielSw]

What a pathetic and criminal waste of effort.

 

[djgamble]

The world gives us nice things and people spoil them with their dishonesty.

Honesty - The best security known to humankind

If that existed there'd be no need for any security... you'd just leave your phone unlocked on the table at Maccas while ordering your burger and it'd be there (untouched) when you returned.

 

[jlwarlow]

This is why we have 2 factor: something we have (fingerprint, token generator) and something we know - password/PIN. These systems are there to make it harder to get into something, unfortunately nothing makes it impossible to get into.

 

[Mike MA]

What a pathetic and criminal waste of effort.

Well, they're basically pointing towards security issues and also consult in this area, they are not criminal or hackers.

 

[LordDeath]

What a pathetic and criminal waste of effort.

Why??

He is just showing the conceptional weaknesses of biometrical authentication. You are leaking this data everywhere without any control over it and unlike passwords you can't change your fingerprints or iris that easily.

Please have a look at: http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html

In my opinion it is very ethical to point out these issues to a broader audience.

 

[2457282]

I think for most people this is not a problem - who is going to go to all the trouble of taking pictures of my fingers and creating a fake print to get into my phone? Now if I were someone well known, this could be a problem. Or if I were in trouble with the authorities they can use this to get into my phone.

I think this is important to undertand and look at as it validates the need for two factor authentication in some situations.

 

[Rogifan]

So did someone actually bypass Touch ID using a fingerprint from a smartphone camera? In order to do it on mine someone would need a photo of my thumb. Where are they getting that from? I don't take photos of my thumb and neither does anyone I know.

----------

I think for most people this is not a problem - who is going to go to all the trouble of taking pictures of my fingers and creating a fake print to get into my phone? Now if I were someone well known, this could be a problem. Or if I were in trouble with the authorities they can use this to get into my phone.

I think this is important to undertand and look at as it validates the need for two factor authentication in some situations.

Do we have an example of police or government agencies forcing someone to take photos of their fingers and then using those photos to create a fake fingerprint to get access to your device? Sounds like something tin-foil hat wearers would believe but never happen in real life.

 

[silentmajority]

I understand what and why they are doing this, but the fact is that the TouchID works better than 4-digit password. I don't have the TouchID activated because I am expecting Fort Knox I have it activated to keep unwanted people (not necessarily nefarious people) from picking up my phone and texting, calling, snooping through my stuff without my knowledge or permission.

Now if someone were to steal it they would have to go through all the steps listed above before I notice my phone was stolen and before I use 'Find My iPhone' to disable it.

The security of your phone is dependent on more than just the TouchID.

The TouchID remains the best security on a mobile device that is currently on the market. It's not perfect. It's not hack proof, but it is the best.

 

[dustinsc]

Why??

He is just showing the conceptional weaknesses of biometrical authentication. You are leaking this data everywhere without any control over it and unlike passwords you can't change your fingerprints or iris that easily.

Please have a look at: http://blog.dustinkirkland.com/2013/10/fingerprints-are-user-names-not.html

In my opinion it is very ethical to point out these issues to a broader audience.

I think people are frequently talking past each other when it comes to this issue. When it comes to securing state secrets or even confidential business information, you definitely don't want your fingerprint to be your only method of authentication. But for most people, your phone just needs a way to keep someone from accessing your information if you left your phone on a table. The combination of fingerprint and the post hoc remote locking via find my iPhone gets the job done better than a PIN for most users in most use cases.

 

[Rud3Bwoy]

This is why I scanned my toe print instead

 

[lincolntran]

I don't even take my own thumb pic let alone from many angles...

 

[JesperA]

Boy, are they going to be disappointed after they go through all that trouble to get access to my iPhone...

I can assure you that no one is interested in your iPhone anyway

 

[dustinsc]

I understand what and why they are doing this, but the fact is that the TouchID works better than 4-digit password. I don't have the TouchID activated because I am expecting Fort Knox I have it activated to keep unwanted people (not necessarily nefarious people) from picking up my phone and texting, calling, snooping through my stuff without my knowledge or permission.

Now if someone were to steal it they would have to go through all the steps listed above before I notice my phone was stolen and before I use 'Find My iPhone' to disable it.

The security of your phone is dependent on more than just the TouchID.

The TouchID remains the best security on a mobile device that is currently on the market. It's not perfect. It's not hack proof, but it is the best.

exactly. TouchID doesn't have to be perfect to be useful. It just has to be better than a PIN. It's easier to look over someone's shoulder (maybe with a discrete camera with video that can be slowed down) than it is to pull and use someone's fingerprint.

 

[0098386]

The TouchID remains the best security on a mobile device that is currently on the market. It's not perfect. It's not hack proof, but it is the best.

What metric are you using to determine that it's the best? I use TouchID, I know it's not the best, but I still use it. I know passwords are the best (various medium-sized business owners I know use 8 character passwords on their phones, rather than the 4 digit number code). I imagine something long like that, that requires you to be awake to enter would be more secure and "best".

 

[snorkelman]

a big thumbs up to CCC for highlighting this important issue

 

[maflynn]

I think for the most part, no security scheme is air tight. For the majority of people, this is a non-issue.

 

[Binarymix]

All these methods of re-creating a fingerprint to unlock a phone, when a gun to the persons head is a much faster option. Or cutting off their finger for that matter.

Usually if you're after a persons private information on a phone, the person isn't going to be far away. May as well utilize the person to get your job done faster. I mean you're gonna break the law anyways.

 

[chuloo]

I always wear gloves when I sleep, in case some is trying to snap a photo of my thumb I'll notice.

 

[JHankwitz]

What a pathetic and criminal waste of effort.

You've got that right. Wouldn't it be easier to just enter the 10,000 passwords (0000-9999)?

 

[mercuryjones]

Ha! Fooled them. I used someone else's fingerprint as my unlock. Of course, everytime I want to unlock my phone, I have to track that person down, but at least "they" can't get into my phone with a picture of my fingerprint.

 

[furi0usbee]

You've got that right. Wouldn't it be easier to just enter the 10,000 passwords (0000-9999)?

Well I remember the old saying that most lottery jackpots are won by quick picks because people tend to play birthdays. So going by that method, it stands to reason that people would use the same MM/YY thinking or YYYY for their 4 digit passwords. So if you know how old someone is, or their kids, etc. your chances of choosing their password would be much higher. Of course other things stand in your way, like iPhone reset after 10 failed attempts, as well as the delay between attempts, etc.

 

[Morgenland]

Intelligence Services in China and... elsewhere

Fingerprints data bases are feeded every day by officers (e.g. police) world wide.

Was just one hint beyond the CCC presentation:
Intelligence services can take them over and connect it with appropriate technology (rapid prototype). They won't waste time in taking high-res photos.