back to article German minister fingered as hacker 'steals' her thumbprint from a PHOTO

Security researchers claimed to have cloned the thumbprint of the German Defense Minister by photographing her hand at a press conference. In a presentation at the annual Chaos Computer Club hacker gathering in Hamburg, Germany, biometrics specialist Jan Krisller – known in the community as "Starbug" – explained how he'd taken …

  1. Anonymous Coward
    Anonymous Coward

    In the 1990's

    I worked someplace that shall remain nameless that basically demonstrated this to collect fingerprints off objects from across the room. The limiting issue one has to deal with isn't image resolution nor whether the surface is normal to the field of view or whether it's curved. The issue is contrast.

  2. Anonymous Coward
    Anonymous Coward

    Real Security systems

    that use a fingerprint reader are also looking for a heartbeat and finger temperature to prevent the "gummybear" attack. Retina Scanners have nothing to do with the Iris, it is all about the pattern of live blood vessels in the RETINA. This methodology is almost impossible to fool. Custom contact lenses with a good representation of the IRIS will fool many iris scanners.

    The fingerprint "reader" in ANY phone (and most PC's) does NOT offer ANY "Real Security". A strong password is more "secure".

    1. Anonymous Coward
      Anonymous Coward

      Re: Real Security systems

      Those are still easy to fool. Instead of using a gummy bear you use a very thin sheet of flexible material that is affixed to a living thumb. Presto, pulse and temperature present and it wouldn't even look strange to someone who saw you since you'd put your thumb in the reader normally. Alternatively, it wouldn't be difficult to heat up a gummi bear and add a slight pulse to it.

      Fingerprints are simply not something anyone should trust for a "Real" security system. A scanner that detects the live blood vessels in the eye would be harder to fool, well above the casual attacker, but this data is on file for anyone who visits an optometrist for yearly eye exams. For the less than casual attacker, breaking into your doctor's office and getting this information to allow them to build a false eye is doable if the secrets your eye unlocks were valuable enough.

      In order to make biometrics secure, you need a couple guards on hand to check ID (and hopefully recognize you) and make sure you look into the scanner with your actual eye.

      1. Dan Paul

        Re: Real Security systems

        Most of the time this is really about the "casual" attacker who does not have the resources to obtain your optometrists info. Fingerprints are somewhat secure if combined with a second factor like a strong password. However, the cheap fingerprint readers that are provided by typical phone and computer manufacturers are completely insufficient. "Secure" fingerprint readers are very expensive. You got exactly what you didn't pay for.

        Few if any are going to try to make a fake eye and present it to a retina scanner. Most of the good retina scanners out there are looking for a living retina with the same pulse and temperature that a good fingerprint reader will look for.

        Both technologies are evolving and will only get better. But the fact remains that a fingerprint reader alone is not a panacea to the security problem

      2. Michael Wojcik Silver badge

        Re: Real Security systems

        In order to make biometrics secure

        Nothing makes biometrics "secure", because security isn't an absolute condition; it's always relative, and then only within the framework of a threat model.

        And some of the security problems with biometrics are essential. Employing part of a user's body as a key has some really bad failure modes.

    2. The Axe

      Re: Real Security systems

      As you say, a phone's reader is not secure - Apple's broken with a silicone mould and graphite as shown here -> https://www.youtube.com/watch?v=2u4ZLGsw1zo

      1. Mike Bell

        Re: Real Security systems

        Any security system can be circumvented with enough determination and effort. Beating the PIN out of a victim is a darned sight easier than fabricating a false fingerprint. I've not heard of a single instance where Apple's fingerprint reader has been put to criminal use, probably for this reason.

        1. asdf

          Re: Real Security systems

          >Beating the PIN out of a victim

          Except for the fact most cell phones are left behind/stolen with the owner no where to be found. Also generally there is less jail time for nicking a handy and even committing fraud than kidnapping and assault.

        2. cortland

          Re: Real Security systems

          "... the Obama administration report showed that federal government agencies spent $10 billion on information security. The biggest culprits, experts say, are human error and a patchwork of different systems. Billions of dollars in security can't stop an employee from clicking a malicious link."

          http://www.cnn.com/2014/12/19/politics/government-hacks-and-security-breaches-skyrocket/

          Note also, that it's easier to buy, bribe, blackmail (e.g.: honeypot) convince or turn an operator than electronically intercept his work. Nothing fancy about the Snowden etc capers.

          See http://en.wikipedia.org/wiki/List_of_American_spies#Americans_who_spied_for_foreign_countries

    3. Doctor_Wibble

      Re: Real Security systems

      > Retina Scanners have nothing to do with the Iris, it is all about the pattern of live blood vessels in the RETINA.

      The difference between the two is nigh-on impossible to get across to the public - this is an old problem, recalling the multi-forwarding of the hideously incorrect "scan of the back of your eye" email 10+ years ago which still makes me cringe to see because the whole point of having a researcher is that you ask them to check your facts instead of giving your opponent an easy opportunity to dismiss your argument as poorly-informed.

      I have calmed down a lot more recently so the sight of it no longer induces a 'qwerty forehead'.

  3. LDS Silver badge
    Joke

    Hope this doesn't lead to...

    ..devices requiring you to use body parts not commonly shown to the public to get access....

    1. Anonymous Coward
      Anonymous Coward

      Re: Hope this doesn't lead to...

      Leading to many millennials getting rejected for a security clearance down the road because their 'privates' were made public on Snapchat at age 16...

    2. LoPath

      Re: Hope this doesn't lead to...

      Bring in Beulah Balbricker. "That tallywhacker had a mole on it. And that mole is the key to it."

    3. Frankee Llonnygog

      Re: Hope this doesn't lead to...

      Our office already does that. We all have a buttock-scan every Xmas

    4. RISC OS

      Re: Hope this doesn't lead to...

      It needs to be 2 factor... so you fingerprints will need to be found on your body part

  4. Paul J Turner
    Thumb Up

    Now is the time...

    to buy shares in glove companies.

  5. Oldfogey

    Surely......

    ...... the best way to prevent your prints being copied would be to wear false latex fingerprints over your real ones - system recognition of the falsies to trigger an alarm!

    1. RISC OS

      Re: Surely......

      What alll the time? Ad maybe wear a fat suit and a mask so people can't recognise you in photos too

  6. Anonymous Coward
    Headmaster

    nit-picking time...

    ...in British English, it's spelled "defence". Note the 'c'.

    1. Robert Helpmann??
      Childcatcher

      Re: nit-picking time...

      ...in British English, it's spelled "defence". Note the 'c'.

      As noted, the quibble is lousy. It is interesting to note that we Americans sided with the French on this word's spelling.

    2. Anonymous Coward
      Anonymous Coward

      Re: nit-picking time...

      Funny, it's spelled the same way in Ebonics.

  7. Frumious Bandersnatch

    "but you'll need to speak German to appreciate it."

    Why? Is it laced with specifically-Teutonic humour?

    (automatic translation does exist and is quite good these days)

    1. Christian Berger

      Re: "but you'll need to speak German to appreciate it."

      Plus there's a good chance this talk was live interpreted into English. Just check for any secondary audio tracks. (Yes at the CCC we are that nice :) )

    2. Anonymous Coward
      Anonymous Coward

      Re: "but you'll need to speak German to appreciate it."

      > Teutonic humour?

      That's no laughing matter, Sir.

      1. Anonymous Coward
        Anonymous Coward

        Re: "but you'll need to speak German to appreciate it."

        Right, they are not laughing.

    3. DavCrav Silver badge

      Re: "but you'll need to speak German to appreciate it."

      "(automatic translation does exist and is quite good these days)"

      I started writing that Google translate (as an example) isn't great, although it is much better than it was, but I tried it for the first time in a while on some German and you can get the drift most of the time. I took the first article from Der Spiegel, which is on Internet food delivery. The first two paragraphs are translated reasonably well, and the third is a bit more comedy:

      Sind diese Sorgen berechtigt oder sind die Lieferdienste eine gute Alternative zum stressigen Supermarktbesuch? Zehn SPIEGEL-ONLINE-Mitarbeiter haben im Selbstversuch jeweils einen Anbieter getestet und sich Waren nach Hause in die Stadt oder aufs Land liefern lassen. Dazu bekam jeder Tester denselben Einkaufszettel. Am Ende haben wir die Online-Lieferdienste dann noch dem Offline-Vergleich unterzogen und einen Tester mit der Einkaufsliste zu Aldi geschickt.

      And its translation:

      Are these concerns justified or are the delivery services a good alternative to stressful supermarket visit? Ten SPIEGEL ONLINE employees each have tested a provider self-experimentation and have goods delivered to their homes in the city or the country. For this purpose, each probe was the same shopping list. In the end we have the online delivery then subjected to the offline comparison and sent a tester with the list of Aldi.

      Selbstversuch, which means self-experimentation, can also be translated, particularly here, as for ourselves.And so on.

    4. Irongut

      Re: "but you'll need to speak German to appreciate it."

      Automatic translation does exist but it is generally crap at dealing with even the basics of a technical subject, let alone this kind of text. I read a German motorsports site regularly and Google translate gets the order of words in the English translation wrong more often than not. Often it says the opposite of what the author meant. Fortunately I can usually tell by context when that happens and retranslate in my head.

      Then there are those long German compound nouns that Google just refuses to translate.

      Yup automatic translation does exist, but its crap.

  8. Anonymous Coward
    Anonymous Coward

    probably good enough

    to lay finger prints at a crime scene or over a set of chi|d p0rn photographs?

  9. willi0000000

    my laptop

    won't read my own prints about 70% of the time depending on the weather, the number of days since i used a hand cream, sunspots or the machines mood (usually bad) . . . i just use a sufficiently strong password so i won't remember it two days later . . . necessitating a half-hour session trying to get the never to be sufficiently damned thing to work.

    [i think it never actually reads anything, it just gets tired of the joke and lets me in out of pity]

  10. Robin Bradshaw

    English translation here

    You can watch the talk with an English audio translation here:

    The folks who do the videos at the CCC are awesome :)

    https://www.youtube.com/watch?v=VVxL9ymiyAU

  11. Anonymous Coward
    Anonymous Coward

    So how does he know that it's really like hers? Has he tested it? Can he use it access something that requires her fingerprint?

    1. D@v3

      useable print

      I did wonder that myself.

      The article states "was able to use to unlock an iPhone", but then goes on to say

      "The key question, however, is whether the thumbprint matches Minister von der Leyen's actual digit – and she's unlikely to offer herself up to check."

      Which leads me to believe (perhaps incorrectly) that to test it, he used the fake print to set the touchID pattern on his phone, and to also unlock it 'proving' it works, or (very unlikely) that he asked her if he could borrow her phone for a few seconds.

      Which (to me at least) only proves that he was able to fabricate a pattern that would be accepted by the sensor, when placed over a finger (to provide the previously mentioned heat/pulse), not, that he has been able to clone someone's prints from a photo.

    2. David Pollard
      Pint

      Maybe they did tests

      Given the thoroughness with which the CCC approaches these issues I imagine that they did various tests with their own 'phones and prints to discover how effective the technique is. Pint for good effort all round, including their video mentioned above.

  12. Slap

    Teutonic humour

    F: Warum gibt es keine Apotheken im Dschungel?

    A: Weil es gibt keine Leute da, nur Affen, und Affen haben kein Geld um Medikamente zu kaufen. Deshalb macht es keinen geschäftliches Sinn ein Apotheke dort zu öffnen.

    Grammatical errors aside, my compatriots are aside themselves laughing themselves silly with this one.

    Who says us Brits can't get German humour.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021