A Photograph Can Help Fool Your Phone’s Fingerprint Sensor

Well, several photographs, really
German security expert Jan Krissler demonstrates creating a fake fingerprint at the 31st annual Chaos Computer Club meeting.

We already knew it was possible to trick a fingerprint sensor — such as the Touch ID system on the iPhone — into believing that you’re the owner of said phone. Now, a German hacker has shown that it’s possible to acquire a fingerprint simply from a photograph of the digit in question.

Presenting at the 31st Chaos Communication Congress (31C3) in Hamburg, Germany, the annual conference of the Chaos Computer Club, Jan “Starbug” Krissler demonstrated how he created a fake fingerprint of the country’s Minister of Defense, Ursula von der Leyen, using high-quality photographs taken at a press conference and VeriFinger, a commercial fingerprint-recognition software development kit that is normally used to build the matching software behind fingerprint scanners.

Previous hacks of fingerprint sensors have generally required either access to the finger itself, or the ability to lift a latent print from a surface such as a glass. That means Mission Impossible or James Bond-style shenanigans, or actually being acquainted with the person you’re trying to hack (in which case there are probably easier ways to get into their phone).

However, if you’re rushing off to disable fingerprint authentication on your smartphone, you might want to wait a moment. Despite the impressive nature of Krissler’s feat, there are a few caveats. For one thing, reconstructing the whole fingerprint took several photographs of von der Leyen taken from different angles.

For another, the chance of this vulnerability affecting the average user is low; this is mainly a risk for high-profile people who are being actively targeted. And while Krissler suggested that his research might prompt politicians and public figures to wear gloves when making appearances (shades of the Victorian era!), this hardly presents a clear and present danger to biometric security. It is, though, a reminder that a fingerprint is not a secret: you leave copies of it on everything you touch, and unlike a password it cannot be changed once it has been copied. Fingerprint identification simply remains a more convenient way to secure one’s data than, say, a lengthy and obscure password, which many people can’t remember and so end up writing down somewhere.

Plus, an attacker still needs physical access to the target’s smartphone for the fake print to be of any use. (The original talk was given in German, so it is unclear precisely how Krissler verified that his fake fingerprint matched the original; presumably von der Leyen did not lend her phone to the experiment.)

Of course, one would hope that people at risk of being targeted, such as Germany’s defense minister, would employ more significant security measures—such as multiple authentication factors—to secure any truly sensitive data. Then again, maybe investing in a glove-making company isn’t such a bad idea.