 Thanks for the nice introduction as you can see from the title of this presentation today's talk is about biometric and non-biometric ways of identifying people. In particular it's about how cameras are a danger to these processes. This talk is based to a certain extent on a paper that I have done together with Ronny Henge and Tobias Fiebig at T-Labs and T-Labs gave us this nice title slide here which I have seen about two weeks ago while I was getting coffee and I thought this is a very fitting poster and I just I just had to use that here. I don't want to go too much into details here because I'm really trying to make a little nice little arc here but essentially this is about biometrics and keyloggers. I also had to include this picture here What I'm gonna try is we're gonna do taking steps away from the object of our desire from the biometric attributes and let's start with something simple the fingerprint. This picture is pretty funny but it has a serious background. In the United States the Supreme Court decided a couple of months ago that passwords are protected by the Fifth Amendment but fingerprints are not so the police can actually force you to unlock your iPhone using your fingerprint and this is a little bit silly because let's take one step further away. Wolfgang Schölde by sich auf den Sofa zu liegen. We have been focusing on the finger but how often does it happen that you have Wolfgang Schölde on your couch? It's not about the Nazi sex party but the headline underneath that. You see that fingerprint here? I don't know who knows that story. It's been a couple of years by now when there was a huge fuss about the electronic identity card and the electronic passport. Dr. Schölde was visiting or was opening faculty at the University in Berlin and he was holding a speech there and back then he was the Secretary of State and there were all these laws and I was kind of afraid because I thought this man was crazy. The stuff that he was doing was really crazy and obviously he had a glass of water in front of him and he drank from that glass and for some reason we got a hold of that glass and with a very primitive technique something that I will show you in detail later we managed to get one fingerprint and we published that fingerprint in our magazine Datenschleuder and this became pretty big. It was even in the built tabloid and what Dr. Schölde said is I don't really care the hackers. I don't care if hackers have my fingerprint but through the way I learned that he was rather displeased with that even though he officially said that he didn't care. What was even funnier is I was with Constanza a couple of weeks later I was at an event where Mr. Zierke was and we met for coffee and we had a talk. It was a rather unpleasant talk but all that time he really paid attention to his coffee cup and everyone just left their cups wherever they were but he took this cup with him and he never touched the glass that was at his speaker table. About the technique that we have used back then there are a number of possibilities that you can use in order to make a fingerprint visible. The two pictures in the top you probably know that from movies you have some sort of powder and you can apply this powder over the fingerprint and the particles of that powder will stick to the residues, the fat residues that the fingerprint has left on the surface and the problem is if you are not very careful with that little brush that you have you can actually damage that fingerprint so it's not really a good way. The police in the meantime they have moved on to the second method which you can here see under that lid in the lower left picture there's a little bit of super glue basically. One of the components of that glue is something that evaporates at room temperature and it also sticks to the to the residue and you will get a very nice white white imprint and there's a little problem with that method too because if you keep that lid closed for too long the the vapors are not only sticking to the fingerprint but also to the area surrounding it so you have one big white spot and that's why we have a third option. I don't know if it's something that is officially used I rather stumble upon that. This picture was taken in a facility that makes very thin layers of gold and I accidentally put a piece of glass in there that I touched with my finger and I got a very nice picture of my fingerprint so I can only recommend using that method. The problem is that these devices are not really cheap and it's not something that you can have at home in your kitchen so this is something that you can use on an even surface. There are other ways when for example you have a fingerprint on a piece of paper you can either what you can see here on the left this is some sort of acid that you can apply to the paper and it contains an indicator that reacts with stuff in the fingerprint and leaves this nice pink residue and on the right side the picture that we have when you see that little stripe that's it's something that I accidentally left a sheet of paper in the in the oven and my fingerprint was on it and apparently the fat dissolves at a certain temperature and it's a great way to make a fingerprint visible on a piece of paper so if you ever want to write a ransom letter I would recommend wearing a pair of gloves and of course dispose of this pair of gloves properly because your fingerprints will also be all over that pair of gloves. I want to tell a little bit more about the iPhone but I reduced that a little bit so I only have that one slide because the iPhone is pretty much a wonderful example of how to get a nice fingerprint from an even surface. There's this nice glass pane with a black display underneath it and you just have to touch it for briefly and all you have to do is put the phone on a normal scanner upside down and you can just scan the fingerprint in. So when the iPhone was released I thought hey I'm gonna have fun with this for a couple of weeks but turns out it broke after two days and I had broken it after two days because it was so easy to get a fingerprint off the iPhone so if anyone wants to know more about this there's an episode of chaos radio where we discuss this in length all about the iPhone so that was the past and let's move on to the present stuff that we wrote about in our most recent paper. Basically you have to collect an item on which someone had left his fingerprint and now let's we can actually move away from from whatever it is the person touched we can go a foot away or we can go to the other end of the world because basically all we need is a camera of a mobile phone and have you ever noticed that whenever you install an app on your phone that every other app is asking for permissions to use your cameras you have a simple app such as a flashlight and the flashlight app will ask for permissions to use your camera so it's something that most apps can do and most phone cameras are have a good enough quality to get really good pictures of a fingerprint. It's a little staged these pictures here you kind of have to have your finger right above the camera and you have to have good lighting conditions and all that but basically what I'm saying is that with your regular 13 megapixel camera that you have in a mobile phone it's sufficient to get a good image of a fingerprint if lighting is okay I use the desk lamp here you can get really good results when you use the the flash in your camera however this is something that will probably get noticed so when I did the last adjustments on my slides I saw that you could actually use the notification lamp and this gives us sufficient lighting to to get a really good picture of a fingerprint but of course we don't only have one camera in a phone yeah I also like that picture I had to include it normally most phones nowadays have at least two cameras and the camera that is in the front is getting better and better the iPhone has 1.2 megapixels something but there are phones such as the HTC Desire people want to do selfies that have a good resolution so this is something that we're going to see more and more it also has 13 megapixels and with a device like that we did a couple of more experiments and of course the question is where does that camera point and this is a nice zombie picture of a co-worker the camera is of course pointing at the face of the user and here I have some nice animations first time I ever used animations in my slides does anyone have an idea what I'm going for here no it's not about the it's not about the iris it's about the pupil because there's a reflection in the pupil the the screen of the phone is something that you can see as a reflection in the pupil and of course you can also see a silhouette of the finger and what is the finger touching is it's the pin pad so we tried that with a 13 megapixel camera and we the display was about 30 pixels wide in the picture so if you take that number pad with five keys you will get about six pixels per per key and this is more than sufficient to see which keys were pressed and get the pin that way so we did some experiments and tried that manually and tried to figure out the pin and we had a success rate of about 90 percent of the key presses we got right in the first attempt and the remaining 10 percent in the second attempt nice thing is that it's it's okay if you don't get it right in the first try because you have a number of attempts to to watch how the victim is entering the pin and when you enter the pin you also don't have to be correct in the first attempt so you have even if you fail the first time you will get it right in the second or third time so using that technique once you get access to the camera of the phone you can actually find out the pin of the user and this is not only something that works for a pin but also for passwords although it's it's maybe a little bit more difficult because here we have five keys keyboards usually have 10 keys next to each other so we get three pixels per key at last year ccs we had a talk someone had written a software to do something like that they also used data from the camera and analyzed the pictures and also had a look at the reflection of the keyboard in the in the eye and they had three pixels per key and they had a software that was able to make something out of that and this is for a smartphone i think of an ipad for example which is three times the size so it really shouldn't be a problem there well sometimes the user is also wearing a pair of glasses so this is our former secretary of defense this is of course an extreme example he has a very nice pair of glasses and with today's cameras you can you can almost read what's on the display and the nice thing is that the cameras are getting better and better so you without a doubt by this time next year you will probably be able to read whatever is on the display we already saw that picture and now let's have a look at the iris the problem is that well my co-worker he is he has dark brown eyes so for the first experiments that we did we actually had to look out for someone else so this is another co-worker of mine is kevin he also is will be holding a talk here i think tomorrow and what we did is again we we used the phone camera to to make these pictures and we printed these pictures and we held it against that device and can we can we show that the other camera please yeah all right so this is kevin and here is the device all right let's let's try if it works with a picture so apparently it is really sufficient to have a picture with a not that great resolution and print that on a 2000 dpi printer which is something that everyone has and the the the identification device is actually a high-end device we paid more than a thousand euros for that and it is used in in certain systems for access control in banks and so on but like i said until now this has only worked for people with brightly colored eyes but since i am working in in research and i'm teaching so we actually have to apply the scientific method here if we want to publish papers about that so we did some experiments at the icmp so let's uh let's take a step back we we took a camera just a regular camera camera from canon and we just took a serious pictures and we increased the distance we always took one picture then moved back one meter and took another picture and so on and we did this seven times and the picture is actually pretty good the basic idea is i wanted to figure out how many pixels do you really need in order to see something on the iris and next thing we did is we didn't take a normal camera but an infrared camera instead and an infrared camera is where the the detection of the iris works in the infrared spectrum because dark eyes are much better visible here and the resolution and the structures are are much much better when you look at it in the infrared spectrum so when you look at this closely it looks slightly different so if i had made a print of my eyes it didn't work with kevin's eyes so we kind of went through the to the infrared picture and this picture right here the iris has is 75 pixels wide so the distance uh the distance from from the person that we took the photo of was uh was about six and a half meters so you will need an infrared camera for dark eyes but there are also cameras that have a special mode for for night shots or what you can also do is you can just take a camera apart and remove the infrared filter and that will also help so and if you do that you can do the same thing for dark eyes an extreme example we have a co-worker who is from india he has really really dark eyes you can barely see a thing but even if we took a picture where the iris was 75 pixels wide we were able to fool that device so uh basically iris detection is something that is really broken by now just wait that was always uh with the laboratory conditions but what you did now we tried it in public not in laboratory and what's better than doing the experiment with the politicians with the chancellor we were in contact with journalists with two photographs who did it for us same camera that we use on the icmp in this case slightly better objective 400 objective with the next tender it's a bit more expensive it costs 10 000 euro but this picture was taken from the distance of five meters and the iris had a diameter of 110 pixels so we were far away from the 75 pixels so we could still slightly sense the distance 10 meters absolutely possible the structures were visible very fine Michael Leek had the idea let's look for high resolution pictures like election posters when they are really big they have a really good resolution so chancellor Merkel gave her iris for free willingly with a diameter of 175 pixels did you have a look and red eyes so obviously they they did something with the photograph or they gave the chancellor two days of sleep to recover face recognition well i didn't want to talk about this but a while ago with my ex-colleague i made a nice video that i simply want to show you in this case it's about face recognition is a photograph sufficient or is a mobile phone photograph sufficient will work with a black-white photograph so can so i think it cannot be regarded as secure any longer the difficulty was the live recognition so seeing whether it's a photo or a living object this is my ex-colleague this way with the camera right now test before the blinking starts the the living recognition so what what we did then was we didn't need a video we simply needed a pen wait a second now he recognized the face now we take this pen here at the second attempt it actually worked what should i say now let's talk about the fingers the same that we did for the iris and what we did with the cameras laying on the tabletop we did with the fingers and we tried to take photos of fingerprints and we record the distance and we checked whether they are still recognizable or not what we did then was we tried to see how they look like the picture on the left was taken from the distance of three meters the right picture was taken from seven meters distance you see the difference the two meter picture has good resolution it works fine and it was the blueprint for the for the fingerprint now what i want to to show you is how to teach the system this to the fingerprint i have to start this virtual machine before so this is my um digit index finger when it tried at the beginning of the show it didn't work let's see you see you don't really see how hard i have to work to make this work usually we took glue but as you can see now it works nice usually we took glue but it takes too much time it breaks rather so you can't use it after a short distance of time so that what we then took was latex milk it's also available in skin color so you can make something that rather much looks like a finger let's continue with the keynote so that's where we left as i said we checked up to which width is still makes sense because we tried it a couple of minutes ago with the infrared camera and we simply checked how these fingerprints look like in infrared light so the picture that you can see here looks like pictures that are taken from three distance and you still can take a fingerprint from that so the picture that you just saw had a diameter of 150 pixels and had which is like a distance of five meters so with the infrared camera you can can make make a copy from six meters distance so this was with the laboratory conditions and now with real life conditions in this case it was the first picture that we had and it simply was that perfect with the name readable at the bottom and with the thumbs up they was taken on a press conference with a 200 objective three meter distance so if you extrapolate it there is still space left and as you can see the picture has some but well it's it may be quite usable so you can post processes and you could fill the gaps so we took a couple of pictures so theoretically it would be possible to make a big fingerprint for that and a colleague of mine actually tried this with a couple of pictures to glue them together but when i ran some tests well i didn't succeed but then the congress started and finally said well i can't take your picture sorry about that so but you can imagine taking a couple of pictures and while overlapping them then you can fill the gaps that you can see here and in the result the picture might be quite usable the main problem here was the depth resolution so light conditions are not that critical and especially if you take the infrared light but death resolution is the problem what can we do there there's this brand new technology that is called neutro a light feed camera so these cameras don't actually take a photograph on the film but they instead they take a picture that more or less looks like a 3d picture and you can decide which layer you want to have in good resolution which not so this is quite fine if you have to work with different layers so this led to the next steps that i'd like to work on i think there is still left left room for improvement so the focus of these of these cameras is quite good so the pictures might be quite usable and i think we can do still do a lot with that like we have just seen you see him cancel miracle standing like this and you know why and no you know why and i would just show you a video because i was quite fast i did not do this last time what you have to do to get a fingerprint of an iphone you enter the pin and normally you would just do a normal fingerprint on the iphone in this case he i just used it normally and it's not as optimal but it's good for normal use to get a picture so yeah then we scan it it's a little bit more high resolution than a normal scanner we bought that for a science project we did the pictures scanned in black and white and that's the original what you get from the scanner and you invert it so you have a blueprint and then we inverted to made a print from it then we printed on a normal overhead file that's normally a paper what you use for um sorry you put um photo this is basically a process that is used um in order to make electronic components and you can do it in your kitchen if you want so everything that i show here uh is something that you can do at home with uh with things that you have in your household so this is the the fingerprint that we have we've gotten and we put a little graphite graphite spray on that and it's also it's a conductor of electric current so the the sensor that the that is built into the iphone can easily be fooled with uh uh with this copy of the fingerprint it's a little bit difficult peeling it off but now we have a very nice artificial fingerprint so this is my real finger here so there was this site that was called uh touch id hacked yet the first one to hack the touch id was uh would get a number of bitcoins or something so that's why we paid attention to this video being a very high quality video so this is my finger this is my original finger it works perfectly and next to me my co-worker he is using the fake fingerprint it doesn't work in the first try it doesn't work in the second try but after the third try he gets access to my iphone and as you could see it did not work with his real finger without the the fake fingerprint it wasn't a perfect perfect day where we published this it was election day basically and as i said we were expecting to have a little bit of fun for the iphone for maybe a number of weeks but we had broken it after two days and so we we actually published the information at six in the evening on election day and we got a lot of heat for that but i talked to a number of people and they said they expected us to basically work for maybe a two months on this project but there you go all right so that was really it okay we have a lot of time for questions so if anyone has questions we have six mics in the room yeah hey starbucks you spoke from the lightro's spectrum camera probably you did not uh it is not needed because in all the hack moves you can use uh it's basically a customized firmware that you can put on your normal camera it's mostly used for for doing macro photos but you can also use this for this purpose can you use the front camera to get the the thumb of it right in the corner problem is that the camera is not able to get a clear picture because the thumb is so close to it so you have to have about 10 centimeters distance from the camera to the thumb so that's basically why we decided to go with our solution there may be special cases where using the front camera would work but it's more difficult do we have a question from our signal initial from the isio twitter yeah the internet wants to know if you can use for the reproduction of biometric material well if you if you touch your passport with your fingers you will leave the same fingerprints as on any other object but other than that uh it's it's a perfect because essentially what's on that uh electronic document is pictures of your fingerprints uh the difference is that these pictures are encrypted and it's not that easy to get the key to decrypt those so i'm pretty sure that it would work but um we haven't tried it out and uh our solution seemed to make more sense for us i have a short question if the slider online yes we will make these slides available um later after this presentation there also so hand scans the scans that actually take pictures of your veins as they as the blood flows through them um this is something i wanted to do but i wasn't able to do it in the last few weeks there are a number of things that we have tried out but it wasn't ready to do in a presentation but one thing that we did because we already had this infrared camera we took very nice pictures of of the veins under your skin so i'm not sure if everyone's aware of how these things work they're basically using infrared light to make a picture through the through the skin and apparently blood absorbs a light of a certain wavelength so the veins will actually look black on the picture and the veins are one of the very few um biometric um identification attributes that you cannot simply take a picture of but with an infrared camera and a nice infrared infrared flashlight um these are pretty powerful and we have done a number of experiments uh and you can actually see the veins pretty nicely on the picture so um stay tuned um this is something that we will research actually just only a short question how much have you worked with compressions for the iris pictures um you print out the picture for the iris and when do you reach the boundaries of jpegs compressions well we didn't use 1200 hang on we did use a 600 dpi printer that was didn't work too well when the resolution of your picture is reduced by half um it's still worked in in a good number of cases there were some cases where it didn't work but with half the resolution uh it was also very usable but it's i mean it's not necessary we are talking about uh 75 pixels and uh this is not a problem for for for a good camera and i see would like to see the zoom to the iris because that was not possible to see in the stream okay we have this nice picture here and we also have this nice picture it was especially about the picture um with uh where we recognize the keys on the keypad so this must be this is taking with a front camera of a phone so if we actually zoom in here you can uh i think it's this uh well visible and this is just uh a little thing that we cut off the picture and we made it bigger and i will make these slides available online and there's no question and and if there's a club where you can learn how to um learn how to make fake fingerprints well i'm not going to go into details about the political or uh legal implications but um it's obvious that you can use these fake fingerprints to uh basically put anyone's fingerprints on a weapon or a gun for example or on an atm machine or wherever you want and you you know what i mean um what technique have you used or what software um to extract the black and white pictures from the photos you have taken uh this an sdk which is called very a finger um long time ago it was free and i'm still using it i think you can buy it for a couple of hundred euros um earlier today i saw an article um on the website of german newspaper at each site and i think they had a link where you can purchase this software it's something that you don't really need you can use for example gimp to do it or you can do it manually but it's good to get a first draft basically of your of the fingerprint and then you just put the the original picture and that picture on top of each other and then you can just uh redraw the lines and that might be a knife question and every fingerprint is unique so you have worked with one from ten so to make it really objective you would need a bigger sample yes that is correct so well at least in the case of miss funderline miss miracle we focused on one single finger because when you when you're talking to these persons your best bet is go for the fun um you can think of other opportunities such as when something simple as when they are waving or giving a thumbs up or something and holding her hand on the camera it's easy to imagine that you can take good pictures of the other fingers as well yeah i have a question to the technique you have used for biometrical identification that is used in train stations and it's less the iris or the fingerprint it's more like the distance between the eyes and the mouse mouth spacing and the second question would be how could you protect yourself from from that so you don't get recognized by a metric identification process you can try to conceal your face a couple of years ago that i was dealing with face recognition in public places and they had this very nice example uh those uh those people who were wearing thick glasses were often confused by the software because it was focusing on the thick framed glasses and the the face recognition software usually works by taking the distance between the eyes and then uses that as a base in order to uh i think uh it's a spacing of 30 pixels that is needed well one thing you can do to protect yourself is for example if if you have to give someone your photo you can for example move your eyes together so that you will actually reduce the distance between your pupils and if the picture is distorted in any way or if you are wearing a hat or a fake beard or glasses this makes it harder for the software and there are a number of websites that deal with that i have seen pictures of people with a third eye that they had painted on their face so there are actually some sites that can give you makeup tips which you can use to to defeat or to basically to avoid being recognized by face recognition software okay we have learned that biometric identification is a stupid idea but um so maybe a pin well wear gloves then yeah i still have the problem that when i enter the pin that you can see what i'm typing through my iris how can i protect myself from that well close your eyes while you're typing counter measures we haven't really uh put a lot of thought into that the easiest thing is probably to cover the lens of the camera and that way you can avoid that the camera takes pictures of you without you knowing do we have something give me a second do you have any experience with a fingerprint door openers yeah they're all crap i haven't seen a single uh mechanism that you couldn't break easily the one that required the most work from us was probably the iphone because the sensor has a fairly high resolution but even the new devices that are used at borders for example they also measure the conductivity of a finger but it was even with these devices it was fairly easy to construct a fake fingerprint and the same fake fingers fingerprints that i used to build seven or eight years ago still work for these devices i wanted to ask two questions first if there is with the fingerprint with the principle of finger print of taking a fingerprint uh if it's enough if you use graphite with the glue because if you have if you were in gloves um why when you're handling um the um the phone um so why does it doesn't bug it um when there's something not uh conducting between the thumb and and the phone well the black thing that dummy that we used this was the thing that the system recognized as my thumb so also from the print because the phone is uh does not react to the picture of of the thumb also from the um electricity that is being conducted well in the case of the iphone i think they are somehow projecting an hf field into the finger and this gets reflected and it measures the reflection but like i just said the system with the graphite and all that um was able to defeat the system and it it fooled the system with a high success rate so apparently the the reflection must have looked uh for the system must have looked like real finger and i hope that was understandable otherwise we can talk about this after after the presentation i photographic note to the uh hydroponos because i think it's a bad idea because they um achieve their focusing qualities with uh lightning direction well what's interesting is that the resolution doesn't play such a big role a couple of hundred tpi is uh or the older iPhones have even less than that it's sufficient but the nice thing about the biometrics is for example with the fingerprints if you if you press harder with your thumb the the lines will be further apart so there has to be some sort of tolerance here so it's not actually a problem if there's a couple of percent uh tolerance in in our picture that solution problem can be solved by simply making it a bit darker uh so so possibly by by by making the liking conditions a bit better uh um you can solve this problem and you can um rent objective for a couple of days so um you don't have to make this big investment okay simple question may ngo's record um these these biometric um items from politicians and other people but what do you think our former secretary of the interior mr schoibl said that he's fine with it but it's an interesting question so uh if your point of view is that these are this is personally identifiable information uh then of course the data that is in your passport uh has to be protected by the same law so my stance on that is let's just continue doing that and we'll see what happens let's see what there is a short question from the internet i see there was the question coming up whether this is from the alliance fingerprint will also be published like the fingerprint of mr schoibler um well um i would have done it but if we're gonna do it we're gonna do it right so with mr schoibler we we had to do some manual work and i wasn't able to do this in time for the congress but we are going to do that and of course everyone um if you are at an election party or something or see a politician somewhere take a photo of them when they're waving and doing this with their hands i have a guess why your uh copies will still work and um i think they they need some automated um quality assurance and they don't need someone waving her finger for quality assurance they also want to have dummies in in their um machines well yeah very nice maybe one thing um because the police is actually taking interest in detecting fakes uh because i think european countries are going to start taking the fingerprints of us citizens and this is uh not a nice thing for for spies because it could happen that the fingerprints are certainly um contributed to another person a question from the rc about the indirect reflections what will happen if i enter my pin at the atm and someone is standing behind me but it's not then he's not looking at me but you have a reflection in his glasses well have a look at ccs paper paper from 2013 from uh mr xu that's xu they are dealing with that topic and they did some experiments they put a cup of coffee somewhere and they were taking a picture and uh they could see the reflection of the eye in the coffee pot and they did stuff like that so there's an actual an actual danger there once the resolution of the camera reaches a certain quality this becomes a problem i have a question about the photograph fingerprints so a finger shortly had the glass direct in front of him but the photograph of from the line so you don't know uh on from the photograph how big a finger actually is so does it make a play a role well yeah that's correct i mean it does play a role to a certain extent but the systems have a lot of flexibility when it comes to the size and uh and on top of that fingers usually don't have huge size differences i think we were able to enlarge it or shrink it by up to 20 percent and the system what still recognizes so there's actually a good level of tolerance and if in doubt just find a picture where she has for example she's wearing a rolex and you know the size of the watch and then you can defer the size of the thumb how about videos did you try extract fingerprints from videos well i'm actually i'm not supposed to uh to tell you this but because in scientific circles it's when you're writing a paper you shouldn't talk about the things that you're doing in your paper on a conference and that's that's why i'm only going to say 4k porn so the question was whether it's possible to extract fingerprints from 3k 4k videos no further comments on that just a short remark and you can buy a 50 25 your camera for the Raspberry Pi and you can do take infrared normal photographs with it very good thanks