The Touch ID fingerprint scanner featured in the new Apple (NASDAQ:AAPL) iPhone 5s may not be an impenetrable security barrier after all, if the claims of a group of German hackers, which says it has cracked the biometric security system by using a photo of the original user’s fingerprint, are proven accurate.
The hackers’ group, known as Chaos Computer Club, or CCC, said in a post on its website that it had successfully bypassed Apple’s Touch ID fingerprint scanner by “using easy everyday means,” just two days after the device was released on Friday.
“A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided,” a post on the CCC website said.
Apple’s fingerprint-scanning technology was supposedly more secure than previous offerings of its kind and there have been many claims that the new technology used by the iPhone-maker could be hard to break. But, according to the hackers, the iPhone 5s’ Touch ID is only a higher-resolution version of existing sensors, meaning the technology can be hacked by using common fingerprint-lifting techniques.
“In reality, Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake,” a CCC hacker nicknamed Starbug said. “Fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints.”
The process, as outlined by the CCC, requires a high-resolution 2400 dpi photo of a user's fingerprint, which needs to be lifted from a glass surface using graphite dust or cyanoacrylate. The resulting image is then cleaned up and inverted with photo-editing software, and then laser-printed at 1200 dpi onto a transparent sheet.
After a hard copy of the fingerprint is obtained, pink latex milk or white wood glue is applied to the printout. Once that sets, the thin latex sheet can be lifted, breathed on to produce a thin coating of moisture, and then placed onto the sensor to unlock the iPhone.
“We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token,” Frank Rieger, a spokesperson for the CCC, said. “The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.”
Last week, an independent security researcher named Nick DePetrillo attempted to crowdfund a reward that would be offered to the first person to hack the Touch ID fingerprint scanner on the iPhone 5s. DePetrillo said that he had reviewed the information on the CCC website, but wanted more documentation.
“We are simply awaiting a full video documentation and walk through of the process that they have claimed,” Reuters quoted DePetrillo as saying. “When they deliver that video we will review it.”
At the time of writing this article, the total bounty had climbed to more than $13,000. However, it is still unclear whether the CCC hackers would get the full amount, if they are declared as the winners.
It is worth mentioning here that I/O Capital, a micro-venture capital firm, which offered to pay $10,000 of the reward, said, in a press release on Sunday, that it would choose the winner of the contest on its own.
Meanwhile, other security experts have praised CCC’s work, saying that the hack is "a complete break" of Touch ID security.
“I think it's legit,” Dino Dai Zovi, co-author of the iOS Hacker's Handbook, told Reuters. “The CCC doesn't fool around or over-hype, especially when they are trying to make a political point.”