Threat Management, Vulnerability Management

Starbug’s in your eyes: German hacker spoofs iris recognition

A German hacker who rose to fame after hacking Apple's TouchID and recreating the German defense minister's thumbprint from a high-res image, has revealed a method where iris images taken from a distance with a high-resolution camera can be recreated with a laser printer.

In a presentation at the annual Chaos Computer Club conference in Hamburg, Germany, biometrics specialist Jan Krisller – known in the community as "Starbug" – extracted the iris data of German chancellor Angela Merkel, using a photo taken at a press conference. He went to explain that this is also possible with high-res billboard and magazine images, all of which can be printed onto a contact lens.

To copy Merkel's iris print, all he had to do was get was a high-resolution image of the Chancellor, easily available from her election campaign materials, and then print it out. Using Photoshop, he improved the contrast of the image and printed the iris using his widely available laser printer, printing at 2000 dpi.

Stating that “everything is spoofable”, much of Starbug's speech was focussed on discussing the vulnerabilities associated with fingerprint and facial-recognition technology, warning that these technologies represent “90 percent of the biometrics market value”.

Discussing how to make a dummy fingerprint to spoof Apple's Touch ID sensor, Starbug said it was possible by simply lifting a fingerprint from a basic print scanner and then making a mould using the Gummibear method to spoof it. According to Starbug, fingerprint sensors featuring liveness detection can't detect this.

The same method is also possible using photographs of fingerprints – the method used to extract German defence minister Dr Von Der Leyen's thumbprint.

On facial recognition, Starbug said a simple photo of the user's face is often more than enough – even for most infra-red devices. Which is why he went to say that "liveness detection is very important". 

He also outlined a method to defeat liveness detection that demands that users blink, and a technique to defeat 3D facial recognition techniques using a papier mâché mask.

Starbug's message was not anti-biometrics, admitting that he uses TouchID more than any other security method.

Andrew Bud, founder and CEO of iProov commented on Starbug's research: “As the image of people's faces are in the public domain and can be found on social media and through Google searches, if a hacker wants to attack, they could do it from across the street by simply taking a photo of you.” 

He added: "Any [biometrics] system that relies on the source resembling a person's face is entirely insecure if it relies on replays and copies of the person face.”

You can view the full talk here (English translation): 

[hm-iframe width="560" height="315" frameborder="0" src="https://www.youtube.com/embed/VVxL9ymiyAU"]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.