News Feature | February 4, 2015

Can Biometric Technology Fight Back From Hacks With Fingerprint Photos?

By Christine Kern, contributing writer

It turns out that hackers have figured out how to get past biometric fingerprint authentication by using photographs of a subject’s fingers and fingerprint identification software, according to Tech News World. But does this mean the idea of using the technology for secure authentication is over?

In September, hacker Jan Krissler, aka “Starbug,” announced that he and members of the Chaos Computer Club had successfully bypassed the biometric security found on Apple’s TouchID “using easy everyday means.” The blog post asserted that he used a photograph of the user’s fingerprint, found on a glass surface, to create a fake finger that was then able to unlock an iPhone 5S that used TouchID. 

Frank Rieger, spokesperson of the CCC, said in the blog post, “The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.” Fingerprint biometrics in passports has been introduced in many countries despite the fact that no security gain can be shown from this global roll-out.

VentureBeat reported that Starbug demonstrated the capability by photographing the thumb of German Defense Minister Ursula von der Leyen, using commercially available software called VeriFinger to generate a fingerprint. The main source was a close-up picture of von der Leyen’s thumb, obtained during a news conference in October, along with photographs taken from different angles to get an image of the complete fingerprint.

An HITB Conference presentation by Marc Rogers also investigates the limitations of biometrics as a secure means of protecting access to sensitive data. Citing a 2000 paper titled “Biometric Fingerprint Recognition: Don’t Get Your Fingers Burned,” Rogers explains how biometrics can be “fooled” by cloned fingers because fingerprint sensors do not test for liveness. He also referenced attempts by hackers Ton van der Putte, Tsutomu Matsumoto, and Starbug to bypass the technology, concluding that biometrics are “broken” and suggesting that they be used only in conjunction with other security features like user-configurable timeouts, duress codes, and user-configurable attempts.

However, according to 9to5Mac, we shouldn’t be rushing to dump TouchID. Although the club states that the hack could be performed with “materials that can be found in almost every household,” the article goes on to say that the process requires a 2400 dpi resolution photograph of the fingerprint.

And, at this point, 9to5Mac points out, Krissler has not yet demonstrated an ability to combine the two approaches by using a photographed fingerprint to fool Touch ID, and even if he is able to do so, the time it takes is not inconsequential. Last year’s video demonstrating the approach showed that it required 30 hours of work to pull off the first time, and would likely take several hours subsequently.

However, with the expanding capabilities of high-resolution digital cameras that can fool scanners, some experts suggest that the industry will need to address this vulnerability by adding sensors that read live tissue or monitor for a heartbeat before authenticating.

“This is a result of the proliferation of high-resolution digital cameras, which can now capture the needed details to fool scanners,” Rob Enderle, principal analyst at the Enderle Group, told TechNewsWorld.

“It showcases a vulnerability that the industry will need to address,” he said. “Typically this involves adding a sensor that can read live tissue or looks for a heartbeat.”