11

It should be trivial to get fingerprint patterns for many of the most important people in the world, as they frequently (enough) wave their hand, palms forward, to many HD cameras. Is it possible to gather this information of fingertips to overcome fingerprint security systems?

I understand that fingerprint security systems would always use defense in depth strategies, but if peoples' fingerprints are so easy to obtain (by just analyzing their photographs), why respect them as secure in the first place?

nobody
  • 365
  • 1
  • 7
raindrop
  • 213
  • 2
  • 6
  • Hand-signed documents, water bottles, etc can be potential sources to get the finger print as well if photographs are a security risk. – AKS Nov 25 '14 at 19:03
  • 2
    Slightly on topic, I learned today another pecularity of the US legal system: If you secure your laptop with a password, they cannot legally force you to reveal the password, but if it is protected with a fingerprint sensor they can extract your fingerprint and legally use it to unlock ... (but maybe I should post this on sceptics.SE first) – Hagen von Eitzen Nov 25 '14 at 22:15
  • @HagenvonEitzen - That's correct. Your fingerprint is akin to a key in this instance, and it's something they collect as part of an arrest processing. That's why I require at least a password when it comes to encryption. – Logarr Nov 26 '14 at 07:46
  • I have a relatively cheap DSLR lens (Sigma 150-500mm) which can read a full hand print (palm+fingers) from 20+ metres away. You've just given me a neat idea, now to see if my brother has fingerprint unlock on his iPhone... – Mark K Cowan Nov 26 '14 at 11:49
  • 2
    Although this question was already answered I want to point out that the german hacker-club "Chaos Computer Club" managed to copy the fingerprint of the german politician "Ursula van der Leyen" by a photograph. It's just something I heard today, I can do some research if it still would interest you. – Sirac Dec 29 '14 at 02:58
  • @HagenvonEitzen: Passwords are considered "testimonial" and so protected by the U.S. Fifth Amendment only within the jurisdiction of the Eleventh U.S. Court of Appeals. In the rest of the U.S., one can still be ordered by a court to reveal or use a password, and one can be jailed for refusal to comply. It's too complex to explain fully in a comment, but eventually the U.S. Supreme Court will decide for the entire nation. – Bob Brown Dec 30 '14 at 18:28
  • Please read my answer on how it *is* possible to use photographs to copy fingerprints. – BlueCacti Jan 06 '15 at 10:11

5 Answers5

13

An excellent slideshow on this topic (in my opinion) is the one from Marc Rogers. Basically, he says the following:

  • Most fingerprint systems can be hacked
  • Fingerprint security provides convenient security, not military grade security

I also like the analogy in his explanation: Door locks have been defeated with increasing elaborate picking techniques as long as they have been around.... but we still use them. - Security DOESNT have to be perfect. - It just has to be ENOUGH.

Fingerprint manufacturers are constantly looking for mechanisms which can detect 'liveness'. See for example this research.

In an ideal situation, fingerprints should not be used as the only factor to authenticate someone, but they can be used to provide access in case the system is 'almost' certain it is you that wants to enter (e.g. because it recognizes your clothes, or because your voice sounds familiar). If the system is not certain at all, it must still fallback to a better security measure (such as a complex password).

Michael
  • 5,393
  • 2
  • 32
  • 57
9

No, I don't think photographs or HD camera footage of powerful people waving to cameras is a security flaw for several reasons:

  1. It's not trivial to get fingerprint patterns from HD cameras: it's highly unlikely that you could make a workable print from an HD camera. Even if the person in question held their finger up to the camera in perfect lighting conditions it would still be difficult to achieve
  2. Fingerprint technology is unlikely to be relevant to the most important people in the world: I highly doubt that anyone of that level of importance or power ever needs to open a door for themselves, let alone use a fingerprint reader.
  3. Even if they do use fingerprint readers an attacker is unlikely to be able to access them. If it's important enough to have a fingerprint reader that a world leader uses it's going to be pretty well protected
GdD
  • 17,291
  • 2
  • 41
  • 63
  • 4
    The points 2 and 3 might be relevant to non-political celebrities who [also have data to protect from unauthorized access](https://en.wikipedia.org/wiki/2014_celebrity_photo_leaks). – Philipp Nov 25 '14 at 17:04
  • 1
    If you have a device with a fingerprint reader it is likely that you could lift their print from the device. No need for photography :) – JamesRyan Nov 26 '14 at 12:12
  • 1
    True, or you get a coke can or glass that's been touched. – GdD Nov 26 '14 at 12:21
  • "I highly doubt that anyone of that level of importance or power ever needs to open a door for themselves, let alone use a fingerprint reader." You're probably right about fingerprint readers but even famous people have to go to the bathroom. – David Richerby Nov 26 '14 at 12:39
  • @DavidRicherby or at least getting out of it :) – Samuel Nov 26 '14 at 12:39
  • @DavidRicherby, what bathroom requires fingerprint reader access? Not a reader I'd want to use! – GdD Nov 26 '14 at 12:51
  • @GdD You claim that somebody as important as a world leader would never even have to open a door for themselves. Going to the bathroom shows that this is false. – David Richerby Nov 26 '14 at 18:48
  • @DavidRicherby Kim Jung Un doesn't go to the bathroom. –  Dec 30 '14 at 20:04
2

Yes

Appearantly, it IS possible to duplicate fingerprints from a photograph.
This is done by combining different photographs taken in different angles. The tool to do this, can be found online, so are the photographs (think of photographs taken by the press at a conference).

Whether this is enough to pose a risk, is a different question.
As others mentioned before, only using a fingerprint scanner without any other security check (code, password/-phrase, retina scan, ...) is what creates the actual risk.

A member of Europe's oldest hacker collective, the Chaos Computer Club (CCC), claimed to have cloned a fingerprint of a Germany's federal minister of defense, Ursula von der Leyen, using pictures taken with a "standard photo camera" at a news conference

At the 31st annual Chaos Computer Conference in Hamburg Germany this weekend, biometrics researcher Starbug, whose real name is Jan Krissler, explained that he used a close-up photo of Ms von der Leyen's thumb that was taken with a "standard photo camera" at a presentation in October -- standing nine feet (3 meters) away from the official. He also used several other pictures of her thumb taken at different angles.

Starbug then used a publicly available software program called VeriFinger with photos of the finger taken from different angles to recreate an accurate thumbprint. According to CCC, this software is good enough to fool fingerprint security systems.

Sources:
http://thehackernews.com/2014/12/hacker-clone-fingerprint-scanner.html
http://www.ccc.de/en/updates/2014/ursel

BlueCacti
  • 950
  • 7
  • 10
  • This question answer thread is a perfect example of people who claim to speak with authority about things they know nothing about (until someone comes around and actually offers conclusive proofs). +1 to you. –  Dec 30 '14 at 20:04
  • This answer is accurate that high resolution images will allow for duplication of a fingerprint, but I think it misses the core point of the question. HD cameras (which aren't actually that high quality) aren't going to allow for reproducing a fingerprint remotely, or even with it as the intent. Yes, a high resolution still camera can capture high enough quality images, but without physical proximity, people are not going to post purpose taken high quality images of people's fingers online generally, so there is a lack of suitable public material in most cases. – AJ Henderson Jul 01 '15 at 14:53
  • Finally, if you have physical access, there are far simpler and cheaper ways to access a fingerprint than the mentioned photographic technique, so it isn't really any additional risk. – AJ Henderson Jul 01 '15 at 14:53
1

HD footage is only around 2 megapixels in resolution. It is not anywhere near sufficient to pull a finger print. To pull a finger print, you would need something more in the 20+ megapixel range, focused on just the hand, and still would need the right angle for the fingerprint to be particularly visible, so in answer to your primary question, no, photography isn't a major concern for capturing fingerprints.

That said, it is also not that hard to get someone's fingerprint if you really want to. There isn't anyone following the President around wiping down every surface he touches, so find someplace he'll be in public and give him a campaign poster to sign or something and chances are, you can obtain his fingerprint.

Even with finger prints being obtainable however, it shouldn't be the only factor and it is still an additional barrier. Extra steps mean extra chances to be detected. Extra chances to be detected means higher security. Additionally, systems for detecting if someone is alive and genuine (such as guards or some technical approaches) can attempt to verify that someone actually is using THEIR fingerprint and not a fake.

Fingerprints should not be relied on as a sole measure of security and have never been considered a viable replacement for more secure factors. They are just an additional factor which is convenient and doesn't harm the security of a system when it is added as an additional step.

AJ Henderson
  • 41,816
  • 5
  • 63
  • 110
  • While this is true, by combining the single frames of a video one can get better resolution. This is a topic of ongoing research! The term used most of the time is "Super Resolution" A good paper to start reading with a lot of images is http://people.csail.mit.edu/celiu/pdfs/VideoSR.pdf So a HD Video could be enough to get fingerprints, depending on what is filmed and how long. – Josef Nov 26 '14 at 13:42
  • @Josef - that's an interesting area of research, but it is still making some approximation guesses which could potentially throw off getting an accurate finger print reading. It would also have perspective issues to correct for and shaping issues in order to get a consistent finger print out of the video. It might be possible at some point in the future, but I'm still not particularly convinced that the state of the art could extract a usable print, at least for finger print systems with a low false positive rate. Other methods are certainly far easier to obtain prints. – AJ Henderson Nov 26 '14 at 14:48
  • Interesting article: http://thehackernews.com/2014/12/hacker-clone-fingerprint-scanner.html Combining different photographs taken in different angles, allows you to create a high quality copy of a fingerprint – BlueCacti Dec 30 '14 at 18:22
  • @GroundZero - yes, however if you look at the photos they are using, they are close up photos. Certainly photos are more likely to allow for this than video, but the original though of video isn't viable, and it would take some amount of equipment and effort to capture the photographs of a subject's fingers. It would be far easier and cheaper to simply dust something they touched. – AJ Henderson Jul 01 '15 at 14:41
  • @AJHenderson `biometrics researcher Starbug, whose real name is Jan Krissler, explained that he used a close-up photo of Ms von der Leyen's thumb that was taken with a "standard photo camera" at a presentation in October -- standing nine feet (3 meters) away from the official. He also used several other pictures of her thumb taken at different angles.` So it's possible from 3m with a standard photo camera. Getting a picture at 3m distance from your target isn't always that difficult (imagine press event). With more professional material, you could take pictures from a much greater distance. – BlueCacti Jul 01 '15 at 14:47
  • @AJHenderson Also note that OP asks whether it poses a risk, not whether this is the most practical method for someone to bypass your bio-metrics security system – BlueCacti Jul 01 '15 at 14:48
  • @GroundZero HD cameras don't pose a risk, high quality photos at close range do. There is a major difference between the two. I simply pointed out that other approaches are more practical as a highlight of the fact that pointing out high resolution photos as an alternative to HD video doesn't really matter as other options are cheaper and easier if you have proximity. My read of the original question was more that it dealt with publicly available imagery, which is not going to be a specifically high res image of a finger. – AJ Henderson Jul 01 '15 at 14:50
1

You've just discovered why biometrics is not viable as access keys. The question of how you can get US President's fingerprints is irrelevant, because you can always get them this way or another (eg. dust for prints some place he visited). The answer is: getting them is useless, because his fingerprint (alone) doesn't open anything.

Photographs of fingerprints are not a security flaw. Using fingerprints as sole method of access is a security flaw.

Agent_L
  • 1,921
  • 14
  • 13