Welcome to the MacNN Forums.

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

You are here: MacNN Forums > News > Tech News > Fingerprint security may be vulnerable to spoofs based on photos

Fingerprint security may be vulnerable to spoofs based on photos
Thread Tools
NewsPoster
MacNN Staff
Join Date: Jul 2012
Status: Offline
Reply With Quote
Dec 29, 2014, 03:04 PM
 
The European group that first demonstrated a hack of Apple's Touch ID using a fake fingerprint says it has discovered a way of recreating a fingerprint without a physical sample. The Chaos Computer Club's Jan Krissler, better known as Starbug, demonstrated the technique at the Club's recent 31st convention in Hamburg, using German Defense Minister Ursula von der Leyen as an example. Through commercial software called VeriFinger, Krissler says he was able to piece together Von der Leyen's thumbprint based on publicly-available photos of her digits.

The average person is unlikely to be affected. The main source image was a close-up of Von der Leyen's thumb from an October press conference, and most people appear in far fewer photos, especially ones with visible fingerprints. The original Touch ID hack also requires several hours at least, and initially took 30 hours to accomplish.

It still applies to modern iOS devices however, and could theoretically be used to target anyone in the public eye as long as enough photos of their hands exist. Apple -- and other companies such as Samsung -- have marketed fingerprints as inherently more secure than passwords or PINs, but the CCC data suggests that vulnerabilities do exist.
     
iBricking.com
Banned
Join Date: Dec 2007
Status: Offline
Reply With Quote
Dec 29, 2014, 04:49 PM
 
This has to be a hoax.
     
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Status: Offline
Reply With Quote
Dec 29, 2014, 05:39 PM
 
The CCC don't tend to hoax.
     
DiabloConQueso
Grizzled Veteran
Join Date: Jun 2008
Status: Offline
Reply With Quote
Dec 29, 2014, 06:46 PM
 
It doesn't sound too far-fetched (though it does sound quite tedious at this point in time) -- if you can recreate a fingerprint, then you can theoretically (and, apparently, practically) use that reproduction to "fool" fingerprint sensors into accepting it as valid input.

While Apple never touted the fingerprint as an absolute fool-proof security mechanism, I have to believe that it's still years ahead of pin codes and passwords in terms of difficulty to obtain.

And, when, a decade or two down the line, technology is created that allows nefarious types to lift a picture-perfect recreation of your fingerprint from a doorhandle or what-not, I'm sure we'll have moved on to ocular scanning and other more secure types of protection. For now, I still have to believe that the fingerprint, at least with today's technology, is a superior form of protection.
     
Charles Martin
Mac Elite
Join Date: Aug 2001
Location: Maitland, FL
Status: Offline
Reply With Quote
Dec 29, 2014, 07:41 PM
 
So first you have to diligently recreate the person's fingerprint based on high-resolution photos of their fingers, and then you have to get physical access to their phone. Sounds like a great plot idea for the next Bond movie, but in the real world this might possibly someday happen to one actual person who's incredibly high-value to the government ... and nobody else.

Seems to me it would actually be a lot easier to fool the person (or force the person) to use their own fingerprint and just unlock the iPhone for you.

I'm not dismissing the value of understanding a potential vulnerability, but I think we were aware that people who might be targeted by this sort of attack are also likely to be forced to unlock the iPhone. If you have their finger and you have their iPhone, then nearly anyone can be under the right circumstances made to unlock the iPhone for you. This seems like a Rube Goldberg-esque "proof of concept" exercise with little to no practical value.
Charles Martin
MacNN Editor
     
   
Thread Tools
 
Forum Links
Forum Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Top
Privacy Policy
All times are GMT -4. The time now is 05:27 AM.
All contents of these forums © 1995-2017 MacNN. All rights reserved.
Branding + Design: www.gesamtbild.com
vBulletin v.3.8.8 © 2000-2017, Jelsoft Enterprises Ltd.,