Biometric Security Measures can be Hacked Easily, Here’s Why

May 25, 2016 by Seth Schaffer

Biometric databases and photographs allow a hacker to fool a fingerprint scanner without access to your hand or even a print left on an object. Other biometric security measures don't hold up either.


I've long had a healthy dose of paranoia about online security, and with constant reports of hacks on sites and passwords stolen it's beginning to seem like using biometric security measures would be a great idea. Apple has included TouchID in every iPhone from the 5S onwards, a fingerprint scanner which I know many of my friends and colleagues utilize. Microsoft has included a face scanning unlock feature with Windows 10. Many banks and Government departments use face-scanning or retina scans to secure their data or even physical door locks. However, recent research has shown that biometric security measures might all be a huge liability. 


Fingerprint security on laptops used to be the toast of the town, now they're a liability


Gefahren von Kameras is a German biometrics researcher who has shown that almost every biometric device we think of as secure is actually trivial to break into. I specifically bring attention to fingerprints because he shows several ways to fool fingerprint scanners, and because many people use the iPhone TouchID scanner to secure their smartphones. If you want any real security, however, stick to a password. In this video, Gefahren von Kameras discusses how easy it can be to obtain a fingerprint from a photograph.

Here, he shows his process. And here an iPhone TouchID sensor is fooled with a dummy print using equipment that most electrical engineers could easily access. This is accomplished as shown with a scanner and actual physical print, but it's easy to see the same process could be performed using a photograph of a fingerprint as well.

Perhaps the most frightening thing to realize is that security measures which cost thousands of dollars and are used to secure banks and Government agencies can be fooled with a simple photograph, in many cases even just from a smartphone. The fact of the matter is, if you want to access a colleague's PC, it might be possible with just their profile picture and a color printer. In under a day you can make a dummy print to access their phone by using the process demonstrated in the above video, or even by creating a 3D model using a fingerprint from a photo or collection of photos layered together using 3D printing technology. While it may have been obvious to those who considered that grabbing a glass used by somebody would allow you to copy their prints, it's rather unsettling that a simple, properly lit photograph is all that's needed.


A rubber fingerprint can be used to fool fingerprint scanners. Courtesy of The Verge


It would be one thing if a DSLR were needed, but my own smartphone has a 13 MP camera, which Gefahren von Kameras specifically mentioned as being more than enough to cheat face and retina scanners.

The real question now is, how can you stay secure anymore? The answer is simple: passwords. Especially after the 2014 court case in which it was ruled that fingerprints aren't protected by the Fifth Amendment, but passwords still are. Your best bet is still using safe services which encrypt your data, together with strong passwords. I'm also personally a big fan of the two-step verification offered by both Google and Microsoft. (Those links will help you activate it.) While it won't protect your smartphone (especially if it's an iPhone), it'll keep a whole lot of your personal data safe by requiring that someone has physical access to your smartphone, and the ability to unlock that phone, to access either account. This is a major step towards better security in my opinion, as it is a way to theoretically ensure that the person entering your password is actually you. I strongly recommend it for anybody like me who allows Chrome to remember passwords and other personal info. If you're truly paranoid, using a VPN to secure web traffic is never a bad option, and most university campuses already do just that. Other than that, you mostly just have to trust in the security of any service that you give a password to.

If you are like most people and cannot remember limitless passwords, only make up totally new ones for services that seem especially sketchy. That way you won't have to worry if that password is stolen as the person with it can't get into anything else of yours. As long as you stay away from using biometric security measures and are smart about making and using passwords, you should be just fine.

Just remember, always keep those passwords to yourself. It's impossible to control what happens to a photograph of your face or hands once it's posted online, but anything that only you know can't be used against you. You can watch Gefahren von Kameras explain how to break into an iPhone below.

  • liverdonor June 10, 2016

    Funny, his nickname means “the dangers of cameras.” What a great handle.

  • rxyzm June 11, 2016

    Many movies show the simplest way of picking up a fingerprint: using scotch tape. If you put your finger on the sticky side of scotch tape and then take your finger away, you yourself will see the residue of your fingerprint on that tape.

    And this is 80s technology.

    The fingerprint sensor in its current form is not very usable unless some way is built into it to differentiate between skin tissue and non-skin tissue. Then we can get somewhere with this technology.

    • Seth Schaffer June 11, 2016

      Hello there! As far as detective work is concerned, scotch tape and basically any dust that will stick to fingerprint oils is fine. However, that won't work for fooling a scanner. You do actually need to try and replicate the capacitance of skin. It turns out, however, that too is rather easy to do. In some cases, if the scanner is bad enough, Play-Doh will suffice.