Publisher’s Letter

By

striscia

Two days after getting my brand new iPhone 5s, the fingerprint scanner stopped working. I couldn’t believe it. The iPhone wouldn’t recognize my thumb print, no matter how I caressed its button. I tried training the system to recognize my other thumb and my two index fingers. That didn’t work either. The new iPhone’s marquee feature was already a write-off. “Just works,” my ass.

The iPhone’s hottest new feature is as reliable as my cat.

Then the news broke that the Chaos Computer Club in Germany announced that it had “hacked” the sensor with a photo of a fingerprint. At first glance, this story looked really bad. Some German anarchist coders had used a slight of hand to crack a “foolproof” biometrics system with a simple picture? Before the phone flew into our eager hands, everyone imagined that more elaborate methods would be needed to fool Touch ID, like hacking someone’s finger off. But a simple picture? It was the biggest story of the weekend: “Apple’s Touch ID hacked in less than 48 hours.”

But turns out the “hack” — which is more correctly called a “spoof” — was anything but simple. It was a multi-step process that required considerable skill, specialist equipment and almost 30 hours of hard work.

Firstly, a clear, un-smeared fingerprint has to be found. This looks easy on CSI, but is tricky in real life. The fingerprint has to be “lifted” using standard crime scene techniques: cyanoacrylate fumes, fingerprint powder and fingerprint tape. Not stuff you’re likely to have on hand, in other words.

The lifted print is photographed at very high resolution (~2,400 dpi) and cleaned up in software. It’s printed on transparent sheet at 1,200 dpi using a laser printer with the toner settings turned way up, to ensure the maximum amount of toner is deposited. This creates a mold. Liquid latex or wood glue is poured into the mold and carefully peeled off when it has cured. The hacker breathes onto the mold to make it warm and moist and then presses it against the sensor. This method is well-known in the biometrics world and has a long history of fooling many other fingerprint sensors on the market.

So should you be worried? Not at all. On one hand, Touch ID will *not* protect your iPhone against a determined hacker. If a crook has the time and resources to target you, steal your phone, lift your fingerprints and create phonies, the fingerprint sensor will not prevent them from gaining entry.

But the average opportunist who finds your iPhone on the bus? Rest assured, your phone is safe.

As for my non-functioning sensor, I just retrained the system. The problem was my dry, scaly hands. If all journalists have thick skins, mine is really something else. (When my hands get really bad, a steroid cream thins it down and curbs cracking and bleeding.) I’d been using the cream and my hands looked like Heidi Klum’s when I first got the phone. But over the weekend my hands dried out like SpongeBob in Sandy’s dome. By Sunday, the sensor wouldn’t recognize any of my fingers or thumbs. I tried licking them and moisturizing my thumb, to no avail. So I deleted the five finger/thumbprints I’d trained the system on and started again. No problem! Touch ID now works flawlessly.

I just have to keep the moisturizer handy if I want to unlock my digital life.

Newsletters

Daily round-ups or a weekly refresher, straight from Cult of Mac to your inbox.

  • The Weekender

    The week's best Apple news, reviews and how-tos from Cult of Mac, every Saturday morning. Our readers say: "Thank you guys for always posting cool stuff" -- Vaughn Nevins. "Very informative" -- Kenly Xavier.