 |
 |
Fingerprint security may be vulnerable to spoofs based on photos
|
|
|
|
|
MacNN Staff
Join Date: Jul 2012
Status:
Offline
|
|
The European group that first demonstrated a hack of Apple's Touch ID using a fake fingerprint says it has discovered a way of recreating a fingerprint without a physical sample. The Chaos Computer Club's Jan Krissler, better known as Starbug, demonstrated the technique at the Club's recent 31st convention in Hamburg, using German Defense Minister Ursula von der Leyen as an example. Through commercial software called VeriFinger, Krissler says he was able to piece together Von der Leyen's thumbprint based on publicly-available photos of her digits. The average person is unlikely to be affected. The main source image was a close-up of Von der Leyen's thumb from an October press conference, and most people appear in far fewer photos, especially ones with visible fingerprints. The original Touch ID hack also requires several hours at least, and initially took 30 hours to accomplish.
It still applies to modern iOS devices however, and could theoretically be used to target anyone in the public eye as long as enough photos of their hands exist. Apple -- and other companies such as Samsung -- have marketed fingerprints as inherently more secure than passwords or PINs, but the CCC data suggests that vulnerabilities do exist.
|
|
|
| |
|
|
|
|
|
|
|
Banned
Join Date: Dec 2007
Status:
Offline
|
|
|
|
|
|
| |
|
|
|
|
|
|
|
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Status:
Offline
|
|
The CCC don't tend to hoax.
|
|
|
| |
|
|
|
|
|
|
|
Grizzled Veteran
Join Date: Jun 2008
Status:
Offline
|
|
It doesn't sound too far-fetched (though it does sound quite tedious at this point in time) -- if you can recreate a fingerprint, then you can theoretically (and, apparently, practically) use that reproduction to "fool" fingerprint sensors into accepting it as valid input.
While Apple never touted the fingerprint as an absolute fool-proof security mechanism, I have to believe that it's still years ahead of pin codes and passwords in terms of difficulty to obtain.
And, when, a decade or two down the line, technology is created that allows nefarious types to lift a picture-perfect recreation of your fingerprint from a doorhandle or what-not, I'm sure we'll have moved on to ocular scanning and other more secure types of protection. For now, I still have to believe that the fingerprint, at least with today's technology, is a superior form of protection.
|
|
|
| |
|
|
|
|
|
|
|
Mac Elite
Join Date: Aug 2001
Location: Maitland, FL
Status:
Offline
|
|
So first you have to diligently recreate the person's fingerprint based on high-resolution photos of their fingers, and then you have to get physical access to their phone. Sounds like a great plot idea for the next Bond movie, but in the real world this might possibly someday happen to one actual person who's incredibly high-value to the government ... and nobody else.
Seems to me it would actually be a lot easier to fool the person (or force the person) to use their own fingerprint and just unlock the iPhone for you.
I'm not dismissing the value of understanding a potential vulnerability, but I think we were aware that people who might be targeted by this sort of attack are also likely to be forced to unlock the iPhone. If you have their finger and you have their iPhone, then nearly anyone can be under the right circumstances made to unlock the iPhone for you. This seems like a Rube Goldberg-esque "proof of concept" exercise with little to no practical value.
|
|
Charles Martin
MacNN Editor
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
 
|
|
|
Forum Rules
|
|
|
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
|
HTML code is Off
|
|
|
|
|
|
|
|
|
|
|
|
Top