Politician’s fingerprint reproduced using photos of her hands
At a Chaos Computer Club convention, hacker Starbug suggests notable people wear gloves.
Last week at a Chaos Computer Club (CCC) convention in Hamburg, Germany, German hacker Starbug claimed he had reproduced a fingerprint belonging to German Defense Minister Ursula von der Leyen using nothing but some commercially available software and a number of high-resolution photos of her hand.
Starbug, whose real name is Jan Krissler, said that he used a close-up photo of von der Leyen’s thumb that was taken with a “standard photo camera” at a press conference from a distance of three meters (about 10 feet). He also used several other pictures of her thumb which had been taken from different angles at different times. Then, according to VentureBeat, Starbug used a program called Verifinger to recreate the print.
Fingerprint readers like those that are commonly found on more recent iPhone models have been hacked in the past. Starbug himself is famous for circumventing Apple’s Touch ID in just 48 hours—and he spoke to Ars about the feat at length in an interview. But recreating a fingerprint with just a photo takes a well-known hack a step further. On CCC’s website, the group described the conclusions of Starbug’s most recent hack: “In the past years, it was successfully demonstrated a number of times how easily fingerprints can be stolen from [their] owner if a person touched any object with a polished surface (like glass or a smartphone)… With this knowledge [of recreating fingerprints from photos] there will be no need to steal objects carrying the fingerprints anymore.”
“Politicians will presumably wear gloves when talking in public,” Starbug told the audience, according to the BBC.
Fingerprints have been favored in the past as biometric identifiers, but because fingerprints can be reproduced, some security experts have recommended biometric keys that are less dependent on a single aspect of a person’s body. For example, earlier this month researchers were able to identify people using only video shot from a camera on a fixed point on their body by recreating defining characteristics of the target person’s gait. Vein pattern analysis is also considered a potential way to identify a person without leaning on an outwardly identifiable physical trait.
Even if these more complicated biometric keys were more widely implemented, it’s uncertain whether they would be protected from the reach of the law. Earlier this year, a Virginia Circuit Court judge ruled that police can make a suspect unlock his or her phone with only a fingerprint, whereas forcing someone to unlock a phone with a passcode is a violation of the Fifth Amendment. As Ars’ sister site Wired explained some months ago, “A communication is ‘testimonial’ only when it reveals the contents of your mind. We can’t invoke the privilege against self-incrimination to prevent the government from collecting biometrics like fingerprints, DNA samples, or voice exemplars. Why? Because the courts have decided that this evidence doesn’t reveal anything you know. It’s not testimonial.”