Hacker fakes German minister’s fingerprints from HD photos

Security analysts have always believed that fingerprints are a foolproof replacement for passwords and authentication protocols. However, a new development has toppled this theory and changed the game. When fingerprints are used for authentication, the single biggest concern is what to do if the fingerprint in question gets copied. This is exactly what a German hacker demonstrated at a recent technology convention.


Jan Krissler, a hacker also known as Starbug, recently presented some rather interesting findings at the Chaos Communication Congress (CCC) in Germany. The CCC happens to be Europe’s largest association of hackers, so it’s no surprise that this was the location for such a noteworthy revelation. Starbug demonstrated his technique for stealing fingerprints by simply analyzing a few high-definition pictures of his target, in this case German Minister of Defence Ursula von der Leyen.

According to Krissler, faking these fingerprints was far easier than he thought possible. All he needed were a few close-range photos of his target in order to reverse engineer the fingerprints. He obtained these photos from several press releases issued by the minister’s office, plus another that he took himself from a few meters away. With the help of commercially available software called VeriFinger, he was then able to replicate the fingerprints of the Defence Minister of Germany, the country with the world’s 4th largest GDP and a leader in several technological and military fields.

After the demonstration, Krissler jokingly added: “After this talk, politicians will probably wear gloves when talking in public.” While that seems like a logical expectation, we doubt that will be the case. But we sincerely hope that politicians heed this warning and demonstration and take care to avert such cases in this modern age of cyberespionage, international cyberwarfare and other technology-related crimes.

Krissler, aka Starbug, is certainly not new to the hacking of biometric security and authentication techniques. When the Apple iPhone 5S was released in 2013, he successfully spoofed the highly publicized Apple TouchID sensors within 24 hours. He achieved this feat with the help of a finger smudge on the screen, wood glue and sprayable graphene. However, for his latest hack demonstration, it is scary that he does not need physical access to either a device or a finger. It makes you wonder how secure high-level authentication protocols really are.


A notable workaround is for users not to think of biometric security as a replacement for passwords or other authentication. While your fingerprints may be unique to you, the fact is they are not a secret. Anyone who is adequately motivated can easily get their hands on your fingerprints through several innovative techniques. Instead, biometric security and fingerprint authentication should be used as a supplement for passwords. Starbug also agreed in 2013 by stating: “I consider my password safer than my fingerprint. My password is in my head, and if I’m careful when typing, I remain the only one who knows it.”

Another novel hack technique, known as “Corneal Keylogging”, was also showcased at the conference. This trick allows a hacker to obtain someone’s passwords simply by gaining control of the camera of their smartphone. With this control, a hacker can read what someone is typing on the screen by analyzing HD photographs of the reflection of the screen in the user’s eyes. This technique may sound implausible to some, but the secondary cameras or front-facing cameras of smartphones today are strong enough to make this possible.

So while we all hope for and look towards a safe and secure 2015, advanced hack attacks such as these are constantly being built and showcased in all corners of the globe. It just goes to show that when it comes to security, there is no rest for the wicked.

Rahul Thadani
