Hacker Exposes Flaw in Fingerprint Security Systems

Brandon Dimmel's picture

To many, the use of fingerprint readers as a way of password protection may represent the future of high-tech security. But a hacker has recently demonstrated that it's really not that difficult to bypass the security system -- all it takes, in fact, is a high-quality digital image.

There's no denying that fingerprint passwords are becoming more and more common. They can be used to access PCs and thumb drives, but are becoming most prevalent in the smartphone world, where a quick dab of the finger gives one access to their mobile device.

It seems like the perfect security system; after all, every fingerprint is different. It also takes a whole lot less time to simply touch a screen to gain access to a system, rather than enter a long and complicated passcode comprised of letters, numbers, and symbols.

Hacker Obtains Government Official's Biometric Data

But Germany-based hacker group The Chaos Computer Club has now revealed that there's an easy way to get around fingerprint protection. At last weekend's Chaos Communication Congress, Jan Krissler (known online as 'Starbug') took attendants through the process of copying the fingerprints of Ursula von der Leyen, Germany's Minister of Defense.

Krissler simply photographed the minister while she gave a speech. Using zoom technology, Krissler was able to capture images of the minister's fingerprints, which he then analyzed to gather her biometric data. Krissler says he could use this data to gain access to any device protected using the minister's own fingerprints.

"After this [demonstration], politicians will presumably wear gloves when talking in public," Krissler chuckled. (Source: pcmag.com)

Hack Casts Doubt On Fingerprint Protection

The good news is that such a hack cannot take place by remote. In other words, hackers would need access to a physical device intended to hack. But it is proof that fingerprint protection -- like the system used by the widely popular Apple iPhone 5S and Samsung Galaxy S5 -- is hardly the future of tech security. "This demonstrates ... that fingerprint biometrics is unsuitable as [an] access control method and should be avoided," the Chaos Computer Club said.

An alternative to fingerprint protection may be finger vein recognition, a system introduced by United Kingdom-based Barclays bank in September 2014. So far the system is only available to Barclays business customers, though cash machines in other parts of the world -- including Japan and Poland -- are currently testing the platform. (Source: bbc.com)

What's Your Opinion?

Do you use fingerprint protection, and if so, are you concerned about its ability to protect your data? Do you have a theory about the methods we will be using to protect our favorite devices in the future? Or do you think the old-fashioned passcode is here to stay?

Rate this article: 
Average: 5 (5 votes)

Comments

clay_3833's picture

This is a good reminder about being cautious and the method of obtaining the finger print was clever, but this is hardly "the sky is falling" news. Yes, if you have the finger print image you can get in, but finger print recognition is hugely more safe for the average user and I don't see anything about this that changes that.

Dennis Faas's picture

I've been using a fingerprint reader for a few years now (Eikon Solo) with my PC and it's a huge time saver - plus it integrates extremely well with Roboform which manages all my website passwords. The one I have requires you to glide the finger across two metal strips to complete a 'swipe', which is much different than the ones on smartphones.

I agree that the hack mentioned in the article is unlikely to take place, but it is still interesting, nonetheless. If they actually did manage to gain access to a secure system using a camera to lift the fingerprint, that might be a different story. But for now I think it's largely theoretical.

telfer_3851's picture

When I went to their site via Google, it showed they only support XP and Vista???

Dennis Faas's picture

When I purchased the Eikon Solo adapter it was $20 from Amazon. I believe that Upek was bought out by Authentec in 2010. You might want to search for another one as the ones listed on Amazon.com are way overpriced.

JeffRL's picture

If they can get an image of something as subtle as a fingerprint that way, I wonder what they could do with retinas, if not yet, then as a future development of their technique.

plamonica_3840's picture

The fingerprint system used on the iPhone is old tech at best and proven to be a poor implementation long ago. The scan is only as good as the number of contact points recorded. If you are only recording 4 points its easy to fake, record 40000 points and good luck, 4000000 and...well you see where this is going.

rcprimak's picture

Retina Scan technology has so far not been faked, but when they say "retina scan" most manufacturers are really using the much cheaper Iris Scan technology. Iris scanning is simply a method of taking a photo of the iris and comparing it point for point with a reference image. This can be faked by holding up a photograph of the real iris in front of the authenticating device, which then can't tell the difference with a real iris from the same person. Same issue as using images of fingerprints to fake out fingerprint readers. No real difference in security.

Real retina scanners are very expensive, and do rely on detecting the blood vessel patterns of live retinas. They are very difficult to fool, but there are problems. Most frequently, the reference images must be updated as people's retinas change over our lifetimes, through diseases and natural aging of the retinas over time.

One secure two-factor authentication scheme simply requires a cell phone for receiving a SMS message, or even a land-line phone for verifying an additional login PIN. Credit cards are now employing (as of late-2015 in the US) a chip technology to provide a unique per-transaction code which can't be cloned or skimmed. Also, USB FOBS like YubiKey are being tried out by Google and other sites to provide the second factor. YubiKey's firmware is secure and signed, and the FOB itself can be used to control physical device access or the log into secured accounts without the need to remember a password.

All of the above are only as secure as the databases within which the reference data are stored. If these databases aren't encrypted, hashed and salted, all the benefits of two-factor authentication are out the window. Recent data breaches reveal that there are still way too many site operators and businesses which do not adequately protect their own internal databases from hacking. Site, company and store operators are responsible for their own internal security, or else they may face lawsuits and other expenses related to ID theft. The Sony case points out that in addition to ordinary hacking, we must also take into consideration State-Sponsored cyber-attacks. This applies even to non-government companies and sites.

PINs and passwords aren't going away, but in combination with two-factor methods, authentication can be made more secure.

Some IT Guy's picture

IMHO, it is fine for the everyday user of technology. Most organized hacking criminals (emphasis on CRIMINALS) are going to go after high profile targets, like the example in the article. But for the average everyday use of computers, phones, tablets, etc., it is a useful tool for providing security to data. It is also only one layer of security, where most organizations would be better off having several types of cyber security in place.