Dec 29, 2014 · 1 minute

Fears about the security of thumbprint scanners included in devices like the iPhone moved from theoretical nightmare to real-world threat over the weekend when a researcher showed his ability to replicate the prints to the Chaos Computer Club.

The researcher demonstrated the problem by recreating the fingerprint of German Defense Minister Ursula von der Leyen from public photographs, using commercial software called VeriFinger that is marketed to "biometric systems developers and integrators."

It's not clear how this method of replicating a thumbprint is more dangerous than lifting one from a surface the target has touched, but it does lend support to the idea that basic biometric security systems aren't as secure as, say, passwords.

I've been writing about those fears for some time. The first issue I noted was that it's much harder to change a compromised thumbprint than to change a password; once a print is in someone else's hands (or on the tips of their thumbs), it's basically useless as a credential.

The use of an iPhone's thumbprint scanner might also be a problem for people who wish to prevent law enforcement from accessing their smartphone without a warrant. As I wrote when a judge said police could order suspects to use a thumbprint sensor:

The judge’s decision was based on the idea that 'giving police a fingerprint is akin to providing a DNA or handwriting sample or an actual key, which the law permits,' the Virginian-Pilot says in its report on the decision. This doesn’t mean that a suspect’s phone can be accessed with just a fingerprint — some software requires an additional passcode to be opened — but it does mean that an iPhone could be laid bare to law enforcement if its owner relies on its TouchID feature alone.
Now consumers must worry about a hacker gaining access to a stolen iPhone almost as much as they have to worry about police seeking access to the device and, maybe, I don't know, stealing images to share with their friends or make fake social accounts.

Biometric sensors are convenient, but they just aren't as secure as passcodes. Hopefully the methods shown to the Chaos Computer Club don't have to be used more widely for people to start thinking about whether or not they want to use Apple's TouchID.

[illustration by Brad Jonas for Pando]