One of the biggest features of the iPhone 5s is its Touch ID fingerprint sensor that makes it much easier to secure the device using the owner’s fingerprint for authentication. The fingerprint isn’t just used for unlocking your phone, but is even (optionally) tied to your iTunes account, which has your credit card information, so it becomes even more important for the Touch ID to function properly, and not allow unauthorised access.
The folks at Chaos Computer Club (CCC) have (fortunately or unfortunately) demoed that the Touch ID sensor can be successfully fooled into unlocking an iPhone 5s with just a photograph of the fingerprint tied to the device.
A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID.
“In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake”, said the hacker with the nickname Starbug, who performed the critical experiments that led to the successful circumvention of the fingerprint locking. “As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints.”
Starbug has also created a YouTube video, embedded below, to demo the whole thing:
The fake finger was created using a 2400 dpi photograph of the fingerprint, which was then inverted and laser printed with a 1200dpi printer on a transparent sheet. Pink latex milk is then smeared onto the sheet, which picks up the printed pattern and can be used to defeat the Touch ID sensor. This technique has been used to defeat most fingerprint sensors, and not just Apple’s Touch ID.
The CCC’s spokesperson Frank Rieger added:
“We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can´t change and that you leave everywhere every day as a security token. The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.”
It could be argued that obtaining a photograph of your fingerprint isn’t very easy for a third-party, but that doesn’t take away the fact that the fingerprint sensor can’t differentiate a real fingerprint from a fake one. To Apple’s credit though, the “Secure enclave” where the iPhone stores the fingerprint information still remains secure.
Tell us what you think about the hack in the comments below. Will you be using the Touch ID for unlocking your device and authenticating your iTunes purchases? Do you think the Touch ID will be safer than a four-digit passcode?