Hacker demonstrates how iPhone 5s’ Touch ID was bypassed, experts say ‘average consumer’ shouldn’t be worried

A few days ago, the Chaos Computer Club (CCC) revealed that it had managed to bypass the iPhone 5s’ Touch ID fingerprint scanner by using a fake fingerprint.

Well-known German hacker Starbug has now published a video that shows the entire process involved in creating the fake fingerprint.

Security expert Marc Rogers explains Starbug’s method:

Invert the print in software, and print it out onto transparency film using a laser printer set to maximum toner density. Then smear glue and glycerol on the ink side of the print and leave it to cure. Once dried you have a thin layer of rubbery dried glue that serves as your fake print.

Rogers says that he used another technique to create the fake fingerprint to bypass the iPhone 5s’ Touch ID:

In this technique, you take the cleaned print image and without inverting it, print it to transparency film. Next, you take the transparency film and use it to expose some thick copper clad photosensitive PCB board that’s commonly used in amateur electrical projects. After developing the image on the PCB using special chemicals, you put the PCB through a process called “etching” which washes away all of the exposed copper leaving behind a fingerprint mold. Smear glue over this and when it dries, you have a fake fingerprint.

Rogers points out that these flaws are not something an average consumer should be worried about, as creating a fake fingerprint is anything but trivial and involves a lengthy process.

First you have to obtain a suitable print. A suitable print needs to be unsmudged and be a complete print of the correct finger that unlocks a phone.

Next you have to “lift” the print. This is the realm of CSI. You need to develop the print using one of several techniques involving the fumes from cyanoacrylate (“super glue”) and a suitable fingerprint powder before carefully (and patiently) lifting the print using fingerprint tape. It is not easy. Even with a well-defined print, it is easy to smudge the result, and you only get one shot at this: lifting the print destroys the original.

It is not something an average street thief would be able to do, as it uses over a thousand dollars’ worth of equipment, including a high-resolution camera and laser printer. He also points out that you get only five attempts before Touch ID requires you to enter the passcode to unlock the device.

Today just over 50 percent of users have a PIN on their smartphones at all, and the number one reason people give for not using the PIN is that it’s inconvenient. TouchID is strong enough to protect users from casual or opportunistic attackers (with one concern I will cover later on) and it is substantially better than nothing.

I was a little surprised that the Touch ID system could be bypassed by a fake fingerprint as Apple had mentioned that it takes a high-resolution image from the sub-epidermal layers of the skin, which I thought should have ideally rejected the fake fingerprint. Starbug suspects Apple chose usability and convenience over security. He told Ars Technica:

I was very disappointed, as I hoped to hack on it for a week or two. There was no challenge at all; the attack was very straightforward and trivial.

The Touch ID is nevertheless a very reliable fingerprint system. However, users should only consider it an increase in convenience and not security.

Rogers also agrees. He says Touch ID is not a strong security control, as it has flaws that can be used to unlock an iPhone. But he believes it’s more of a “convenient” security control and an exciting step forward for smartphone security.

I think that’s a fair assessment, and not something that has me worried. What about you?