It’s easy to create a fingerprint from smartphone photos of someone’s finger

Admittedly, Touch ID has popularized and mainstreamed fingerprint-based biometric security on mobile devices, that is, security that relies on the impression made on a surface by the inner part of the top joint of a finger.

Having debuted on the iPhone 5s, Apple’s in-house sensor built into the Home button is based on a sophisticated technology by Israeli smart sensor maker AuthenTec, which the Cupertino firm snapped up in July of 2012 for a reported $356 million.

However, existing fingerprint-based security solutions could be easily bypassed by generating a fingerprint image from a series of photos of someone’s finger, no physical print necessary whatsoever, according to claims by Chaos Computer Club, Europe’s largest association of hackers.

As relayed by VentureBeat, the hackers have now successfully demonstrated a proof-of-concept by copying the thumbprint of German Defense Minister Ursula von der Leyen.

They used a close-up photograph of von der Leyen’s thumb, obtained during a news conference in October, along with photographs taken from different angles, said Jan Krissler aka “Starbug” at the 31st annual Chaos Computer Club convention in Hamburg, Germany.

According to the hacker, they used commercially available software called VeriFinger to generate a working fingerprint from photographs (his full talk in German is available on YouTube).

A similar method can be used to fool other security methods like facial recognition, he claimed in showing the conceptual weaknesses of biometric authentication.

Chaos Computer Club may sound familiar: last year, they successfully circumvented Apple’s Touch ID protection with a technique referred to as “fake finger.”

It involves taking a very high-resolution photo (2400 dpi) of a person’s fingerprint and printing it on a transparent sheet with a thick toner setting before filling it in with pink latex milk to create a fingerprint replica which can be placed onto the Touch ID sensor to unlock an iPhone.

As opposed to copying someone’s thumbprint from an object with a polished surface, Chaos’s latest technique doesn’t even require a physical fingerprint and as such could be worrisome to some.

Fingerprints that can be used for biometric authentication can be easily snatched from persons at public events by simply using a “standard photo camera,” Krissler said and expressed hopes that “politicians will presumably wear gloves when talking in public.”

On the other hand, it’s worth underscoring that Chaos Computer Club has not proved (yet) that the fingerprint replica generated from a series of photos of someone’s finger could in fact be used to bypass Touch ID.

There’s no such thing as an unbreakable biometric security system, and Touch ID is no exception. Biometric security is typically augmented with other layers of security like passwords or, in the case of iPhones, PIN codes.

Because biometrics alone shouldn’t be used to authenticate an identity, Apple requires that you create a passcode when setting up Touch ID on your device. As another layer of security, you must punch in your passcode to unlock the device after each restart, and your Apple ID password to re-authorize App Store purchases via Touch ID.

Although Apple has improved the reliability, performance and security of Touch ID with the release of the iPhone 6, iPad Air 2 and iPad mini 3, the system can still be bypassed, as mentioned before.

That doesn’t mean you should disable Touch ID on your device. Apple’s fingerprint sensing is a great convenience: not only can you unlock the device and approve App Store purchases with it, but also use it to protect content in a growing list of compatible third-party applications.

An attacker would have to possess considerable skills and have access to pricey equipment and the resources to pull off such a feat. Fortunately, that’s outside the realm of the average user who has a limited skill set and basic knowledge of biometric security.

[VentureBeat]

Image top of post: Gizmodo.