Security researcher and self-described “hacker” Jan Krissler has demonstrated
that all one might need to beat a device’s fingerprint sensor, like the
one found in the iPhone 6, is access to photographs of a subject.
Krissler, who is known online as “starbug,” presented his findings to the Chaos Computer Club’s annual hacker meeting this weekend.
Krissler photographed Germany’s Federal Minister
of Defense Ursula von der Leyen during a public presentation in October.
Combining high-resolution images he took as she moved her hands during
the event, including a close-up of von der Leyen’s thumb, Krissler was
able to develop a copy of her fingerprints. The hacker claims that he
could then use his own copy to break into any of her accounts protected
by her fingerprints, including the biometric scanners found on high-end
smartphones like Apple’s iPhone and the Samsung Galaxy S5.
Krissler has previously shown how the iPhone fingerprint scanner, which Apple calls TouchID, could be duped with a copy of someone’s fingerprints.
Apple first introduced TouchID as a way to unlock
its iPhone 5S but, with the introduction of Apple Pay, it now uses the
fingerprint sensor to allow users to make credit card payments at
thousands of retailers. While a copy of the German defense minister’s
prints might reveal a chink in the armor of fingerprint readers as a
verification method, to put them to use, Krissler would also have to gain
access to one of her devices.
Krissler claimed that “politicians will presumably
wear gloves” following his presentation. Experts say that fingerprint
readers are imperfect security measures, and companies are already
looking toward more effective forms of biometric protection.
"Biometrics that rely on static information like
face recognition or fingerprints - it's not trivial to forge them but
most people have accepted that they are not a great form of security
because they can be faked," Alan Woodward, a cybersecurity expert from
Surrey University, told the BBC.
"People are starting to look for things where the biometric is alive -
vein recognition in fingers [for example] are also biometrics but they
are chosen because the person has to be in possession of them and
exhibiting them in real life."
New biometric scanners capable of reading the
veins inside a person’s finger have been installed at Barclays banks in
the UK, as well as at ATMs throughout Japan and Poland.