Friday 19 August 2016

Touch ID hackers attempt to take things to next level, no need for physical fingerprint

Touch ID hackers attempt to take things to next level, no need for physical fingerprint



The hacker who successfully used a fingerprint captured from an iPhone to fool Touch ID now believes it may be possible to perform the same hack without needing access to a physical fingerprint.Speaking at this year’s Chaos Computer Club convention, Jan Krissler – who uses the alias Starbug – demonstrated how a fingerprint can be generated from a series of ordinary photographs of someone’s finger … 



VentureBeat reports that he demonstrated the capability by photographing the thumb of German Defense Minister Ursula von der Leyen, using this to generate a fingerprint …
Krissler said he used commercially available software calledVeriFinger to pull off the feat. The main source was a close-up picture of von der Leyen’s thumb, obtained during a news conference in October, along with photographs taken from different angles to get an image of the complete fingerprint.
It’s worth noting that at this point, Krissler has not yet demonstrated an ability to combine the two approaches by using a photographed fingerprint to fool Touch ID, and that even if he is able to do so, the attack method is non-trivial. Last year’s video demonstrating the approach showed that it required 30 hours of work to pull off the first time, and would likely take several hours subsequently.
As we noted last time, the hack requires a considerable amount of time, effort, skill and equipment, and is not something the average iPhone user need be too concerned about.
Tests performed using the hack showed that while it still worked on the iPhone 6, Apple had improvedboth the security and reliability of the sensor in the new models.

Jan Krissler World Famous Hackers Who Hack Fingerprint

Hackers can steal your fingerprint from a PHOTO: Copycat print could be used by criminals to fool security systems

Hackers have used photos to recreate the fingerprint (stock image) of a German politician
Hackers have used photos to recreate the fingerprint (stock image) of a German politician

Hackers have already proved they can bypass Apple's fingerprint scanner using a collection of household items to make a latex replica print.
And now, one expert has recreated the fingerprints of Germany’s Minister of Defence, Ursula von der Leyen, using just a photo of her.
The security researcher known as Starbug, used publicly available software called VeriFinger with photos of the finger taken from different angles.
Starbug, whose real name is Jan Krissler, told attendees of the Chaos Computer Club’s (CCC) 31st annual congress in Hamburg, Germany, how he achieved the hack.
Mr Krissler obtained a high-resolution photograph of the politician’s thumb using a ‘standard photo camera’ during a press conference.
He also used other 'good quality' photos of the politician, taken from a variety of angles.
From these images, he reconstructed an accurate thumbprint using the VeriFinger software.
This software is good enough, according to CCC, to fool fingerprint security systems.
‘These fingerprints could be used for biometric authentication,’ it wrote in a blog post.
Hackers have previously demonstrated how easily fingerprints can be stolen from an individual who has touched a shiny surface, such as a smartphone screen,
But CCC said that with ‘this knowledge there will be no need to steal objects carrying the fingerprints anymore,’ meaning that people could potential steal someone's fingerprint identity from photos posed on social networks, for example.
Starbug said: ‘After this talk, politicians will presumably wear gloves when talking in public.’
One expert has recreated the fingerprints of Germany’s Minister of Defence, Ursula von der Leyen (stock image), using photos taken at a press conference. From these images, he reconstructed an accurate thumbprint using the VeriFinger software.This software is good enough to fool fingerprint security systems
One expert has recreated the fingerprints of Germany’s Minister of Defence, Ursula von der Leyen (stock image), using photos taken at a press conference. From these images, he reconstructed an accurate thumbprint using the VeriFinger software.This software is good enough to fool fingerprint security systems

A security researcher known as Starbug, used the publicly available software, plus a variety of photos of a finger taken from different angles to replicate the fingerprint. Starbug previously hacked Apple's iPhone 5S fingerprint sensor (pictured) just two days after the phone launched in 2013
A security researcher known as Starbug, used the publicly available software, plus a variety of photos of a finger taken from different angles to replicate the fingerprint. Starbug previously hacked Apple's iPhone 5S fingerprint sensor (pictured) just two days after the phone launched in 2013
In September 2013, hackers from CCC used a photograph of a fingerprint on a glass surface, scanned it and then used a laser printer to print it onto a transparent sheet.

They then poured latex milk or white wood glue into the print pattern created by the toner onto a transparent sheet.

Once the glue had dried, they peeled off the thin latex sheet and pressed it on the scanner of the iPhone to unlock the handset, which launches two days earlier. 
During the launch, Apple claimed the new iPhone with a fingerprint sensor was 'much more secure than previous fingerprint technology.'
At the time, Starbug said: 'As we have said now for more than years, fingerprints should not be used to secure anything. 
'You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints.'
CCC first published the steps taken to bypass fingerprint scanners in 2004 and they claim that it uses everyday household items - meaning anyone can do it.

In September 2013, hackers from CCC used a photograph of a fingerprint on a glass surface, scanned it and then used a laser printer to print it onto a transparent sheet to make a new print using wood glue. This technique relied on a print obtained from a glass surface (pictured) whereas the new one only needs photos
In September 2013, hackers from CCC used a photograph of a fingerprint on a glass surface, scanned it and then used a laser printer to print it onto a transparent sheet to make a new print using wood glue. This technique relied on a print obtained from a glass surface (pictured) whereas the new one only needs photos

Security expert Graham Cluely said: 'It’s worth remembering that fingerprints are not secrets.
'You literally leave them lying around everywhere you go, and they could be picked up by others.
Relying on your fingerprints to secure a device may be okay for casual security – but you shouldn’t depend upon it if you have sensitive data you wish to protect.'

Read more:

Security Impact of High Resolution Smartphone Cameras

Authors: 
Tobias Fiebig, Jan Krissler, and Ronny Hänsch, Berlin University of Technology

Tobias Fiebig, Jan Krissler, and Ronny Hänsch, Berlin University of Technology

Open Access Content
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

Abstract: 
Nearly every modern mobile device includes two cameras. With advances in technology the resolution of these sensors has constantly increased. While this development provides great convenience for users, for example with video-telephony or as dedicated camera replacement, the security implications of including high resolution cameras on such devices has yet to be considered in greater detail. With this paper we demonstrate that an attacker may abuse the cameras in modern smartphones to extract valuable information from a victim. First, we consider exploiting a front-facing camera to capture a user’s keystrokes. By observing facial reflections, it is possible to capture user input with the camera. Subsequently, individual keystrokes can be extracted from the images acquired with the camera. Furthermore, we demonstrate that these cameras can be used by an attacker to extract and forge the fingerprints of a victim. This enables an attacker to perform a wide range of malicious actions, including authentication bypass on modern biometric systems and falsely implicating a person by planting fingerprints in a crime scene. Finally, we introduce several mitigation strategies for the identified threats.