Out of touch ID

Fingerprints can be reproduced from publicly available photos

At a conference in Hamburg, Germany this weekend, biometrics researcher Jan Krissler demonstrated how he spoofed a politician’s fingerprint using photos taken by a “standard photo camera.”

Krissler speculated that politicians might even want to “wear gloves when talking in public.”

The Chaos Computer Club, which put on the conference, and Krissler, who goes by Starbug, have demonstrated their ability to breach fingerprint sensors in the past. Shortly after the first Touch ID-equipped iPhone came out, the Chaos Computer Club was the first group to demonstrate that it is possible to beat Touch ID by creating a fake latex finger from a fingerprint left on glass or a smartphone screen.

Krissler claims he isolated German Defense Minister Ursula von der Leyen’s fingerprint from high-resolution photos taken during a public appearance in October using commercially available software called VeriFinger.

Although biometric access has some advantages over traditional passwords — you can’t lose your fingerprint, and it can’t be phished — as the technology goes mainstream, it’s raising its own security issues. In addition to the spoofing problem, there’s a debate in the United States over whether a law enforcement officer can compel you to unlock your device with your finger.

Most iOS devices now come with Touch ID, Apple’s fingerprint security hardware. A recent Apple patent shows a way to beef up fingerprint reader security by adding a swipe motion.

Fingerprint readers aren’t standard on Android phones, but several devices already have them installed, and source code indicates that Google has been working to add system-wide fingerprint scanning support.

5 Responses to “Fingerprints can be reproduced from publicly available photos”

  1. Actually you can lose your fingerprint and it’s easier to be forced to give up access (including by the police, they love that, a lot easier than to compel the disclosure of a PW).
    Plus the greedy industry will use biometrics to lock devices and services to a single user. They’ll need new and imaginative ways to fool consumers into it but they are good at finding ideas that bring them undeserved earnings. Your car might not start if the driver is not insured or a service like Netflix might shift to biometrics to combat PW sharing.
    Abusive govs will use it to identify and track people. Your xbox controller might not work unless the user is registered.
    We would be better off without it.

    • Meester Unnone

      In some ways I agree but people have become accustomed to feeling entitled to things like password sharing or driving without insurance. Look, if you don’t like Netflix then don’t subscribe. And do you want to be on the road with uninsured motorists? I don’t. I understand that sometimes the risks outweigh the benefits. The car is a good example where I don’t think they should be tied to fingerprints but certainly if the car takes off without it, I wouldn’t mind being alerted that it could be stolen. Don’t throw the baby out with the bath water. Besides, biometrics have to be combined with at least one other piece of information to really be useful i.e. something you have + something you know (PIN, passphrase, etc).