Thumb vulnerability: I’ll hack your finger from a photograph

Biometry is gaining momentum

In Russia, they are discussing the creation of a National Biometric Center with a database size of 100-150 million records. A draft law on mandatory biometric registration has already been submitted to the State Duma . On Habré they write about the results of testing the algorithms of biometric companies and try to find out who is cooler: a password or biometrics . Even Mastercard issues a payment card with a fingerprint scanner and VISA, too .

Hackers maliciously rub their handles

And are stocked with high-resolution cameras and liquid silicone. Fingers are now optionally cut off , you can make them yourself.

About how the first woman “hacked from a photograph” as the Minister of Defense of Germany, read under the cut.


Even children can circumvent biometrics (I hope that the man is alive and just sleeping)

A year ago, German hackers showed how to hack smartphones with biometrics

Video about hacking the smartphone biometrics system:



But here's how to scan greasy marks from a smartphone and make a “finger”. Visual aid for those who want to repeat the experiment:



In the comments they wrote (@maeris):

In case someone didn’t quite understand from the German video what happens:

1. scan or photograph the print;
2. translate in monochrome: ledges white, fossa black;
3. print on a laser printer on photo paper (experts already sensed LUT, yes);
4. ironing a print on the PCB so that the toner passes;
5. wash the paper with water;
6. poison with iron chloride;
7. lubricate with a thin layer of some fat so that the rubber moves off easily;
8. apply liquid rubber (silicone putty for crevices, whatever);
9. after hardening we get our finger.

The protrusions in the picture should be white, because on the textolite they mark the areas that need to be etched, i.e. will be pits, and after applying the rubber will become back ledges.

Artificial finger authentication demonstration on 31c3 :





Fingerprints are everywhere, but by and large they are not needed, you can just take a picture or google, as the Germans clearly showed this year

And this year

A hacker in a daring sweatshirt (they even wrote about him in the newspaper), Jan Krissler, used available programs and a couple of shots of the Minister of Defense’s hand. He himself made the bulk of them an ordinary camera from a distance of about three meters during one of the press conferences. He received additional pictures from high-resolution videos in which Ursula’s hand was shown close-up from different angles.

Using the VeriFinger program , the hacker performed filtering and automatic matching of image reference nodes. This is how a digital copy of the finger turned out.

Ursula Gertrude von der Layen(born October 8, 1958) - German politician, Minister for Family Affairs (2005-2009), Minister of Labor and Social Affairs (2009—2013), Minister of Defense (since 2013). The first woman as Minister of Defense of Germany.




Ursula von der Leyen

Precautionary measures

“I trust my password much more than scanning a fingerprint or retina,” says Starbug.
“Probably, in the future, politicians will only be shown in public with gloves on,” Starbug joked at the end of his speech.

Continued I will crack

P.S.
Starbug performance with English translation: