Hacking Group Bypasses iPhone 5s Touch ID With Lifted Fingerprint

Screen-Shot-2013-09-21-at-16.27.10-640x426

The Touch ID fingerprint sensor in the iPhone 5s has already been hacked—well, kind of. Over the weekend, a hacking team called the Chaos Computer Club (CCC) published a way to bypass Touch ID by replicating a lifted fingerprint.

Apple calls Touch ID “the most advanced hardware or software we’ve put in any device,” and the company believes the technology is the perfect replacement for a passcode. CCC disagrees.

“In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake”, said the hacker with the nickname Starbug, who performed the critical experiments that led to the successful circumvention of the fingerprint locking. “As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints.”

What CCC had to do to bypass Touch ID is essentially create a fake finger out of latex.

First, the fingerprint of the enroled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.

CCC positions its discovery as evidence that Apple’s Touch ID isn’t a better alternative to a 4-digit pin. Senator Al Franken recently voiced similar concerns in an open letter to the company. Apple’s argument is that the majority of iPhone users don’t put any passcodes on their iPhones to begin with, so Touch ID is intended to encourage security.

Sure, an elaborate process could theoretically be used to lift your fingerprint and get into your iPhone (assuming there’s physical access to your fingerprint and iPhone to begin with). But does that make it less secure than cracking a 4-digit pin? If someone is willing to go through this process to get into your iPhone, you’ve probably got bigger security issues to worry about.

Related
  • technochick

    I would be more impressed if someone who was not the owner of the phone was the one to give the phone ‘the finger’. just to show that there was no way that it was fooled by similarities in fingerprints from the same person.

    And if they showed that this whole thing could be done with basic household items and in under the 48 hours that locks the phone to the passcode by showing us the whole procedure in detail and real time. Because if it can’t be done in under 48 hours from the last time the owner unlocked the phone all the fake fingers in the world will be useless

  • Angeluskarl

    Is it me or is the guy some sort of junkie the amount he is shaking? How do we know the other finger isnt already set up?

  • Adrayven

    If you’re going to goto that kind of trouble, when your mugging them, just wait until they put there finger on the button first, then nab and run. pfffff.. lol

    Even then, most are not after the data, but the phone for resale market. Even if they were after the phone, the amount of effort you’d have to put into getting a good finger print read is crazy.

  • randy_khan

    In other words, to “hack” this system, you need to start with the finger of the person whose phone you want to use. If you have the finger, you don’t need to do the rest.

    And, honestly, I’m not interested in comparing this system to a theoretically perfect security system. I’m more interested in comparing it to what we have today, which for about half of all iPhone users is no security at all. If you can have access to the phone with your fingerprint (that is, more or less by pressing the home button), rather than remembering and entering a passcode, you’re more likely to use security in the first place.

  • TheMartinDobson

    THIS JUST IN!

    If someone is looking over your shoulder while you type in your passcode in iOS6, then THEY CAN UNLOCK AND STEAL YOUR PHONE!!!

    This might be a perfect time to panic!

  • marcomeneghello

    Just register two fingers and BOOM! Do the magic!

  • Bear

    Well, there go my plans to store the nuclear launch codes on my phone.

  • azntaiji

    Wouldn’t Two-Step Verification requiring both a fingerprint and passcode be a solution to this, for people that have extreme security concerns?

About the author

Alex HeathAlex Heath has been a staff writer at Cult of Mac for three years. He is also a co-host of the CultCast. He has been quoted by places like the BBC, KRON 4 News, and books like "ICONIC: A Photographic Tribute to Apple Innovation." If you want to pitch a story, share a tip, or just get in touch, additional contact information is available on his personal site. Twitter always works too. All DMs excepted.

(sorry, you need Javascript to see this e-mail address)| Read more posts by .

Posted in News | Tagged: |