Biometric security is under the spotlight after a hacker claimed to have “cloned” the thumbprint of the German defence minister using nothing more than commercial software and a photograph.

The development, if proven, will worry experts already concerned at the security implications of using fingerprints for authentication purposes.

Cloned Fingerprint

The fingerprint claim was made by a member of the Chaos Computer Club (CCC) hacker network. According to the BBC, Jan Krissler said he replicated the fingerprint of German defence minister Ursula von der Leyen using high-resolution pictures taken with a “standard photo camera”.

A YouTube video of his demonstration (in German) is available here.

Krissler is also known as Starbug and was speaking at a convention for members of the CCC. He reportedly said he had no physical print from von der Leyen, but has suggested that “politicians will presumably wear gloves when talking in public” after hearing about his research.

It is not known at this stage if he managed to produce an exact replica of the German politician’s fingerprint.

Krissler claimed to have obtained a copy of von der Leyen’s fingerprint using a close-up photo of her thumb during a press conference. He also used other pictures taken at different angles to build up her fingerprint using software called VeriFinger.

Fingerprint identification is used as a security measure on a number of mobile handsets, but for years now experts have warned that fingerprints are not particularly secure.

Fingerprint Hacks

In September, for example, mobile security firm Lookout warned that the iPhone 6 could be hacked with a fake fingerprint.

Lookout revealed how a fingerprint of the phone user was first photographed from a glass surface at 2,400 dots per inch (dpi) resolution. The image was then tidied up, inverted and laser-printed at 1,200dpi onto a transparent sheet with a thick toner setting. Next, white wood glue was smeared into the pattern created by the toner on the sheet. Once set, the print was lifted from the sheet, breathed on to add some moisture, then placed onto the sensor to unlock the phone. Lookout’s recommendation is to introduce two-factor authentication.

And earlier in the year, ethical hackers showed how simple it was to bypass Samsung Galaxy S5 fingerprint authentication. The researchers from Security Research Labs (SRLabs) re-used a fingerprint mould from their exploitation of the Apple iPhone 5S in 2013, which required “no additional effort whatsoever”. The fake print was based on a camera phone photo “of an unprocessed latent print on a smartphone screen”.

“Biometrics that rely on static information like face recognition or fingerprints – it’s not trivial to forge them but most people have accepted that they are not a great form of security because they can be faked,” cybersecurity expert Prof Alan Woodward from Surrey University was quoted by the BBC as saying.

“People are starting to look for things where the biometric is alive – vein recognition in fingers, gait [body motion] analysis – they are also biometrics but they are chosen because the person has to be in possession of them and exhibiting them in real life,” he reportedly said.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long-standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
