Apple's Touch ID already bypassed with established 'fake finger' technique

Posted:
in iPhone edited January 2014
A hacker group in Germany claims to have defeated Apple's new Touch ID biometric security system by using a modified fingerprint lifting and "fake finger" creation technique.

Touch ID


In a post to its website on Sunday, the Chaos Computer Club claimed to have bypassed the iPhone 5s' Touch ID sensor hardware, just two days after the smartphone was released on Friday.

According to a detailed walkthrough of the bypass provided by the group's biometrics hacking team, the iPhone 5s' Touch ID hardware is, in effect, merely a higher resolution version of existing sensors. This means the system can be defeated using common fingerprint lifting techniques, albeit at a more refined level.

"In reality, Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake", said a CCC hacker nicknamed Starbug. "As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints."

While the process is somewhat complex, the thinking behind it is straightforward. In this case, a high-resolution 2400 dpi photo of a user's fingerprint was harvested from a glass surface using graphite dust or cyanoacrylate (the main ingredient in Super Glue) and a camera. The resulting image was cleaned up and inverted with photo editing software, then laser printed at 1200 dpi onto a transparent sheet.

To create the fake fingerprint, pink latex milk or white wood glue is laid over the printout and allowed to set. Once cured, the dummy can be peeled off the transparency, breathed on to produce a thin layer of moisture, and applied to a finger. This will grant access to a Touch ID protected device, CCC claims.

A video of the unlocking process was uploaded to YouTube:



"We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can?t change and that you leave everywhere every day as a security token", said CCC spokesman Frank Rieger. "The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access."

It should be noted that Apple never claimed Touch ID was a new technology, nor did the company say the method was foolproof. As seen above, there are many caveats in the production of a "fake finger," from latent fingerprint quality to digitization and printing. In addition, a would-be thief would need access to the iPhone itself after the fake is produced.

Also not taken into account is Apple's Find My iPhone app, which allows a lost or stolen phone to be wiped remotely. This leaves the window for breaking into the 5s very small, and would likely thwart all but the most dedicated criminals.

Apple's Touch ID is the company's first attempt at including a biometric security method in its consumer products. The technology comes from AuthenTec, a biometrics firm specializing in fingerprint hardware, that Apple purchased in 2012 for $356 million.

The extent to which Apple plans to incorporate biometric technology is unclear, though as it stands, Touch ID is used to unlock the iPhone 5s and make iTunes purchases. Third parties do not have access to the sensor's API, but that may change if the tech becomes a larger part of the iOS ecosystem.
«13456717

Comments

  • Reply 1 of 330
    droidftwdroidftw Posts: 1,009member
    Anyone with a level head probably realized the TouchID system would be defeated in quick order. That said, it still may still prove to be an effective deterrent for crimes of opportunity (which I'd imagine most phone thefts are). Only time will tell.
  • Reply 2 of 330
    I'm pretty sure I don't recall Apple ever saying it was uncrackable. But it sure does beat havin to enter a PIN or password away too often.
  • Reply 3 of 330
    wingswings Posts: 261member
    By the time a thief steals my phone, and SOMEHOW also gets my fingerprint (OK, maybe there's one unsmudged print left on my phone, but odds are 1-in-10 that it's my recorded print), and scans it at 2400dpi, prints it with a good printer at very high resolution, puts a layer of latex over it and WAITS for that to dry, I will have already set a passcode and/or wiped the phone. Not to mention I have activation lock enabled so he (or anyone he sells it to) would need my passcode to activate it.

    Not worried. It's more than enough protection for little ole me.
  • Reply 4 of 330
    rogifanrogifan Posts: 10,669member
    Let me guess...this CCC outfit as an agenda and will use Apple to further it.
  • Reply 5 of 330
    Is there a complete video from beginning to end? Without seeing the steps involved it's kinda pointless.

    Anything can be hacked. It's whether the time and effort to perform the hack are worth the end result (getting access to a phone). Creating a fake finger to open a safe or get access to a secure area might be worthwhile. I really doubt anyone would go through the effort to get the data that's on your phone.
  • Reply 6 of 330
    And here we go, FingerGate begins ;)

    But seriously what's up with the SUBepidermal reading claims if this can be hacked with simple visual pattern scan?
  • Reply 7 of 330
    My front door lock can be picked. Guess I am foolish. Will leave my doors open from now on.
  • Reply 8 of 330
    This video is misleading.

    Assuming that the screen for setting up a second finger is the same as the first...

    1. Notice he doesn't try the middle (unlocking) finger FIRST, to show that it CANNOT unlock the phone by itself.
    2. Thus, the film he puts on his finger could be anything, because the middle finger could already be set up to unlock. The phone unlocks because it might already be set up.

    And that doesn't even address if it's possible to get a complete enough print on a phone surface to photograph at the 2400dpi. Doubtful.

    Way too much NOT shown in this clip.
  • Reply 9 of 330
    lkrupplkrupp Posts: 9,472member
    So which is easier to defeat and in how short a time?

    A four digit PIN that can be hacked relatively easily and fast?

    Or the Touch ID sensor... after going through the tedious process described by the hackers?

    I'll use the Touch ID because it's "secure enough" and easier than entering the PIN every time. This feature will become insanely popular for the general public and you can bet your paycheck the competition will follow suit. And when the competition follows suit you'll suddenly see all the "ha, ha, this is so easy to defeat" comments disappear into thin air. Why do we pay attention to anonymous tech types who make ridiculous statements about things they know little about, including some German with incredibly shaky hands.

    For the average Joe User, who would take the time to do this? I can see the police or government agencies doing it but the common thief who lifts your iPhone on the street?

    I really can't take seriously those who make a big deal out of these security hacks. In this day and age your only real protection is the safety of large numbers. Like a school of fish herded by Dolphins, your chances of actually getting eaten are small.
  • Reply 10 of 330

    crap! oh well, i can't say it was fun while it lasted because it hasn't lasted!!

  • Reply 11 of 330
    19831983 Posts: 1,224member
    Cracked within a couple of days! This is not good for Apple, basically they've been promoting a security technology that it turns out, isn't all that secure! Their finger-print sensor now is nothing more than a convenient way for unlocking an iPhone. I really hope they can fix it (doubtful) because the haters are going to be all over this. This is something they should of looked into before purchasing AuthenTec in the first place. I remember at the time it was a rather rushed purchase - they maybe paying the price for that now. I wonder how Apple's damage control is going to handle this?
  • Reply 12 of 330
    lkrupplkrupp Posts: 9,472member
    Quote:
    Originally Posted by jason98 View Post



    And here we go, FingerGate begins image



    But seriously what's up with the SUBepidermal reading claims if this can be hacked with simple visual pattern scan?

     

    Care to provide a link where Apple claims this? As far as I know this nonsense was pulled out of some anonymous ass.

  • Reply 13 of 330
    19831983 Posts: 1,224member
    Quote:
    Originally Posted by DroidFTW View Post



    Anyone with a level head probably realized the TouchID system would be defeated in quick order. That said, it still may still prove to be an effective deterrent for crimes of opportunity (which I'd imagine most phone thefts are). Only time will tell.

     

    Yes, but Apple wanted much more from this technology over the long run. That seems to be quashed now. 

  • Reply 14 of 330
    saareksaarek Posts: 1,321member
    If you're working for MI6 or something then I can understand the concern.

    For the average user this level if security is more than enough.

    The average thief will simply wipe your phone and try to resell it.
  • Reply 15 of 330
    gatorguygatorguy Posts: 23,176member
    Is there a complete video from beginning to end? Without seeing the steps involved it's kinda pointless.

    Anything can be hacked. It's whether the time and effort to perform the hack are worth the end result (getting access to a phone). Creating a fake finger to open a safe or get access to a secure area might be worthwhile. I really doubt anyone would go through the effort to get the data that's on your phone.

    In a recent article Mr Cook commented on iPhones being used for secure payments. In that case it could be worth the effort.
  • Reply 16 of 330
    I'll believe it when a random, unregistered person puts the "copied" fingerprint on their finger and bypasses the scanner.

    Till then stop drinking so much German dude. It's not even October.
  • Reply 17 of 330
    asciiascii Posts: 5,941member

    It's a bit disappointing that it was beaten with established techniques, I thought Authentec had something new, and Apple paid a lot for it.

  • Reply 18 of 330
    mstonemstone Posts: 11,510member
    Quote:
    Originally Posted by 1983 View Post



    Cracked within a couple of days! This is not good for Apple, basically they've been promoting a security technology that it turns out, isn't secure! Their finger-print sensor now is just a convenient gimmick for unlocking an iPhone. I really hope they can fix it (doubtful) because the haters are going to be all over this! This is something they should of looked into before purchasing AuthenTec in the first place! I remember at the time it was a rather rushed purchase - they maybe paying the price for that now! I wonder how Apple's damage control is going to handle this?

     

    Yeah the damage is the headlines on tomorrow's front page. Almost no one's security will ever be exploited by this hack.

  • Reply 19 of 330
    1983 wrote: »
    Cracked within a couple of days! This is not good for Apple, basically they've been promoting a security technology that it turns out, isn't secure! Their finger-print sensor now is just a convenient gimmick for unlocking an iPhone. I really hope they can fix it (doubtful) because the haters are going to be all over this! This is something they should of looked into before purchasing AuthenTec in the first place! I remember at the time it was a rather rushed purchase - they maybe paying the price for that now! I wonder how Apple's damage control is going to handle this?

    I completely disagree with your assessment. If it is true (and based on my experience I think it is) that 50% of users include NO lock, this is many times more secure especially the true effort it takes to get around it. In no way does it support the claim from CCC: "Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access."
  • Reply 20 of 330
    This is a meaningless video. For this to be a verified crack of the Touch ID technology, the fake fingerprint should of been put on a person that wasn't the owner of the print. What verifiable means is there that the sensor didn't ready THROUGH the fake finger print to the persons finger.

    Until that happens I call this busted.
Sign In or Register to comment.