Hacker Jan Krissler, aka “Starbug,” this weekend told attendees at the 31st Chaos Computer Club convention in Hamburg, Germany, that he had replicated the fingerprints of German Defense Minister Ursula von der Leven using a standard photo camera and commercially available software from VeriFinger.
Krissler used a close-up of a photo of the minister’s thumb and other pictures taken at different angles during a press event in October.
“This is a result of the proliferation of high-resolution digital cameras, which can now capture the needed details to fool scanners,” said Rob Enderle, principal analyst at the Enderle Group.
“It showcases a vulnerability that the industry will need to address,” he told TechNewsWorld. “Typically this involves adding a sensor that can read live tissue or looks for a heartbeat.”
The Threat of VeriFinger
VeriFinger is tolerant to fingerprint translation, rotation and deformation, meaning that it can get around the limitations of partial shots of a finger among other things.
It matches flat-to-rolled, flat-to-flat, or rolled-to-rolled fingerprints reliably and accurately.
VeriFinger’s algorithm can identify fingerprints even if they are rotated, translated, deformed or have only 5-7 similar minutiae, as compared to the 20-40 similar minutiae shown by each finger.
The software’s adaptive image filtration algorithm eliminates noises, ridge ruptures and stuck ridges, even from poor-quality fingerprints.
VeriFinger is available as an SDK for developing standalone and Web-based solutions for the Windows, Linux, OS X and Android platforms.
Observations About the Hack
Biometrics relies on many assumptions, but the key ones, said Neohapsis security consultant Catherine Pearce, are these: that the thing being measured cannot be changed; that what’s being measured is a genuine attribute; and, in more secure systems, that the thing being measured is alive.
Krissler’s attack “relies on the fact that fingerprints are fixed, and breaks the last two measurements,” she told TechNewsWorld.
People leave traces of their fingerprints everywhere in the course of each day, and “previously the concern was for things we touch,” Pearce observed, “but now it’s anyone [close enough] to photograph us that can become a threat — even many years later.”
Attacks can build composite fingerprint images from a series of partial ones over a long time, Pearce pointed out. “The fact that this attack [can] be done with no direct contact and without [the attacker] necessarily having to seek out the fingerprint personally makes it scarier.”
Biometric Security Overhyped
This is not the first time hackers have defeated fingerprint authentication, at least in mobile phones.
Members of the Chaos Club hacked the iPhone 6’s Touch ID fingerprint scanner shortly after the device’s September launch.
Researchers at Security Research Labs in April bypassed the fingerprint authentication on the Samsung Galaxy S5.
In both cases, a physical copy of the user’s fingerprint was made using glue and other materials.
These concerns aren’t new. The United States National Research Council in 2010 issued a warning that biometric systems needed more work.
Krissler’s attack “highlights a key thing about biometrics — to a computer, everything is data,” Neohapsis’ Pearce remarked. “Those who control the data going into the machine will control how it perceives the world.”
The Gentle Art of Biometric Self-Defense
Biometric authentication systems typically are part of a multifactor approach that may include smartcards, passwords, personal identification numbers (PINs), RSA tokens, or cellphones in combination with a biometric scanner.
Organizations using fingerprint scanning need to ensure the multifactor approach and rotate the fingers used for identification to make it more difficult for hackers, Enderle suggested.
“Also, make sure failed scans are reported,” he said, “so a hack in progress can be identified and the fingerprint invalidated.”