Hacking

SPOTLIGHT ON SECURITY

Fingerprint Theft Just a Shutter Click Away

Ever since smartphone makers started incorporating fingerprint scanners as a means of unlocking mobile phones, the Chaos Computer Club has attacked the technology with vigor.

Not long after Apple added Touch ID to its iPhones, the German hackers demonstrated how to lift prints from a surface and create a flexible pad containing the print that could be used to break into a phone.

Now the CCC hacker known as “Starbug” has used digital photography to perform the same trick without lifting any prints at all. At a recent cybersecurity conference, Starbug demonstrated how he created the thumb print of German Minister of Defense Ursula von der Leyen from several news photos.

“After this talk, politicians will presumably wear gloves when talking in public,” Starbug said.

The process takes some effort. After finding some high-resolution photos, the fingerprint needs to be outlined on tracing paper, copied onto a plastic board, covered with graphite, then coated with wood glue to create the pad containing the print. The materials to perform the operation can be assembled for about US$200.

‘Holy Cow’ Moment

While Starbug may have created something that looks like the defense minister’s fingerprint, one expert questioned other claims made by the hacker.

“If he can take that fingerprint to a scanner at the Ministry of Defense and make that scanner think he’s the minister of defense, then he has done something, but I don’t believe he’s done that,” said Chace Hatcher, CEO of Diamond Fortress.

“The Chaos Computer Club is suffering from what it accuses the biometric industry of suffering from: hyperbole,” he told TechNewsWorld.

“The Chaos Computer Club is pointing out weaknesses in the system, and that’s a necessary and admirable thing, but this isn’t the ‘Holy Cow’ moment Starbug purports it to be,” Hatcher said. “The idea that public officials are going to start wearing gloves because of this is ludicrous.”

Fingerprints From Selfies?

Given the number of selfies posted to the Internet every day, should we start worrying about hackers lifting our fingerprints from those images?

“Most ordinary photographs are not high-resolution enough to detect all the necessary ridges in a fingerprint,” said Harry Sverdlove, CTO of Bit9 + Carbon Black.

Even if a high-resolution photo were posted to a social media site, it’s unlikely it could be used for capturing fingerprints.

“When posted online on social media sites, images are typically compressed or reduced in quality,” Sverdlove told TechNewsWorld.

Social media is better used to make educated guesses about a person’s security questions than for capturing their fingerprints, he observed.

“Biometrics is a nice additional layer to other security measures like passwords and smart cards, but it has its limitations,” added Sverdlove. “Not only can things like fingerprint and facial recognition sensors be fooled, but unlike other forms of security, biometrics cannot be easily changed. A person cannot easily change his or her fingerprint.”

Notching Up Creepy

Biometrics should not be used alone to authenticate a person’s identity, said Catherine Pearce, a security consultant with Neohapsis.

“This is especially true if it is also the means of identification,” she told TechNewsWorld.

“Each time you use a password, it becomes a little less secret and a little less secure,” said Pearce. “Fingerprints now also become less secure over time, but we can’t change them. This is why most biometric systems are multiple factor, such as a password and a fingerprint, because at least you can change a password if it becomes compromised.”

Lifting fingerprints from a surface and using them to defeat scanners is creepy, but Starbug has taken that creepiness to another level, in Pearce’s view.

“The fact that this attack is able to be done with no direct contact makes it scarier,” she said.

“Previously, the concern has been for things we touch,” Pearce noted, “but now it’s anyone within enough distance to photograph us that can become a threat.”

Breach Diary

  • Dec. 28. Chaos Computer Club demonstrates how to create fingerprints from high-resolution photos of any person.
  • Dec. 29. National Credit Union Association Inspector General James Hagen announces audit of agency following theft from one of its examiners of a thumb drive containing information on members of the Palm Springs Federal Credit Union.
  • Dec. 29. Experian, in its Second Annual Data Breach Industry Forecast, predicts data breaches will cost the healthcare industry $5.6 billion in 2015.
  • Jan. 1. In wake of DDoS attack on PlayStation Network, Sony offers members free membership extension of five days, and one-time 10 percent discount on a cart purchase from the PlayStation Store.
  • Jan. 1. Yomiuri Shimbun, citing confidential sources, reports that 99 percent of 650,000 bitcoins stolen from Mt. Gox exchange could be attributed to internal system manipulation and not external attack.
  • Jan. 2. Chick-fil-A alerts customers it is investigating possible data breach at several of its restaurants. If a data breach has occurred, it said, fraudulent charges will be picked up by the banks issuing the payment cards involved or by the fast food retailer. Free identity theft protection also will be provided to any affected customers, it added.

Upcoming Security Events

  • Jan. 19. B-Sides Columbus. Doctors Hospital West, 5100 W Broad St., Columbus, Ohio. Fee: $20.
  • Feb. 4-5. Suits and Spooks. The Ritz-Carlton, Pentagon City, 1250 South Hayes Street, Arlington, Virginia. Registration: $675.
  • Feb. 6-7. B-Sides Huntsville. Dynetics, 1004 Explorer Blvd., Huntsville, Alabama. Free.
  • Feb. 10-12. International Disaster Conference and Exposition (IDCE). Ernest N. Morial Convention Center, New Orleans. Registration: government, nonprofit, academia, $150; private sector, $450.
  • Feb. 11. SecureWorld Charlotte. Harris Conference Center, Charlotte, North Carolina. Open sessions pass: $25; conference pass: $165; SecureWorld plus training: $545.
  • Feb. 19. Third Annual 2015 PHI Protection Network Conference. The DoubleTree – Anaheim-Orange County, 100 The City Drive, Orange, California. Registration: before Jan. 2, $199; after Jan. 1, $249.
  • Feb. 21. B-Sides Tampa. The Museum of Science and Industry, 4801 E. Fowler Ave., Tampa, Florida. Free.
  • Feb. 21. B-Sides Indianapolis. DeveloperTown5255 Winthrop Ave., Indianapolis, Indiana. Fee: $10.
  • March 4-5. SecureWorld Boston. Hynes Convention Center. Open sessions pass: $25; conference pass: $175; SecureWorld plus training: $545.
  • March 18-19. SecureWorld Philadelphia. DoubleTree by Hilton Hotel, Valley Forge, Pennsylvania. Open sessions pass: $25; conference pass: $295; SecureWorld plus training: $695.
  • March 24-27. Black Hat Asia 2015. Marina Bay Sands, Singapore. Registration: before Jan. 24, $999; before March 21, $1,200; after March 20, $1,400.
  • April 20-24. RSA USA 2015. Moscone Center, San Francisco. Registration: before March 21, $1,895; after March 20, $2,295; after April 17, $2,595.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Hacking

Technewsworld Channels