Fingerprint Theft Just a Shutter Click Away

Ever since smartphone makers started incorporating fingerprint scanners as a means of unlocking mobile phones, the Chaos Computer Club has attacked the technology with vigor. 

Not long after Apple added Touch ID to its iPhones, the German hackers demonstrated how to lift prints from a surface and create a flexible pad containing the print that could be used to break into a phone.

Now the CCC hacker known as “Starbug” has used digital photography to perform the same trick without lifting any prints at all. At a recent cybersecurity conference, Starbug demonstrated how he created the thumb print of German Minister of Defense Ursula von der Leyen from several news photos.

“After this talk, politicians will presumably wear gloves when talking in public,” Starbug said.

The process takes some effort. After finding some high-resolution photos, the fingerprint needs to be outlined on tracing paper, copied onto a plastic board, covered with graphite, then coated with wood glue to create the pad containing the print. The materials to perform the operation can be assembled for about US$200.

‘Holy Cow’ Moment

While Starbug may have created something that looks like the defense minister’s fingerprint, one expert questioned other claims made by the hacker.

“If he can take that fingerprint to a scanner at the Ministry of Defense and make that scanner think he’s the minister of defense, then he has done something, but I don’t believe he’s done that,” said Chace Hatcher, CEO of Diamond Fortress.

“The Chaos Computer Club is suffering from what it accuses the biometric industry of suffering from: hyperbole,” he told TechNewsWorld.

“The Chaos Computer Club is pointing out weaknesses in the system, and that’s a necessary and admirable thing, but this isn’t the ‘Holy Cow’ moment Starbug purports it to be,” Hatcher said. “The idea that public officials are going to start wearing gloves because of this is ludicrous.”

Fingerprints From Selfies?

Given the number of selfies posted to the Internet every day, should we start worrying about hackers lifting our fingerprints from those images?

“Most ordinary photographs are not high-resolution enough to detect all the necessary ridges in a fingerprint,” said Harry Sverdlove, CTO of Bit9 + Carbon Black.

Even if a high-resolution photo were posted to a social media site, it’s unlikely it could be used for capturing fingerprints.

“When posted online on social media sites, images are typically compressed or reduced in quality,” Sverdlove told TechNewsWorld.

Social media is better used to make educated guesses about a person’s security questions than for capturing their fingerprints, he observed.

“Biometrics is a nice additional layer to other security measures like passwords and smart cards, but it has its limitations,” added Sverdlove. “Not only can things like fingerprint and facial recognition sensors be fooled, but unlike other forms of security, biometrics cannot be easily changed. A person cannot easily change his or her fingerprint.”

Notching Up Creepy

Biometrics should not be used alone to authenticate a person’s identity, said Catherine Pearce, a security consultant with Neohapsis.

“This is especially true if it is also the means of identification,” she told TechNewsWorld.

“Each time you use a password, it becomes a little less secret and a little less secure,” said Pearce. “Fingerprints now also become less secure over time, but we can’t change them. This is why most biometric systems are multiple factor, such as a password and a fingerprint, because at least you can change a password if it becomes compromised.”

Lifting fingerprints from a surface and using them to defeat scanners is creepy, but Starbug has taken that creepiness to another level, in Pearce’s view.

“The fact that this attack is able to be done with no direct contact makes it scarier,” she said.

“Previously, the concern has been for things we touch,” Pearce noted, “but now it’s anyone within enough distance to photograph us that can become a threat.”