X

Hacker claims you can steal fingerprints with only a camera

Previous attempts to copy fingerprints required specialized tools and the fingerprint itself.

Seth Rosenblatt Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.
Seth Rosenblatt
3 min read

fingerprint-photograph-chaos-computer-club.png
In a YouTube video, Jan Krissler of the Chaos Computer Club demonstrates how he faked a fingerprint with just a digital camera and software. Screenshot by Seth Rosenblatt/CNET

One hacker says he has developed a way to copy fingerprints using a common digital camera.

Jan Krissler, a member of Europe's oldest hacker collective, the Chaos Computer Club, said he accomplished such a feat at the Chaos Computer Conference on Saturday. His demonstration included creating, he claims, a digital copy of a fingerprint of Germany's federal minister of defense, Ursula von der Leyen, using commercially available software called VeriFinger.

He said he had a photographer snap high-resolution photos of von der Leyen's fingers while she was at a presentation in October -- standing nine feet away from the official. Krissler said he wasn't able to verify von der Leyen's fingerprint was accurate, but he was still confident it was a workable copy. "I have tried it with my own finger under similar circumstances (same camera, same distance)" he said in a statement to CNET.

Von der Leyen's office declined to comment. A representative said she was unaware of the demonstration.

Krissler's presentation potentially calls into question the efficacy of fingerprint scanners as a security measure. While they have been around since the 1990s in consumer technology, it was Apple's move to include a fingerprint reader, which it calls Touch ID, into the iPhone 5S that revitalized the idea of using biometric readers. Samsung and HTC quickly followed by adding fingerprint readers in select smartphones. The reader replaces the need to enter a code to unlock a device or, in the case of mobile-payments system Apple Pay, verify a purchase.

While several hackers demonstrated the susceptibility of fingerprint readers to faked fingerprints soon after Touch ID's launch, those techniques always have required physical access to the fingerprint -- until now.

Apple and Synaptics, which makes fingerprint readers used by Samsung and other hardware manufacturers for smartphones and laptops, were not available for comment.

This isn't Krissler's first tangle with fingerprints. He was one of the first to demonstrate how to fake a fingerprint with wood glue to fool the iPhone 5S. "We hope that this finally puts to rest the illusions people have about fingerprint biometrics," Chaos Computer Club spokesperson Frank Rieger said in a statement at the time. "It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token."

Since then, researchers have shown that Apple has not fixed the vulnerability to faked fingerprints used on the iPhone 6 or 6 Plus.

On the other hand, having access to a fingerprint does not immediately make a device vulnerable. Phones and tablets secured by fingerprint readers still require physical access to the device to be unlocked, and at least on iPhones with Touch ID, after two days of non-use the phone will require the owner to enter the passcode to unlock the device -- not just the fingerprint, according to CNET Reviews.

"After this talk, politicians will presumably wear gloves when talking in public," Krissler said in a public statement.

Update at 3:36 p.m. PT to clarify a photographer took the photos for Krissler.