Fingerprint from photo

Admittedly, Touch ID has popularized and mainstreamed biometric security on mobile devices, authenticating users by their fingerprint: the impression made on a surface by the inner part of the top joint of a finger.

Having debuted on the iPhone 5s, Apple’s in-house sensor built into the Home button is based on a sophisticated technology by Israeli smart sensor maker AuthenTec, which the Cupertino firm snapped up in July of 2012 for a reported $356 million.

However, existing fingerprint-based security solutions could be easily bypassed by generating a fingerprint image from a series of photos of someone’s finger, no physical print necessary whatsoever, according to claims by Chaos Computer Club, Europe’s largest association of hackers.

As relayed by VentureBeat, the hackers have now successfully demonstrated a proof-of-concept by copying the thumbprint of German Defense Minister Ursula von der Leyen.

They used a close-up photograph of von der Leyen’s thumb, obtained during a news conference in October, along with photographs taken from different angles, said Jan Krissler aka “Starbug” at the 31st annual Chaos Computer Club convention in Hamburg, Germany.

According to the hacker, they used commercially available software called VeriFinger to generate a working fingerprint from photographs (his full talk in German is available on YouTube).

A similar method can be used to fool other security methods like facial recognition, he claimed in showing the conceptual weaknesses of biometric authentication.

Chaos Computer Club may sound familiar: last year, they successfully circumvented Apple’s Touch ID protection with a technique referred to as “fake finger.”

It involves taking a very high-resolution photo (2400 dpi) of a person’s fingerprint and printing it on a transparent sheet with a thick toner setting before filling it in with pink latex milk to create a fingerprint replica which can be placed onto the Touch ID sensor to unlock an iPhone.

As opposed to copying someone’s thumbprint from an object with a polished surface, Chaos’s latest technique doesn’t even require a physical fingerprint and as such could be worrisome to some.

Fingerprints that can be used for biometric authentication can be easily snatched from persons at public events by simply using a “standard photo camera,” Krissler said and expressed hopes that “politicians will presumably wear gloves when talking in public.”

On the other hand, it’s worth underscoring that Chaos Computer Club has not proved (yet) that the fingerprint replica generated from a series of photos of someone’s finger could in fact be used to bypass Touch ID.

There’s no such thing as an unbreakable biometric security system and Touch ID is no exception. Biometric security is typically augmented with other layers of security like passwords or, in the case of iPhones, PIN codes.

Because biometrics alone shouldn’t be used to authenticate an identity, Apple requires that you create a passcode when setting up Touch ID on your device. As another layer of security, you must punch in your passcode to unlock the device after each restart, and your Apple ID password to re-authorize App Store purchases via Touch ID.

Although Apple has improved the reliability, performance and security of Touch ID with the release of the iPhone 6, iPad Air 2 and iPad mini 3, the system can still be bypassed, as mentioned before.

That doesn’t mean you should disable Touch ID on your device. Apple’s fingerprint sensing is a great convenience: not only can you unlock the device and approve App Store purchases with it, but also use it to protect content in a growing list of compatible third-party applications.

An attacker would have to possess considerable skills and have access to pricey equipment and the resources to pull off such a feat. Fortunately, that’s outside the realm of the average user who has a limited skill set and basic knowledge of biometric security.

[VentureBeat]

Image top of post: Gizmodo.

  • Merman123

    This is not “easy.”

    • True but it shows how much easier it is to get a fingerprint rather than a passcode saved in your (brains) memory. It’s faster to use a finger but safer not use actual passwords/codes in most cases.

      • Except you need both if your device has been powered off…

      • Except it is not very common to power off your smart device nowadays.

      • I do it all of the time. It also requires a passcode if your device crashes or restarts for whatever reason too…

      • I mean before sleeping. People rarely shut it off before going to sleep. That’s when it’s most vulnerable. Just suppose someone drugs a person to gain access, odds are your device is on and your password has been entered.

      • True. FindMyiPhone can fix that though 80% of the time as long as the phone has a signal…

      • True but utterly useless if you have no access to it.

      • You track it, report it to the police and find it. There’s many success stories of people using FindMyiPhone…
        I think most criminals won’t be sophisticated enough to fake fingerprints anyway. It’d have to be a really well done operation just to steal one iPhone. They’d be better off trying their luck with more insecure phones…
        Let’s say someone with the knowledge to clone your fingerprint did get your phone even then I might be wrong but think Touch ID will timeout after a while and ask for your password anyway…

      • You don’t understand, we’re not talking about the device being stolen. Just about the safety of having your device locked with only your fingerprint. Let’s say someone puts you to sleep, accesses your device, gets whatever info they need and that’s it.. FindMyiPhone has no use in this case…

      • This is why you either power your device off (and turn it back on if necessary) or wait for Touch ID to timeout and ask for your passcode again. This is really common sense, don’t leave your phone unwatched protected by just your finger…

      • Of course, but a majority of users don’t do either and assume that it is more secure that’s all I am saying.

      • EetChit

        Good thing that iphones also require your passcode/password after a random period of inactivity between a few hours to 2 days as well as after any restart too.

      • Antonio Fonseca

        You need to capture a good enough digital and reproduce that with high precision before you can use it. And if the biometric authentication system adds an external aleatory seed, all your effort will be in vain.

  • Jonathan Dawson

    “Any attacker would have to possess considerable skills, have access to the pricey equipment and the resources to pull off the feat”. yeah, sounds pretty easy.

  • pnh

    Much easier to just cut the person’s finger off and use that 😉

    • Very true. Or just wait until they’re asleep, less bloody that way lol.

    • Alex Blaha

      It needs to be alive in order to work, but ya.

      • Nevertrending

        Just heat it in the microwave ^^

  • 9to5Slavery

    Could be worse. Could be a Samsung gimmick of an eye ball scanner.

  • arrontaylor

    Maybe the title of this should be “it’s POSSIBLE to create a fingerprint from a photo”, rather than “It’s EASY”…

  • Shripad Sonavnay

    Photos from now on ;p

  • arvindb02

    How exactly would someone manage to get a high resolution picture of your finger?

    • Ted Forbes

      For one, people walk with their hands down (and open) so just take a few shots of their hands, if it’s that important how hard can it be.

  • CollegiateLad

    I keep high resolution pics of people’s fingers in my back pocket.

  • jack

    “Fingerprints that can be used for biometric authentication can be easily snatched ” I don’t think it is “easy” to take tons of pictures of someone’s finger in public without attracting much attention. And plus you have to take photos of the correct finger, because not all people use the same finger in touchid/etc

  • diggitydang

    Sorry if off-topic, but my TouchID stopped working today on my JB 6+, 128GB, silver… Anyone else having this issue or know why?

    • diggitydang

      Seems to be Activator that’s doing it. Ughhhh… Can’t live without Activator… This is a sad day!!

    • diggitydang

      Ok. After trying to uninstall and reinstall it, I found that resetting the settings got it working again, in case anyone is interested in the solution.

  • Antonio Fonseca

    Link bait. This is not easy.

  • In other news, it is easy to create a video of you manually entering your password. It has been proven that the same numbers that appear in the video will get your victim’s phone unlocked.