Hacker News Re-Imagined

Fingerprints can be hacked

  • 774 points
  • 2 days ago

  • @SerCe
  • Created a post
  • • 308 comments

Fingerprints can be hacked


@m00dy 2 days

Replying to @SerCe 🎙

Do you think that a 3d printer can replace the whole process ?

Reply


@fukpaywalls2 2 days

Replying to @SerCe 🎙

Well, they definitely can be hacked off

Reply


@paulpauper 2 days

Replying to @SerCe 🎙

The big problem with fingerprint is you may void your 5th amendment right

Reply


@cblconfederate 2 days

Replying to @SerCe 🎙

i guess faceid should be even easier since u can recreate a face from a few public photos.

Plus the good thing about fingerprints is that most people have learned from movies+tv that fingerprints are not secret and can be faked

Reply


@gumby 2 days

Replying to @SerCe 🎙

> while your fingerprint is unique to you,

Has this been proven to some degree or is it merely a conjecture.

I suppose by now, governments have collected enough fingerprints to pretty much confirm this, but I haven’t seen any studies.

Reply


@100c1p43r 2 days

Replying to @SerCe 🎙

Well, you just leave your "password" on the device ;)

Reply


@101_101 2 days

Replying to @SerCe 🎙

humm cheaper than a rubber hose, but too slow.

Reply


@evancoop 2 days

Replying to @SerCe 🎙

The broader argument here is less about fingerprints, and more about using anything immutable as authentication. You cannot change your fingerprints. You cannot change your social security number (at least not easily). These should therefore, NEVER be a primary method to authorize access to anything. Once stolen, the proverbial horse is out of the barn.

Reply


@thomascgalvin 2 days

Replying to @SerCe 🎙

Biometrics have both a high False Acceptance Rate - they will accept invalid input - and a high False Rejection Rate - they will deny valid input. Scanners can be tuned one way or the other, preferring FAR or FRR, but either way, they are kind of unreliable.

This is why multi-factor authentication is a thing. Generally, pick two: something you have, something you know, or something you are.

If the scanner doesn't like your fingerprint this morning, just use your proximity badge instead, and if someone takes a photo of your fingerprint, it's still useless unless they also know your PIN.

The issue is that a lot of our hardware, particularly phones and laptops, is single-factor authentication. And on top of that, this hardware knows the login to a bunch of other very sensitive material, like your bank accounts.

Reply


@AtNightWeCode 2 days

Replying to @SerCe 🎙

As an IT professional you should know to never use fingerprints or facial recognition for logins.

Reply


@kingcharles 2 days

Replying to @SerCe 🎙

Also remember, in the USA, the police can legally force your finger onto a reader to defeat the lock, without violating your 5th Amendment right against self-incrimination.

Reply


@GuB-42 2 days

Replying to @SerCe 🎙

No, the fingerprints are not hacked. The MacBook Pro scanner is.

Fingerprints and biometrics in general are not a secret. Consider your fingerprint like your face. Anyone can reproduce your face, there are cameras everywhere, and it is probably already easy to find on the internet. "Hacking" your face by taking a picture is the most boring "hack" ever.

Now, if I print your face on a piece of paper, wear it as a mask and try to say to a security guard that I am you, normally, he won't let me in. If he does, the problem is not that I managed to make a paper mask with a picture of you, this will always be possible, the problem is that your guard is stupid and you need a better one.

And if your fingerprint scanner can be fooled by a dab of glue and a laser printer, you probably need a better scanner, something that Apple should be able to do. Smartphone manufacturers like Apple are usually good at bringing fancy tech to the masses, and they could work on defeating these old attacks.

Reply


@p2p_astroturf 2 days

Replying to @SerCe 🎙

damn i need more sockpuppet accounts so i can list all my snarky comments:

- no shit, use public keys

- your 2FA can also be hacked

- your company forcing 2FA is insufferable like all modern web

- your KYC is literally pointless since i already gave those same ID photos to 100 different companies, few to none of which are competent enough to keep them secret

EDIT: huh, this is actually a good article. but it's still ironic since it's coming from a company that follows all the standard snake oil

Reply


@daneel_w 2 days

Replying to @SerCe 🎙

People commonly mistake biometrics for authentication; they are only shallow identification.

Reply


@no_time 2 days

Replying to @SerCe 🎙

By "laser printer" do they mean regular office printer or laser engraver? It's a bit hard to believe that the super thin layer of black paint produces an imprint thats significant enough for this to work.

Reply


@krzyk 2 days

Replying to @SerCe 🎙

OK, so here goes fingerprint scanner on phones that some thought is more secure than Face Unlock and similar.

Reply


@neycoda 2 days

Replying to @SerCe 🎙

So it's not easy.

Reply


@rogelin 2 days

Replying to @SerCe 🎙

Firgerprints are usernames, not passwords.

Reply


@trulyme 2 days

Replying to @SerCe 🎙

The biggest problem imho is that we only have two states on our phones - locked and unlocked.

Ideally, I should be able to unlock the phone and take photos using just my fingerprint. In my case I would also like to be able to call, message, play games and similar. But to access the 2fa app, cryptoasset app or similar, I must further authenticate in a way that I only reveal parts of my secret ("Enter 3rd, 8th and 11th character of your password:"). The assumption here is that I will mostly authenticate in a private setting, but sometimes I might not have that luxury.

Reply


@scottLobster 2 days

Replying to @SerCe 🎙

Think this is still overestimating the threat. It's kinda like saying you can hack someone's password by watching video of them typing. True, but also non-trivial.

If you're already being personally targeted by an organization professional enough to follow you around, take a photo of your fingerprint on something you touched, then painstakingly reproduce said fingerprint through highly technical means and then gain physical access to your personal device that uses a fingerprint reader to use said fingerprint, you should be aware of your position and have multi-factor authentication set up for everything anyway.

For your average everyday person fingerprint security is fine. The thief who snatches your phone when you step away from your table in the mall food court isn't going to be able to crack it via this method.

Reply


@grifball 2 days

Replying to @SerCe 🎙

Myth busters did this:

https://m.youtube.com/watch?v=MAfAVGES-Yc

?13? Years ago?

Reply


@kartoshechka 2 days

Replying to @SerCe 🎙

2FA can be bamboozled too, given that SMS is kinda a security joke

Reply


@ineedasername 2 days

Replying to @SerCe 🎙

The problem with any lock is that, fundamentally, it is made to be opened when certain conditions are met. And that's putting aside any sort of brute force approach.

Good security design is as much about asking, from first principles, "what conditions need to be met to open this?" as about considering how it might be attacked.

For example, the condition to be met for a pad lock to open is not "when the proper key is inserted" or "the key pins are raised to the appropriate level". It's something more basic-- like "when the locking bar no longer blocks the shackle from rising."

From that perspective, attacking the key hole and pins is only one of multiple vectors.

Reply


@1cvmask 2 days

Replying to @SerCe 🎙

My favorite photograph of a fingerprint is when the Chaos Computer Club reproduced the German Foreign ministers fingerprint from a photo. So much for military grade security.

https://www.dw.com/en/german-defense-minister-von-der-leyens...

-

The core problems with biometrics are that:

1) Not revokable (unlike compromised credentials)

2) Not a secret

3) Usually trivial to reproduce and spoof (even "liveliness" tests)

Reply


@makecheck 1 day

Replying to @SerCe 🎙

A fingerprint is a user ID that is usually treated like a password, which is the main problem here.

They should add at least a 2nd layer (that doesn’t reduce the convenience too much).

For example, people could probably remember a simple Morse-code-like sequence of finger presses, e.g. your extra token is that you set it up to use “tap, tap, longpress, longpress, tap”.

Reply


@trident5000 2 days

Replying to @SerCe 🎙

24 hour fitness wanted my fingerprints to check into their gym. I had to explain to multiple employees why that was never going to happen.

Reply


@afrcnc 2 days

Replying to @SerCe 🎙



@Sohcahtoa82 2 days

Replying to @SerCe 🎙

Is anyone surprised by this?

I've been telling my friends for a couple years now that unlocking via fingerprint is a convenience feature, not a security feature.

Reply


@a-dub 2 days

Replying to @SerCe 🎙

i find this whole in-screen fingerprint reader trend to be pretty funny. isn't glass excellent for capturing fingerprints?

i suspect biometrics like fingerprints may play a role in the future, but the role they would play is more convenience in cases where the device knows its in a trusted environment. (that is, there will be more attention on devices tracking whether they've been separated from their owner, or if their owner is not behaving like their owner, and if so, requiring additional challenge)

either that or we'll all be carrying keys. there are some cool wearables i've seen out there that i think talk nfc.

Reply


@legrande 2 days

Replying to @SerCe 🎙

Anyone else see this technique a few times in heist movies? I always knew it could be done, but having a blogpost detailing how to do this is is pretty cool.

Reply


@elias94 2 days

Replying to @SerCe 🎙

Have you ever seen the Charlie's Angels movies? They where taking the fingerprints using a beer bottle.

Same method but 21 years ago.

Reply


@voidmain 2 days

Replying to @SerCe 🎙

Biometrics are not secrets (it must be assumed that attackers always possess all biometric data), but they can nevertheless be a good form of authentication when combined with situational awareness. If you try to use one of these hot glued fingerprints in front of a security guard, it isn't going to go well for you.

At the moment, humans are still necessary for situational awareness, but probably machines can get there pretty soon. A phone, for example, that monitors its surroundings continuously and has enough intelligence to reliably distinguish normal access by its owner from duress or the presentation of fake biometrics seems like it's within reach of current technology (though it doesn't actually exist).

Reply


@theandrewbailey 2 days

Replying to @SerCe 🎙

Don't forget to change your fingerprints, face, and mother's maiden name regularly.

Reply


@rStar 2 days

Replying to @SerCe 🎙

apple: use your fingerprint … gov: fingerprints are fungible … apple: use your eyeball then!

Reply


@sparkling 2 days

Replying to @SerCe 🎙

This should not be news to anyone. Chaos Computer Club demonstrated almost the same technique in this 2006 video https://www.youtube.com/watch?v=OPtzRQNHzl0

Reply


@zeven7 2 days

Replying to @SerCe 🎙

Is modern facial recognition any better or is it also considered bad to use for anything sensitive?

Reply


@m3kw9 2 days

Replying to @SerCe 🎙

Biometrics is almost like security thru obscurity.

Reply


@aaronleather 1 day

Replying to @SerCe 🎙

these type of things always will be happen till the all gov. will not come together at one platform with strict Punishment like Death penalties for these type of crime (Fingerprints stolen, Rape, Murder...etc)

Reply


@dxf 2 days

Replying to @SerCe 🎙

The huge advantage of biometrics (fingerprints, FaceID, etc.) is the ease with which a user can unlock their phone. A passcode may be better than a fingerprint, but a fingerprint+longer passcode is better than a shorter passcode (or no passcode at all).

Having a 12 character alphanumeric passphrase you enter each time you want to unlock is not something most users want to do.

See e.g.: https://www.businesstoday.in/technology/news/story/what-kick...

Only about 49 per cent of the users were setting a passcode, which meant that the remaining 51 per cent were not benefiting from the data protection mechanism. When Apple dug in to understand the reason, the findings revealed that users unlock their devices a lot - on an average about 80 times a day. And about half of its users simply didn't want the inconvenience of having to enter their passcode into their device, at times. At that time, in 2012-2013, the default passcode length for iPhone was four digits, which happens to be six today.

Apple realised that it needed to come up with a mechanism that's fast and secure, and doesn't involve typing in the passcode. That's when Apple introduced Touch ID, which was easy, fast and secure. The way that biometric authentication worked on Apple platforms was that the user must set a passcode to be able to use the biometrics. And just as Apple thought, there was a much higher adoption of biometric-based TouchID. Apple says over 92 per cent chose to use Touch ID and had therefore set the passcode, which in turn meant users were able to use Apple's data protection encryption system.

Reply


@jeroenhd 2 days

Replying to @SerCe 🎙

Biometrics are great for authentication but terrible for authorization. Anything sensitive should require both. There's nothing wrong with a fingerprint and a password or a fingerprint and an RFID card as an authorization/authentication pair; you just have to keep these things in mind.

I've fallen to the laziness of using fingerprints on my devices as well, but they still require a password to decrypt the contents of the storage device on boot. For many, if not most, threat models, this is perfectly fine.

I lock my phone to prevent people with messing with my contacts and scrolling through my messages. It's an inconvenience to bypass that requires preparation. A motivated attacker would just as easily spy over my shoulder if I were to use a password, either on my phone or on my laptop.

I look at these mechanisms like the lock on a teenager's bedroom door. Those things aren't impenetrable and anyone with just a little lockpicking experience or access to some automated tools can open them in a minute. Unlike the locks on our front doors, built to keep intruders that don't want to risk physical damage to our windows out, they're a message: please don't violate my privacy. Violating that privacy is made moderately difficult by the mechanism itself, but it's hardly impossible.

Unless you carry a password-protected authentication and key management token with you at all times, you're at risk of having your system broken into. Most of us don't need to worry about those kinds of things.

Reply


@1vuio0pswjnm7 2 days

Replying to @SerCe 🎙

If we had asked people thirty years ago whether a single company, not a police department or other government agency, could, with consent, collect the most human fingerprints in history, would people have been likely to point out various obstacles and/or doubt it was even possible. Further, would they ever agree that these prints could be collected not for employee access to company resources but for access to people's own personal effects! (Company retains remote access to devices storing personal effects.)

Reply


@webel0 2 days

Replying to @SerCe 🎙

[edit for clarity]

As someone who doesn’t specialize in security, one claim that has stood out to me for not using fingerprints is that you can't run bcrypt (or some other salting algorithm) on fingerprints [1].

I don’t see any discussion of that here thus far. Is that still the case? I feel like I would have heard about developments in this area if something had changed. But perhaps I've always misunderstood the criticism?

[1] https://www.rsaweb.co.za/fingerprint-security-fingerprints-a...

Reply


@louissan 2 days

Replying to @SerCe 🎙



@emodendroket 2 days

Replying to @SerCe 🎙

Yes. But at a certain point one has to consider how much security is "enough." Someone could break into my house, even when locked, by kicking in the door or breaking a window, but I don't necessarily need to turn it into Fort Knox in response. If you are a high-value target, it is worth thinking about this, but for the average person, I think it might be a reasonable trade-off.

Reply


@gannon- 2 days

Replying to @SerCe 🎙

Could a similar concept apply to face-id passwords? What's stopping face-ID spoofing?

Reply


@danielyaa5 1 day

Replying to @SerCe 🎙

Isn’t this the point of requiring the password on startup. Seems like enough of a caveat for everyday users

Reply


@immmmmm 2 days

Replying to @SerCe 🎙

in biometrics this is called a Presentation Attack (PA), here the fake fingerprint is the analog of presenting a photograph, video or 3dp mask to a face recognition system. this is usually mitigated by the use of Presentation Attack Detection (PAD) systems, either hardware, software or hybrid. in this particular case it can easily be mitigated by some hardware that measures the amount of water in the biometric sample, for instance capacitive sensor, transparent conductive electrodes or maybe even better some optical sensor that is sensitive to SWIR wavelengths reflectivity differences (1000 and 1200 nm would be great here). a short scholar search will indeed reveal that this is a very active area of research, and probably will reveal tens of papers from our group which is a leader in this.

Reply


@the_arun 2 days

Replying to @SerCe 🎙

Using same idea, could’t AI generate FaceId from videos?

Reply


@SEJeff 2 days

Replying to @SerCe 🎙

Fingerprints are usernames, not passwords. Here is an excellent (and timeless) post on this fact:

https://blog.dustinkirkland.com/2013/10/fingerprints-are-use...

Reply


@scott00 2 days

Replying to @SerCe 🎙

The method in the article required an hour of photoshop work. Anybody know how much expertise is required for that step?

Reply


@delineator 2 days

Replying to @SerCe 🎙

> you leave your fingerprint on taxi doors, iPhone screens, and glasses of wine at your local restaurant.

DNA is similar - you leave hairs in taxis, public toilets, etc.

Reply


@ruph123 2 days

Replying to @SerCe 🎙

The uniqueness of fingerprints is also questionable.

e.g.: https://mathblog.com/are-fingerprints-unique/

Reply


@albert_e 2 days

Replying to @SerCe 🎙

How about .... Fingerprint sensors + inbuilt IR sensors that verify that there is a "live" finger with blood and pulse behind that print.

Would that help make FP authentication more robust?

Reply


@cmaggiulli 2 days

Replying to @SerCe 🎙

Fingerprints are usernames, not passwords

Reply


@whirlwin 2 days

Replying to @SerCe 🎙

So there is a difference here. On local hardware this is not that crucial. But on (portable) software relying on the fingerprint is more severe.

Reply


About Us

site design / logo © 2021 Box Piper