Full Report
Fingerprint biometrics are entering the mainstream as a security measure, with both Apple and Samsung relying on readers to secure their flagship phones - but biometrics may not be as secure as many believe.
Analysis Summary
This is a summary of the information regarding the technique demonstrated by Jan Krissler (Starbug) of the Chaos Computer Club (CCC) concerning fingerprint spoofing from photographs.
# Vulnerability: Fingerprint Spoofing from Public Photographs
## CVE Details
- **CVE ID:** No specific CVE ID is assigned as this describes a general research finding/technique demonstration rather than a specific software flaw tracked by a CVE.
- **CVSS Score:** N/A
- **CWE:** Not specified (relates broadly to weaknesses in the trust placed in biometric authentication mechanisms and in sensor data capture)
## Affected Systems
- **Products:** General fingerprint biometric authentication systems (Examples mentioned include systems in Apple and Samsung flagship phones, specifically referencing Samsung Galaxy S5, Note 4, and iPhone 6).
- **Versions:** Any system relying on fingerprint authentication where the input image quality is sufficient for reconstruction.
- **Configurations:** Systems that do not employ liveness detection or advanced anti-spoofing measures.
## Vulnerability Description
A researcher from the Chaos Computer Club (CCC) demonstrated the ability to reconstruct a usable, machine-readable fingerprint template from standard, publicly available photographs of a person's thumbprint (in this case, Germany’s Defense Minister). The technique involves using high-resolution images, combining data from multiple photos, and processing them with specific biometrics software (VeriFinger) to create a viable spoofing template.
## Exploitation
- **Status:** Demonstration/Proof of Concept (PoC) available (demonstrated at CCC). Widespread exploitation in the wild against commercial devices was not reported at the time of the report, but the *method* is public.
- **Complexity:** Unknown/Medium (Requires specialized software and an image of high enough quality, plus the ability to fabricate a physical latex fingerprint mold).
- **Attack Vector:** Adjacent (Requires access to the fabricated fingerprint mold and physical proximity to the authentication device).
## Impact
- **Confidentiality:** High (If a system is secured only by the fingerprint, a successful spoof grants full unauthorized access).
- **Integrity:** High (Allows unauthorized modification or authorization of actions).
- **Availability:** Low (The attack aims for access, not denial of service).
## Remediation
### Patches
- This is a fundamental security limitation of relying solely on sensor data that can be captured non-intrusively. Vendor patches would require updating the underlying biometric algorithms, likely involving enhanced liveness detection or multi-factor verification. No specific patches for this technique are listed.
### Workarounds
1. **Employ Multi-Factor Authentication (MFA):** Do not rely solely on fingerprint authentication. Combine it with a PIN, password, or pattern.
2. **Protect High-Value Targets:** Limit the use of easily captured biometrics for accessing highly sensitive systems.
3. **Restrict Image Acquisition:** Minimize the availability of high-resolution, close-up photos of individuals touching surfaces.
## Detection
- **Indicators of Compromise:** The success of this attack is typically only noticed upon unauthorized access.
- **Detection Methods and Tools:** Detection focuses on implementing security measures *before* the attack, such as Liveness Detection mechanisms within the biometric scanner hardware/software stack, which inspect texture, pulse, or electrical properties to confirm the print belongs to a living person.
## References
- Chaos Computer Club 31st annual conference update: defanged://www.ccc.de/en/updates/2014/ursel
- Ubergizmo report: defanged://www.ubergizmo.com/2014/12/hackers-claims-they-can-reproduce-fingerprints-based-on-public-photos/
- VentureBeat commentary: defanged://venturebeat.com/2014/12/28/chaos-computer-club-claims-it-can-reproduce-fingerprints-from-peoples-public-photos/