VANCOUVER — Most biometric forms of authentication, including fingerprints, facial recognition and iris scans, can be defeated using high-resolution photographs, a German researcher demonstrated yesterday (March 19) here at the CanSecWest security conference.
Jan "Starbug" Krissler, who was the first hacker to fool Apple's Touch ID fingerprint-recognition system in September 2013, showed how a life-sized photograph of his own eyes fooled a commercially produced iris scanner, and how a mold made from a high-resolution image of his own index finger fooled a laptop's fingerprint reader.
This past December, Krissler showed how a high-resolution photograph of German Defense Minister Ursula von der Leyen's thumb might be used to create a fingerprint mold to unlock an iPhone. Yesterday, he said press photos of German Chancellor Angela Merkel's face might be sufficiently high-resolution to fool iris-recognition systems -- and so might images from pornographic movies.
Perhaps easiest to fool, Krissler showed, is two-dimensional facial-recognition software. Modern systems wait for a face to blink or move before unlocking. But Krissler showed that waving a pencil in front of a high-resolution photograph convinced a Mac that it was looking at a live face.
Three-dimensional facial-recognition systems would be more difficult to fool, he conceded, but he theorized that they could be defeated by lifelike masks, such as those used in old episodes of the TV show "Mission Impossible."
The eyes have it
Iris-recognition software should, in theory, be a little more difficult to defeat. It generally uses infrared rather than visible light to scan eyes, Krissler said, and hence color photographs often can't fool a reader.
But a high-resolution image of Krissler's own eyes taken in infrared, then printed in black and white, quickly fooled a commercial Panasonic iris reader, he showed. And if the subject has light-colored blue or gray eyes, as does Chancellor Merkel, color photographs might work anyway.
Krissler then showed a still from a pornographic movie shot in 4K video, which has four times the resolution of 1080p television. (He explained that only porn is regularly shot in 4K.) A woman performing a sex act was looking right into the camera; her eyes were green, but eyes of a lighter shade might fool an iris reader, Krissler said.
Iris readers will also read contact lenses with printed irises as genuine, Krissler said. That itself isn't a weakness, but he said one could create contacts that matched a known person's irises, or enroll one set of contacts as an authorized user and then distribute identical sets to multiple persons.
Digital identification of digits
Of course, the most common form of biometric authentication is fingerprint readers, which have been on laptops for more than a decade, and are now on Apple and Samsung smartphones. The largest threat to fingerprint authentication may be the high-resolution camera with a zoom lens, of the sort used by professional photographers and passionate consumers.
Krissler showed a photograph of himself holding up an open hand, taken in bright daylight from about 10 feet away by a prosumer digital camera with a 200mm zoom lens. He zoomed in on the image until the tip of his index finger filled the screen, his fingerprint clearly visible. Using a soft-plastic mold made from that image, Krissler unlocked his own laptop on stage.
But it's not ordinary people who are at high risk of having their fingerprints spoofed. Instead, it's famous people of whom high-resolution images are plentiful and publicly available -- politicians, celebrities, sports stars, business leaders.
To demonstrate, Krissler showed his famous photograph of von der Leyen, taken at a press conference in October 2014. The image showed von der Leyen's thumb, and Krissler zoomed in so that the ridges, whorls and loops were clearly visible. Using image-mapping software, Krissler got a nearly complete print of von der Leyen's thumb, with some blank areas where the image had been too reflective.
But the blank areas could easily be filled in using a few more high-resolution images of von der Leyen's hand, Krissler said. From there, a working mold could be made of her thumbprint, which could then unlock any late-model iPhone or Samsung phone the German defense minister might have.
"Once done, it would work," Krissler said.