Reg comments56

German minister photo fingerprint 'theft' seemed far too EASY, wail securobods

Security industry fear after apparent digit sig nickery

Claims that fingerprints can be cloned from pictures are being taken seriously by security experts, who argue that any possible hack underlines the fragility of the biometric technique.

Hacker Jan "Starbug" Krisller cloned the thumbprint of the German Defence Minister Ursula von der Leyen after photographing her hand at a press conference.

During a presentation at the annual Chaos Computer Club hacker conference in Hamburg, Krisller explained how he used commercial fingerprint software from Verifinger to map out the contours of the minister's thumbprint from the hi-res image taken using a telephoto lens.

Krisller previous credits include successfully defeating Apple's TouchID fingerprint lock.

He applied the same technique of taking reversed images of digital photographs before using flexible materials, and laser printers to create false fingerprints.

Using a "raised ink" printing process, it’s possible to print an image on a very thin plastic surface, such as the skin of a balloon. By wearing the balloon skin over a finger, anyone can then assume the identity associated with the lifted fingerprint.

However, as previously reported it’s unclear whether the fake thumbprint matches von der Leyen's actual digit.

Fingerprint hacking is a perennial topic at the German CCC conference. The latest hack takes the earlier (confirmed) hack against the iPhone fingerprint biometric one step further, but the “principles are identical”, according to biometric security experts at Entrust Datacard.

The type of hack is possible because fingerprint biometrics are deliberately tuned to minimise false negatives - something that tends to make standalone fingerprint techniques unreliable, an Entrust Datacard security engineer (who asked to remain unnamed) told El Reg.

Remember, your fingerprints are not a secret. You leave them everywhere you go. Authentication is normally based on 'something you know', and not just 'something you have' such as a fingerprint or any other biometric.

Fingerprints in themselves are not sufficient for strong security. The best 'fingerprint' biometric systems only use a fingerprint as a reticule to align vascular system assessments [bloody vessel positioning], which are much more difficult to fake, but much more expensive to implement.

Also, remember: The biggest problem with any biometric is false negatives (legitimate person being denied access because their own biometric measurement failed). Since biometric systems by definition have to tune out false negatives, this opens the door to hackers.

Other security experts are also taking the claimed hack seriously. “Fingerprint biometrics means keeping your fingers secret,” said Chris Wysopal, co-founder of application security firm Veracode and former L0pht security researcher, in a Twitter update. ®

Sign up to our Newsletter

Get IT in your inbox daily

Biting the hand that feeds IT © 1998–2017