The Hacker News — Cyber Security, Hacking, Technology News

Hackers have already bypassed Apple's fingerprint scanner using fake fingerprints, and now they have found a way to reproduce your fingerprints by using just a couple of photos of your fingers.

Special Fingerprint sensors have already been used by Apple and Samsung in their smartphones for authentication purposes and in near future fingerprints sensors are believed to be the part of plenty of other locked devices that can be unlocked using fingerprints, just to add an extra layer of authentication. But, How secure are your fingerprints?

A member of Europe's oldest hacker collective, the Chaos Computer Club (CCC), claimed to have cloned a fingerprint of a Germany's federal minister of defense, Ursula von der Leyen, using pictures taken with a "standard photo camera" at a news conference.

At the 31st annual Chaos Computer Conference in Hamburg Germany this weekend, biometrics researcher Starbug, whose real name is Jan Krissler, explained that he used a close-up photo of Ms von der Leyen's thumb that was taken with a "standard photo camera" at a presentation in October -- standing nine feet (3 meters) away from the official. He also used several other pictures of her thumb taken at different angles.

Starbug then used a publicly available software program called VeriFinger with photos of the finger taken from different angles to recreate an accurate thumbprint. According to CCC, this software is good enough to fool fingerprint security systems.

"After this talk, politicians will presumably wear gloves when talking in public," Starbug told the audience at the Chaos Computer Conference (CCC) conference.

However, this is not the very first time when Chao Computer Club has targeted fingerprints. In past, the group has demonstrated how easily the Apple iPhone 5s can be unlocked using a fake fingerprint obtained from an individual who has touched a shiny surface, such as glass or a smartphone screen.

"This demonstrates—again—that fingerprint biometrics is unsuitable as [an] access control method and should be avoided," the group said at the time.

Moreover, just three days after the launch of the Galaxy S5, hackers successfully managed to hack Galaxy S5 Fingerprint sensor using a similar method that was used to spoof the Touch ID sensor on the iPhone 5S.

But this recent hack did not require any object 'carrying the fingerprints anymore,' which means that any person could potentially steal someone's fingerprint identity from photos posed on Facebook, Twitter or any social networking site.

This new finding by Starbug potentially calls into question the effectiveness of fingerprint scanners as a security measure. Fingerprints have been supported in the past as biometric identifiers, but because it can be easily reproduced, using fingerprints for security purposes raises questions.

The practical danger is low, because even after obtaining your fingerprint, the data thieves would still need to have your devices or otherwise find a way to sign in using your biometric information. But, the concern is more as the method require no technical skill to perform the fingerprint cloning.

After the revelation of former NSA contractor Edward Snowden, we all very well knew the impact of it on the world, but nobody would have estimated that the impact will be so worst.

The revelation, not only defaced NSA, but also its counterpart GCHQ, and various other governments which were serving them in the world's spying scandal. Now, after various allegations on NSA, Chaos Computer Club (CCC), one of the oldest and Europe’s largest association of hackers, along with the International League for Human Rights (ILMR), has filed a criminal complaint with the Federal Prosecutor General's office on Monday.

The Chaos Computer club accuses the German government of capitulating to UK, US and other government intelligence agencies and their communications surveillance whims.

In a press release they said:

“We accuse US, British and German secret agents, their supervisors, the German Minister of the Interior as well as the German Chancellor of illegal and prohibited covert intelligence activities, of aiding and abetting of those activities, of violation of the right to privacy and obstruction of justice in office by bearing and cooperating with the electronic surveillance of German citizens by NSA and GCHQ.”

They claimed that mass surveillance by secret services and offensive attacks on information technology systems, ‘have certainty that German and other countries' secret services’ have violated the German criminal law.

Despite considering the German Government a victim, they accuse them to provide support to intelligence agencies, the NSA and GCHQ.

"Every citizen is affected by the massive surveillance of their private communications. Our laws protect us and threaten those responsible for such surveillance with punishment. Therefore an investigation by the Federal Prosecutor General is necessary and mandatory by law – and a matter of course. It is unfortunate that those responsible and the circumstances of their crimes have not been investigated," says Dr. Julius Mittenzwei, attorney and long time member of the CCC.

The CCC and the ILHR are also demanding the prosecutors to summon Snowden as a witness and provide him safe passage to Germany and to protect him against extradition to the United States.

Apple has marketed TouchID both as a convenience and as a security feature. “Your fingerprint is one of the best passwords in the world,” says an Apple promotional video.

A European hacker group has announced a simple, replicable method for spoofing Apple’s TouchID fingerprint authentication system.

The Apple TouchID it the technology developed by Apple to replace passcode on its mobile and help protect users' devices, it is based on a sensor placed under the home button and it is designed to substitute the four-digit passcode to unlock the handset and authorize iTunes Store purchases.

But is it really so? Hackers members of the Chaos Computer Club claim to have defeated Apple TouchID fingerprint sensor for the iPhone 5S, just after the start of its sale to the public. "Fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints," a hacker named Starbug was quoted as saying on the CCC's site.

They have successfully bypassed the biometric security on the Apple's Touch ID fingerprint sensor by using materials that can be found in almost every household, it seems that they made it by photographing an iPhone user's fingerprint from a glass surface and using that captured image to verify the user's login credentials.

It warned users to consider whether they want to use a security system that you cannot change unless you change your hands. "In reality, Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake", post said.

Although CCC did not demonstrate this, several videos have surfaced demonstrated the ease at which the biometric security found on Apple's iPhone 5S can be bypassed.

First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market. 

"We hope that this finally puts to rest the illusions people have about fingerprint biometrics," "It is plain stupid to use something that you can´t change and that you leave everywhere every day as a security token." added CCC spokesperson Frank Rieger.

The hack is embarrassing, in recent days a series of bugs and security issues were found on the last version of the popular Apple OS, iOS 7, in particular the lockscreen features is affected by serious flaws.

"The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access." hacker said.

These are the exact same steps that the CCC published in 2004 on its web site and the same process that can be used, with minor tweaks, to trick the vast majority of fingerprint sensors on the market.

At this point the only question to be clarified is if the hackers will claim to the bounty of more than $16,000 in cash offered to the first person to hack the Apple TouchID fingerprint sensor.

IsTouchIDhackedyet.com is the brainchild of Nick DePetrillo, an independent security researcher whose last major public research was 2010's Carmen San Diego Project, it announced on its Web site that it was waiting for the group to upload video of the hack as proof of the hack.

Rewards include also a patent application from CipherLaw for the hack process, some Scotch, and a book of erotica.

Lesson learned ... nothing is secure!

An eavesdropping tool allegedly used by the German government to intercept Skype calls is full of security problems and may violate a ruling by the country's constitutional court, according to a European hacker club. The information was released as part of a move towards financial transparency. The government released figures of expenses incurred by the Federal Ministry of the Interior following a parliamentary inquiry.

This raises a whole lot of ethical and privacy questions. It has long been rumored that the German government was interested in developing an application to intercept Skype. Three years ago, documents released by WikiLeaks purported to show a proposal by a Bavarian company, DigiTask, offering to develop such a tool.

The Chaos Computer Club obtained several versions of a program that has allegedly been used by German law enforcement in possibly hundreds of investigations to intercept Skype calls, said Frank Rieger, a member of the club. On page 34 and page 37 of the report the cost for decoding software for Google Mail, MSN Hotmail, Yahoo Mail for prevention and investigation was listed.

In 2009, for instance the German police rented hardware and software to monitor Skype for almost A!30,400 (about US$39,300) from the German company DigiTask. DigiTask also provided software to decode Google Mail (as Gmail was formerly called in Germany,) MSN Hotmail and Yahoo Mail, according to the documents. The software was ordered twice for approximately A!12,500.

"Not only can unauthorized third parties assume control of the infected system, but even attackers of mediocre skill level can connect to the authorities, claim to be a specific instance of the trojan and upload fake data," according to the Chaos Computer Club's writeup.

The Chaos Computer Club provided samples to F-Secure, which found Quellen-TKU also had keylogging capabilities to intercept data entered into applications such as Firefox, and the instant messaging programs MSN Messenger and ICQ.

Tapping a phone is acceptable in today's democracy because there are procedures in place for that sort of surveillance, But we are sort of sleep walking quietly from one level to the next.

Subscribe to our Daily News-letter via email - Be First to know about Security and Hackers.