Apple's Touch ID already bypassed with established 'fake finger' technique

Posted:
in iPhone edited January 2014
A hacker group in Germany claims to have defeated Apple's new Touch ID biometric security system by using a modified fingerprint lifting and "fake finger" creation technique.

Touch ID


In a post to its website on Sunday, the Chaos Computer Club claimed to have bypassed the iPhone 5s' Touch ID sensor hardware, just two days after the smartphone was released on Friday.

According to a detailed walkthrough of the bypass provided by the group's biometrics hacking team, the iPhone 5s' Touch ID hardware is, in effect, merely a higher resolution version of existing sensors. This means the system can be defeated using common fingerprint lifting techniques, albeit at a more refined level.

"In reality, Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake", said a CCC hacker nicknamed Starbug. "As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints."

While the process is somewhat complex, the thinking behind it is straightforward. In this case, a high-resolution 2400 dpi photo of a user's fingerprint was harvested from a glass surface using graphite dust or cyanoacrylate (the main ingredient in Super Glue) and a camera. The resulting image was cleaned up and inverted with photo editing software, then laser printed at 1200 dpi onto a transparent sheet.

To create the fake fingerprint, pink latex milk or white wood glue is laid over the printout and allowed to set. Once cured, the dummy can be peeled off the transparency, breathed on to produce a thin layer of moisture, and applied to a finger. This will grant access to a Touch ID protected device, CCC claims.

A video of the unlocking process was uploaded to YouTube.



"We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token", said CCC spokesman Frank Rieger. "The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access."

It should be noted that Apple never claimed Touch ID was a new technology, nor did the company say the method was foolproof. As seen above, there are many caveats in the production of a "fake finger," from latent fingerprint quality to digitization and printing. In addition, a would-be thief would need access to the iPhone itself after the fake is produced.

Also not taken into account is Apple's Find My iPhone app, which allows a lost or stolen phone to be wiped remotely. This leaves the window for breaking into the 5s very small, and would likely thwart all but the most dedicated criminals.

Apple's Touch ID is the company's first attempt at including a biometric security method in its consumer products. The technology comes from AuthenTec, a biometrics firm specializing in fingerprint hardware, which Apple purchased in 2012 for $356 million.

The extent to which Apple plans to incorporate biometric technology is unclear, though as it stands, Touch ID is used to unlock the iPhone 5s and make iTunes purchases. Third parties do not have access to the sensor's API, but that may change if the tech becomes a larger part of the iOS ecosystem.

Comments

  • Reply 1 of 330
    droidftw Posts: 1,009 member
    Anyone with a level head probably realized the TouchID system would be defeated in quick order. That said, it may still prove to be an effective deterrent for crimes of opportunity (which I'd imagine most phone thefts are). Only time will tell.
  • Reply 2 of 330
    I'm pretty sure I don't recall Apple ever saying it was uncrackable. But it sure does beat having to enter a PIN or password way too often.
  • Reply 3 of 330
    wings Posts: 261 member
    By the time a thief steals my phone, and SOMEHOW also gets my fingerprint (OK, maybe there's one unsmudged print left on my phone, but odds are 1-in-10 that it's my recorded print), and scans it at 2400dpi, prints it with a good printer at very high resolution, puts a layer of latex over it and WAITS for that to dry, I will have already set a passcode and/or wiped the phone. Not to mention I have activation lock enabled so he (or anyone he sells it to) would need my passcode to activate it.

    Not worried. It's more than enough protection for little ole me.
  • Reply 4 of 330
    rogifan Posts: 10,669 member
    Let me guess...this CCC outfit has an agenda and will use Apple to further it.
  • Reply 5 of 330
    Is there a complete video from beginning to end? Without seeing the steps involved it's kinda pointless.

    Anything can be hacked. It's whether the time and effort to perform the hack are worth the end result (getting access to a phone). Creating a fake finger to open a safe or get access to a secure area might be worthwhile. I really doubt anyone would go through the effort to get the data that's on your phone.
  • Reply 6 of 330
    And here we go, FingerGate begins ;)

    But seriously what's up with the SUBepidermal reading claims if this can be hacked with simple visual pattern scan?
  • Reply 7 of 330
    My front door lock can be picked. Guess I am foolish. Will leave my doors open from now on.
  • Reply 8 of 330
    This video is misleading.

    Assuming that the screen for setting up a second finger is the same as the first...

    1. Notice he doesn't try the middle (unlocking) finger FIRST, to show that it CANNOT unlock the phone by itself.
    2. Thus, the film he puts on his finger could be anything, because the middle finger could already be set up to unlock. The phone unlocks because it might already be set up.

    And that doesn't even address if it's possible to get a complete enough print on a phone surface to photograph at the 2400dpi. Doubtful.

    Way too much NOT shown in this clip.
  • Reply 9 of 330
    lkrupp Posts: 10,557 member
    So which is easier to defeat and in how short a time?

    A four digit PIN that can be hacked relatively easily and fast?

    Or the Touch ID sensor... after going through the tedious process described by the hackers?

    I'll use the Touch ID because it's "secure enough" and easier than entering the PIN every time. This feature will become insanely popular for the general public and you can bet your paycheck the competition will follow suit. And when the competition follows suit you'll suddenly see all the "ha, ha, this is so easy to defeat" comments disappear into thin air. Why do we pay attention to anonymous tech types who make ridiculous statements about things they know little about, including some German with incredibly shaky hands.

    For the average Joe User, who would take the time to do this? I can see the police or government agencies doing it but the common thief who lifts your iPhone on the street?

    I really can't take seriously those who make a big deal out of these security hacks. In this day and age your only real protection is the safety of large numbers. Like a school of fish herded by Dolphins, your chances of actually getting eaten are small.
  • Reply 10 of 330

    crap! oh well, i can't say it was fun while it lasted because it hasn't lasted!!

  • Reply 11 of 330
    1983 Posts: 1,225 member
    Cracked within a couple of days! This is not good for Apple, basically they've been promoting a security technology that it turns out, isn't all that secure! Their finger-print sensor now is nothing more than a convenient way for unlocking an iPhone. I really hope they can fix it (doubtful) because the haters are going to be all over this. This is something they should have looked into before purchasing AuthenTec in the first place. I remember at the time it was a rather rushed purchase - they may be paying the price for that now. I wonder how Apple's damage control is going to handle this?
  • Reply 12 of 330
    lkrupp Posts: 10,557 member
    Quote:
    Originally Posted by jason98 View Post



    And here we go, FingerGate begins ;)



    But seriously what's up with the SUBepidermal reading claims if this can be hacked with simple visual pattern scan?

     

    Care to provide a link where Apple claims this? As far as I know this nonsense was pulled out of some anonymous ass.

  • Reply 13 of 330
    1983 Posts: 1,225 member
    Quote:
    Originally Posted by DroidFTW View Post



    Anyone with a level head probably realized the TouchID system would be defeated in quick order. That said, it may still prove to be an effective deterrent for crimes of opportunity (which I'd imagine most phone thefts are). Only time will tell.

     

    Yes, but Apple wanted much more from this technology over the long run. That seems to be quashed now. 

  • Reply 14 of 330
    saarek Posts: 1,523 member
    If you're working for MI6 or something then I can understand the concern.

    For the average user this level of security is more than enough.

    The average thief will simply wipe your phone and try to resell it.
  • Reply 15 of 330
    gatorguy Posts: 24,211 member
    Is there a complete video from beginning to end? Without seeing the steps involved it's kinda pointless.

    Anything can be hacked. It's whether the time and effort to perform the hack are worth the end result (getting access to a phone). Creating a fake finger to open a safe or get access to a secure area might be worthwhile. I really doubt anyone would go through the effort to get the data that's on your phone.

    In a recent article Mr Cook commented on iPhones being used for secure payments. In that case it could be worth the effort.
  • Reply 16 of 330
    I'll believe it when a random, unregistered person puts the "copied" fingerprint on their finger and bypasses the scanner.

    Till then stop drinking so much German dude. It's not even October.
  • Reply 17 of 330
    ascii Posts: 5,936 member

    It's a bit disappointing that it was beaten with established techniques, I thought Authentec had something new, and Apple paid a lot for it.

  • Reply 18 of 330
    mstone Posts: 11,510 member
    Quote:
    Originally Posted by 1983 View Post



    Cracked within a couple of days! This is not good for Apple, basically they've been promoting a security technology that it turns out, isn't secure! Their finger-print sensor now is just a convenient gimmick for unlocking an iPhone. I really hope they can fix it (doubtful) because the haters are going to be all over this! This is something they should have looked into before purchasing AuthenTec in the first place! I remember at the time it was a rather rushed purchase - they may be paying the price for that now! I wonder how Apple's damage control is going to handle this?

     

    Yeah the damage is the headlines on tomorrow's front page. Almost no one's security will ever be exploited by this hack.

  • Reply 19 of 330
    1983 wrote: »
    Cracked within a couple of days! This is not good for Apple, basically they've been promoting a security technology that it turns out, isn't secure! Their finger-print sensor now is just a convenient gimmick for unlocking an iPhone. I really hope they can fix it (doubtful) because the haters are going to be all over this! This is something they should have looked into before purchasing AuthenTec in the first place! I remember at the time it was a rather rushed purchase - they may be paying the price for that now! I wonder how Apple's damage control is going to handle this?

    I completely disagree with your assessment. If it is true (and based on my experience I think it is) that 50% of users include NO lock, this is many times more secure especially the true effort it takes to get around it. In no way does it support the claim from CCC: "Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access."
  • Reply 20 of 330
    This is a meaningless video. For this to be a verified crack of the Touch ID technology, the fake fingerprint should have been put on a person that wasn't the owner of the print. What verifiable means is there that the sensor didn't read THROUGH the fake fingerprint to the person's finger?

    Until that happens I call this busted.