iPhone 5s’ Touch ID fingerprint sensor has been hacked using a copy of the original fingerprint


One of the biggest features of the iPhone 5s is its Touch ID fingerprint sensor that makes it much easier to secure the device using the owner’s fingerprint for authentication. The fingerprint isn’t just used for unlocking your phone, but is even (optionally) tied to your iTunes account, which has your credit card information, so it becomes even more important for the Touch ID to function properly, and not allow unauthorised access.

The folks at Chaos Computer Club (CCC) have (fortunately or unfortunately) demoed that the Touch ID sensor can be successfully fooled into unlocking an iPhone 5s with just a photograph of the fingerprint tied to the device.

From their site:

A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID.

“In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake”, said the hacker with the nickname Starbug, who performed the critical experiments that led to the successful circumvention of the fingerprint locking. “As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints.”

Starbug has also created a YouTube video, embedded below, to demo the whole thing:

The fake finger was created using a 2400 dpi photograph of the fingerprint, which was then inverted and laser printed with a 1200 dpi printer on a transparent sheet. Pink latex milk was then smeared onto the sheet; it picks up the printed pattern and can be used to defeat the Touch ID sensor. This technique has been used to defeat most fingerprint sensors, not just Apple’s Touch ID.

The CCC’s spokesperson Frank Rieger added:

“We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token. The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.”

It could be argued that obtaining a photograph of your fingerprint isn’t very easy for a third party, but that doesn’t take away the fact that the fingerprint sensor can’t differentiate a real fingerprint from a fake one. To Apple’s credit though, the “Secure Enclave” where the iPhone stores the fingerprint information still remains secure.

Tell us what you think about the hack in the comments below. Will you be using the Touch ID for unlocking your device and authenticating your iTunes purchases? Do you think the Touch ID will be safer than a four-digit passcode?


  • Pacomacman

    Anything can be hacked, but who would want to go to these lengths? Where is someone going to get a 2400dpi image of your fingerprint in the first place?

    • barondebxl

      Exactly. Anything can be hacked. Of course ppl were going to try to hack the touch ID, everybody saw it coming.

    • JD

      Yes, this seems secure enough for a phone. If it’s lost or stolen they wouldn’t be getting into the device using this method, so who cares.

      • Special Circumstances

        As CCC points out, your finger can be pressed on the phone by arresting officers. Also, your prints are ON THE PHONE, so if it gets stolen, the thieves can lift them from there.

        • JD

          What are you talking about? And it has already been clarified that you can’t reverse engineer the fingerprint from the chip.

          • yuhating

            dude, he means he can get it from / on the phone! like the back or screen or somewhere!

          • JD

            You can get a fingerprint from someone’s phone, yes… what does this have to do with the unlock of the device? The quality would obviously be too bad for the iPhone, which is why they needed to go the route they did. A 2400 dpi picture of a finger pressed on a clear surface then printed on a 1200dpi printer.

          • Luigo Minotti

            Can’t enhance the resolution with Photoshop (as Tsutomu Matsumoto did to fool 11 fingerprint systems in the past)?

          • JD

            Don’t you think if that was that easy that would be getting demoed instead? That was over 10 years ago. As they stated this is the highest resolution sensor they have seen, and required a higher quality picture image.

          • donnykurnia

            The thief could just take the phone and chop off the owner’s finger. Really nothing you could do to prevent that coming…

        • Daniel Monroe

          It takes a wax (or other mold) impression for this to work… not a simple image of the fingerprint. Has anyone tried with a simple image of a fingerprint?

          • Montgomery

            The problem is: where are you going to get a picture of a fingerprint that isn’t smudged. Even when touching the phone or a glass, usually fingerprints get completely smudged.

    • AJ

      “WHERE IS SOMEONE GONNA GET A 2400DPI IMAGE OF YOUR FINGERPRINT IN THE FIRST PLACE???”

      from the phone itself OF COURSE, you might not want to call it a hack but being able to bypass the touch ID of a stolen phone with your fingerprint that IN WHICH the physical fingerprint happens to be on the physical phone itself because it’s been touched by the owner’s hand “obviously” is a huge security risk!!!!

      IN SUMMARY!!!

      IF YOU’RE A TEENAGER WHO JUST NEEDS YOUR GIRL NOT TO GO ONTO THE PHONE!!! [NO BIG DEAL] THIS WON’T AFFECT THEM IN THE LEAST BIT!!!

      IF YOU’RE AN EXECUTIVE WITH BUSINESS DATA THAT IF EXPOSED CAN GET YOU FIRED IF NOT WORSE!!! [THEN IT’S A HUGE SECURITY RISK]

  • cloudshake

    LOL, the hand of that guy is shaking badly in that video…

    • Duston Foster

      I honestly was getting angry on how bad his hands were shaking! Lol

      • yuhating

        he was excited. come on guys.

      • Daniel Monroe

        Come on guys! Hand shaking is totally normal for many people… it doesn’t take drugs, alcohol or any type of excitement to make my hands shake… it’s a genetic thing. Some people are lucky and have stable hands, others (like me) have to deal with shaky hands from the time they are born (not to mention how we have to endure your childish, naive and uninformed comments by people like you that shaky hands are something we should be embarrassed or ashamed of). In my case, I have nerve issues all up and down my extremities… why don’t you just start making more insults to half the population (not to mention the disabled)? How old are you guys? Please forgive me if you are a minor and simply just don’t know any better.

        • mehee

          Zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.

  • Richard Scott Reed

    Owner’s finger prints are easily lifted from phone screen itself as well…

  • CrashMatrix

    That German dude sure does shake a lot! lOl

    • hefl123

      It’s Oktoberfest!

  • 8lias

    By the time this CSI work is done, I’ve either located it, erased it, Activation Locked it, rendered it useless, etc. Even Fort Knox is breakable, the consequence vs. the benefit would have been too good to be achieved.

  • yuhating

    Wasn’t there a $15000 prize for this? Hope they get it.

    • George

      Your dumb if your not sarcastic

      • Zero

        “You’re”

  • Deose

    Is this really “Hacking”? And of course if you have an exact replica of a fingerprint it is going to work. This shouldn’t be big news to anyone. It’s like in movies when bank robbers put fake fingerprints on so it doesn’t get traced back to them. If I were to cut someone’s finger off and use it to unlock their phone, would I be a “hacker” since I got around the system?

  • Alan

    In other news, keys can be copied with a low-resolution picture. People should stop using keys as well.

    • yuhating

      Really stupid comment. I can’t find a reason for you typing that!

      • Alan

        Cause I really don’t think this is hacking. Hacking would be if they could bypass it without the copy of the fingerprint. Touch ID can be fooled “Yes”, can be hacked, “Not Yet,” but won’t be surprised if it will be soon.

        • yuhating

          ok. that makes sense. it is not strictly hacking but even if it is unlikely someone could potentially get the phone and unlock it and access all your crap. but chances are very low. still something to be considered.

          • Alan

            That’s why I gave the example of the key. Isn’t there a similar risk? Someone can recreate your house key and break into your house.

          • Kevin Wickham

            They have to know where your house is… With your phone it doesn’t matter they have the credit card info and everything. It’s unlikely for a tiny operation to see it useful but an organized crime group would. It’s like stealing cars. Person steals cars and another cleans it up and sells.

          • mE.!

            and for Alan’s scenario they would have to know where your finger is. then fool you into letting someone take a close picture of each of your fingers. how is his example significantly different?

          • John

            They only need your fingerprint and it’ll be all over the phone.

        • Daniel Monroe

          The comment was totally pertinent. I don’t understand why you would think it was at all stupid. There couldn’t have been a better point made. Did you even think about what was meant by it? If not, let me help…. The whole world uses the ancient technology of keys and anyone that really wants to make a copy could easily do so if they have access to the original key for a few minutes. Anyways, a finger is a little harder to snag for any amount of time without the owner noticing to say the least. I would be interested in knowing if the Touch ID can be fooled by a simple fingerprint image someone lifted off a glass object or other type of fingerprint image lifting… then I would start to lose faith in Touch ID’s security… I’m pretty sure no one is ever going to be able to lift a wax impression of my finger or somehow “borrow” my finger without my noticing. I would say if you are that much in need of protecting your finger impression, be careful of handling too many candles in the future.

        • Reece

          I don’t think these individuals are grasping the issue.

          1. A house key can be copied like a finger print. If this happens the lock is replaced. If their finger print is imaged, people can not replace their finger and are therefore stuck with their unchangeable key.

          2. Hacking is doing anything with something that it was not originally meant to do.

          In conclusion. The Finger sensor has been hacked because it can be bypassed using something other than an original finger. Unlike a key code, the fingerprint can not be changed upon being compromised.

          (The reasonably simple method was to transfer a high res photo taken from a print left on a glass surface onto a thin film, then pressed against the sensor using a living finger on top.)

          This means all someone has to do is find a surface capable of leaving a print (there are a lot of shiny plastic and glass surfaces everywhere in day to day life that we all touch), take a nice high res photo (high res cameras aren’t too hard to get at all these days), steal the phone, transfer the print to a thin bit of film and press it with your own finger to unlock the phone.

          The owner’s unlock key is now compromised and stuck with them for the rest of their life. There is not much they can do to change their finger print unless they want to have laser surgery etc.

          A key code however does not get left everywhere that you go and can be changed virtually as many times as you like should it become known.

  • Glenn

    Am I missing something??? What did he prove? It would have been nice to see a more detailed video. How do I know the phone was not already unlocked?

    • yuhating

      Why would they lie? I think their detailed description and the fact that they are the Chaos Computer Club (CCC) should tell you they wouldn’t lie.

    • Luigo Minotti

      The technique is explained here, so it is possible to find out if it works.

      Moreover it is explained the same technique has been adopted to “defeat most fingerprint sensors”. It means it is a commonly used technique to hack fingerprint reading sensors.

  • nik

    There is nothing that can’t be hacked, fingerprint sensor is just one step to higher security from another simple smartphone. Not to say that it’s too complicated for a single thief to try to hack a fingerprint sensor.

  • Solferico

    This is not something I should worry about. No one is going to go through all that effort to enter my phone. Maybe if I was Obama or 007 I should be worried

    • Luigo Minotti

      So you don’t really need it! :)

      • Abel Goddard

        Need is completely separate from want and usefulness.

      • Daniel Monroe

        I think that most people want it simply for the convenience of not having to swipe their finger or enter passwords all the time. Who really “needs” their iPhone in the first place? You all could do just fine with a simple $20 GoPhone with that type of mentality. When it comes to high tech gadgetry, WANT = NEED. Why the heck does “Need” come in to play with your comments towards others about how they spend their money? Dang I wish people were just plain smarter about how they speak to each other. Maybe it’s just me?

  • Steve

    Unless you’re some military person with big secrets on your cellphone (which would be dumb anyways), I think using a person’s fingerprint is more than ample security for a cellphone. How many people do you think are really worth taking the time to lift their fingerprint and recreate a digital copy of it just to get on their phone or to get their credit card info? A thief would have a lot easier of a time just stealing their wallet. Just cuz it’s possible to fool it doesn’t mean that it’s gonna really happen. This is ridiculous.

  • Luigo Minotti

    This technique requires the original hd finger print image in order to work properly.

    However it might be possible to access the stored information (or file) from the 5s memory (it seems it is stored in the A7 chip memory with encryption).
    I’m curious to find out if someone will hack it without any “original” fingerprint image in the next few days.

    Is this the reason why Senator Franken questioned Apple with an open letter?

    • JD

      It is possible, but that’s where the challenge comes. Touch ID doesn’t store any images of fingerprints, it stores a “mathematical representation” of the fingerprints created by Apple. That’s what Apple challenged to everyone to crack. According to them it’s impossible to reverse engineer back into a fingerprint.

      • Luigo Minotti

        Ok… I hope for them they are right… however the technique adopted here was well known in 2002 (Tsutomu Matsumoto)… not so new!

  • Mike

    Why is that dude’s hand so shaky? Lord knows I have the shakes from my excessive drinking but that guy looks like he has been on meth for a week!

    • Daniel Monroe

      BECAUSE HE IS HUMAN.

  • DasH0212

    So not secure anymore?

    • Luigo Minotti

      some websites claim this is not hacking … just fooling!
      However it seems it works!

  • Thatsgr8

    Oh that’s right. Note to self DON’T TAPE A COPY OF YOUR FINGERPRINT TO THE BACK OF THE IPHONE. What a stupid article

  • Star Wars Dad

    What’s funny is people don’t seem to recognize that the best copy of that thumbprint is all over their touchscreen. Biometrics have always been a terrible idea.

  • Jeremy Taco Patterson

    If somebody wants to access my info bad enough to go through this level of trouble to steal my fingerprint and try to “build” my fingertip, then they can have it…. Good God…

  • Krumby

    nobody says how are you supposed to know which finger was used ? that is harder than anything to get

  • Krumby

    oops said

  • JohnDear

    Is this conclusive evidence? I would have liked to see him setup itouch first, and then have someone else lift his print and use it. Instead they have just shown setting up itouch and then using their own finger to bypass it. Is this hacking???

  • Jon

    My question for authenticity would be, “what happened to the idea that it had to sense ‘live tissue’?” No matter what resolution you’ve copied, latex is not live tissue. The video can appear to show the person actually going through the “set-up” process with their own finger, touching “something,” and proceeding to unlock the phone. Nothing else is shown, which is why we only ask that this be “verified in person” by anyone giving a reward. Yes, you can say that anything can be bypassed or even hacked, but this could be a mere illusion. Key phrase, “could be,” especially if it’s true that the reader needs to sense live tissue through the embedded RF sensors.

  • Kiwiholden

    That’s a HELL of a lot more work than just looking over a person’s shoulder or using a camera to get someone’s pin. So fine if you work with top secret stuff you’re better off changing your pin on the hour every hour but for me I’m more worried about a mate seeing my pin and texting people junk than making fake fingers

  • PimpDaddyWiteBoy

    i like how social engineering is deemed as hacking now-a-days

  • 919263

    This is just the tip of the iceberg… Watch “Titanic” / “Apple” go down… This is going to become a security headache. Defense Departments have started using iPhones. I don’t see this as a feature, but as a bug…

    • Daniel Monroe

      You know, it only takes 10,000 tries to defeat the passcode system it replaces… any Defense Department would be comprised of idiots that didn’t realize this in the first place. NOT A BUG.

  • asdf

    This dude needs to lay off the drugs. His hands prove he does HEAVY drugs.

  • Joe

    The iPhone finger scanner measures finger capacitance that scans the unique signature of a person’s unique finger - the test lifted the print of one person’s finger and used another finger of the same person! It’s not a good test, the capacitance differences are too similar to be read differently. A simple preventive step could be to increase the sensitivity.

  • FLAWLESS

    Who cares. You guys are talking about technical stuff. NERDS!!!!!!!!!

  • Erik Stenson

    I will never use this or buy a phone with this. If everyone had this then phone thieves would also start stealing fingers. Plus now they are using this for payments too, not just unlocking. Also it is not secure, as was pointed out.