Hacker fakes German minister's fingerprints using photos of her hands - Jan Krissler

Jan Krissler used high resolution photos, including one from a government press office, to successfully recreate the fingerprints of Germany’s defence minister..

It’s an old cliché of security researchers: fingerprints might appear more secure than passwords. But if your password gets stolen, you can change it to a new one; what happens when your fingerprint gets copied?

That’s no longer an abstract fear: a speaker at the Chaos Communication Congress, an annual meeting of hackers in Germany, demonstrated his method for faking fingerprints using only a few high-definition photographs of his target, German defence minister Ursula von der Leyen.

Jan Krissler, known in hacker circles as Starbug, used commercial software calledVeriFinger and several close-range photos of von der Leyen, including one gleaned from a press release issued by her own office and another he took himself from three meters away, to reverse-engineer the fingerprint.

Advertisement

“After this talk, politicians will presumably wear gloves when talking in public,” he joked.

Also reported at the conference was another security hole seemingly straight out of science-fiction: a so-called “corneal keylogger”. The idea behind the attack is simple. A hacker may have access to a user’s phone camera, but not anything else. How to go from there to stealing all their passwords?

One way, demonstrated on stage, is to read what they’re typing by analysing photographs of the reflections in their eyes. Smartphone cameras, even front-facing ones, are now high-resolution enough that such an attack is possible.

Starbug is no stranger to taking on biometric security. In a high profile stunt in 2013, he spoofed Apple’s TouchID sensors within 24 hours of the release of the iPhone 5S. Using a smudge on the screen of an iPhone, he printed a dummy finger using wood glue and sprayable graphene, which successfully unlocked a phone registered to someone else’s thumb.

For that hack, he had to have physical access to the phone he stole the fingerprint from, in order to get a high resolution scan of the print. His latest demonstration suggests that it may be possible to unlock a phone using a fingerprint stolen without ever touching a person or their property – although actually getting hold of the phone is still needed for the last stage, of actually unlocking it.

The increasing number of successful attacks against biometric identification has led to some security researchers advising that people change the way they think about security measures such as fingerprints and photo ID. Rather than treating them as a replacement for passwords, they should instead be used as a second factor of authentication, or even as something similar to a username: a publicly known piece of information which must be linked to a password before a user can log in.

As the ACLU’s Jay Stanley told the Washington Post, “Biometrics are not secrets… Ideally, they’re unique to each individual, but that’s not the same thing as being a secret.”

And Starbug agrees, telling Zeit in 2013 that “I consider my password safer than my fingerprint… My password is in my head, and if I’m careful when typing, I remain the only one who knows it.”

 Jan Krissler I Phone Hacker, Jan Krissler Touch ID hackers, 

Touch ID hackers attempt to take things to next level, no need for physical fingerprint

Touch ID hackers attempt to take things to next level, no need for physical fingerprint

The hacker who successfully used a fingerprint captured from an iPhone to fool Touch ID now believes it may be possible to perform the same hack without needing access to a physical fingerprint.Speaking at this year’s Chaos Computer Club convention, Jan Krissler – who uses the alias Starbug – demonstrated how a fingerprint can be generated from a series of ordinary photographs of someone’s finger … 

VentureBeat reports that he demonstrated the capability by photographing the thumb of German Defense Minister Ursula von der Leyen, using this to generate a fingerprint …

Krissler said he used commercially available software calledVeriFinger to pull off the feat. The main source was a close-up picture of von der Leyen’s thumb, obtained during a news conference in October, along with photographs taken from different angles to get an image of the complete fingerprint.

It’s worth noting that at this point, Krissler has not yet demonstrated an ability to combine the two approaches by using a photographed fingerprint to fool Touch ID, and that even if he is able to do so, the attack method is non-trivial. Last year’s video demonstrating the approach showed that it required 30 hours of work to pull off the first time, and would likely take several hours subsequently.

As we noted last time, the hack requires a considerable amount of time, effort, skill and equipment, and is not something the average iPhone user need be too concerned about.

Tests performed using the hack showed that while it still worked on the iPhone 6, Apple had improvedboth the security and reliability of the sensor in the new models.

Jan Krissler World Famous Hackers Who Hack Fingerprint

Hackers can steal your fingerprint from a PHOTO: Copycat print could be used by criminals to fool security systems

Hackers have used photos to recreate the fingerprint (stock image) of a German politician

Hackers have already proved they can bypass Apple's fingerprint scanner using a collection of household items to make a latex replica print.

And now, one expert has recreated the fingerprints of Germany’s Minister of Defence, Ursula von der Leyen, using just a photo of her.

The security researcher known as Starbug, used publicly available software called VeriFinger with photos of the finger taken from different angles.

Starbug, whose real name is Jan Krissler, told attendees of the Chaos Computer Club’s (CCC) 31st annual congress in Hamburg, Germany, how he achieved the hack.

Mr Krissler obtained a high-resolution photograph of the politician’s thumb using a ‘standard photo camera’ during a press conference.

He also used other 'good quality' photos of the politician, taken from a variety of angles.

From these images, he reconstructed an accurate thumbprint using the VeriFinger software.

This software is good enough, according to CCC, to fool fingerprint security systems.

‘These fingerprints could be used for biometric authentication,’ it wrote in a blog post.

Hackers have previously demonstrated how easily fingerprints can be stolen from an individual who has touched a shiny surface, such as a smartphone screen,

But CCC said that with ‘this knowledge there will be no need to steal objects carrying the fingerprints anymore,’ meaning that people could potential steal someone's fingerprint identity from photos posed on social networks, for example.

Starbug said: ‘After this talk, politicians will presumably wear gloves when talking in public.’

One expert has recreated the fingerprints of Germany’s Minister of Defence, Ursula von der Leyen (stock image), using photos taken at a press conference. From these images, he reconstructed an accurate thumbprint using the VeriFinger software.This software is good enough to fool fingerprint security systems

A security researcher known as Starbug, used the publicly available software, plus a variety of photos of a finger taken from different angles to replicate the fingerprint. Starbug previously hacked Apple's iPhone 5S fingerprint sensor (pictured) just two days after the phone launched in 2013

In September 2013, hackers from CCC used a photograph of a fingerprint on a glass surface, scanned it and then used a laser printer to print it onto a transparent sheet.

They then poured latex milk or white wood glue into the print pattern created by the toner onto a transparent sheet.

Once the glue had dried, they peeled off the thin latex sheet and pressed it on the scanner of the iPhone to unlock the handset, which launches two days earlier. 

During the launch, Apple claimed the new iPhone with a fingerprint sensor was 'much more secure than previous fingerprint technology.'

At the time, Starbug said: 'As we have said now for more than years, fingerprints should not be used to secure anything. 

'You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints.'

CCC first published the steps taken to bypass fingerprint scanners in 2004 and they claim that it uses everyday household items - meaning anyone can do it.

• SHARE PICTURE
 
 
 
 
 

In September 2013, hackers from CCC used a photograph of a fingerprint on a glass surface, scanned it and then used a laser printer to print it onto a transparent sheet to make a new print using wood glue. This technique relied on a print obtained from a glass surface (pictured) whereas the new one only needs photos

Security expert Graham Cluely said: 'It’s worth remembering that fingerprints are not secrets.

'You literally leave them lying around everywhere you go, and they could be picked up by others.

Relying on your fingerprints to secure a device may be okay for casual security – but you shouldn’t depend upon it if you have sensitive data you wish to protect.'

Read more:

• CCC | Fingerprint Biometrics hacked again

Security Impact of High Resolution Smartphone Cameras

Authors: 

Tobias Fiebig, Jan Krissler, and Ronny Hänsch, Berlin University of Technology

Open Access Content

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

Abstract: 

Nearly every modern mobile device includes two cameras. With advances in technology the resolution of these sensors has constantly increased. While this development provides great convenience for users, for example with video-telephony or as dedicated camera replacement, the security implications of including high resolution cameras on such devices has yet to be considered in greater detail. With this paper we demonstrate that an attacker may abuse the cameras in modern smartphones to extract valuable information from a victim. First, we consider exploiting a front-facing camera to capture a user’s keystrokes. By observing facial reflections, it is possible to capture user input with the camera. Subsequently, individual keystrokes can be extracted from the images acquired with the camera. Furthermore, we demonstrate that these cameras can be used by an attacker to extract and forge the fingerprints of a victim. This enables an attacker to perform a wide range of malicious actions, including authentication bypass on modern biometric systems and falsely implicating a person by planting fingerprints in a crime scene. Finally, we introduce several mitigation strategies for the identified threats.