Public photos: Hacker's newest choice

The findings of a member of the Chaos Computer Club (Europe’s version of the US’ Cult of the Dead Cow) could prove quite problematic for any biometric tech. The hacker simply used a picture of Ursula von der Leyen, Germany’s defense minister, taken at a press conference, to reproduce her fingerprints. He didn’t need a close-up macro of the minister’s hand.

He just needed an ordinary picture. This could be a serious breach in security if the German government is in the habit of using biometric access control systems.

Jan “Starbug” Krissler, the hacker in question, presented his discovery at the Chaos Communication Congress. He demonstrated how relatively easy it is to reproduce someone’s fingerprint. He took several pictures of von der Leyen’s thumb from various press conferences and rebuilt the print from them using the commercially available VeriFinger software. Next, he proceeded to produce a real-world dummy of the minister’s thumb. He printed a mask which he exposed early in order to create a negative of the print. Then he filled the negative with wood glue, thus creating a positive fingerprint.

When tested, this technique proved able to fool Apple’s TouchID. Should anything happen to the minister’s iPhone that results in Starbug finding it, von der Leyen could be in a lot of trouble.

Below, you can find the entire talk from the Chaos Communication Congress, in German. However, the PowerPoint presentation is fairly easy to follow.

Fingerprint recognition technology has flourished in the last decade, first introduced in laptops and most recently in the newest iPhones and the Galaxy S5.

The main issue is that fingerprint recognition is not as reliable as people might think. Quite often, fingerprint readers give false positives and false negatives, and multiple readings of the same print give different results. For biometrics and forensics, fingerprint recognition is a good option as opposed to having nothing at all. However, there is a very good reason why security and forensic companies and communities are distancing themselves more and more from fingerprints. The better, more reliable options are DNA sequencing for forensic identification and “living” biometrics (vein matching and gait analysis) for access control.

The reason why “living” biometrics are a far better choice is that, as the name implies, they do not work if the person is no longer breathing. In a similar fashion, vein matching does not function if the heart is no longer pumping. Vein matching identifies your blood’s hemoglobin flow, usually through your finger. In other words, a photo of someone’s finger is utterly useless in this case, and a criminal can’t chop off your finger in order to bypass the system. Japan and Poland have already integrated vein matching systems in some of their ATMs. Another interesting identification method is gait analysis, which identifies your walking pattern via step length, width and rotation of your joints. This method might sound ridiculous, but it is in fact very accurate, and it will make a thief’s job that much more difficult, for they will need to mimic your exact walking pattern in order to gain access.

If you are currently using fingerprint recognition software to keep your data safe, we recommend that you wear gloves in public from now on.