It's official. Security researchers Nick DePetrillo and Robert Graham have confirmed Germany-based Chaos Computer Club (CCC) hackers’ claim that they bypassed the fingerprint reader in Apple's iPhone 5s, called "Touch ID".
There was nothing fancy about this hack. As the CCC explained, "First, the fingerprint of the enrolled user is photographed with 2400 [dots per inch] DPI resolution. The resulting image is cleaned up, inverted, and laser printed with 1200 DPI onto a transparent sheet with a thick toner setting. Finally, pink latex milk or white wood glue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist, and then placed onto the sensor to unlock the phone."
That's it. No fancy magical hacker tricks. No cyber-ninja stealth entry into Apple's headquarters at 1 Infinite Loop in Cupertino, CA. Simply the same-old kitchen-sink technology that's been used to break fingerprint scanners for years.
For accomplishing this, Starbug, the first hacker to show off the method, has been awarded more than $11,000 and other swag, including bottles of alcohol, a portrait, a book of erotica, and a free patent application. Not bad!
DePetrillo and Graham had been sure that the iPhone 5s’ fingerprint scanner could be breached. What surprised them was how easy it was. Graham wrote, "We claimed it'd be harder. We assumed that a higher resolution sensor wouldn't be so simply defeated with just a higher resolution camera. We bet money. We lost (and Starbug of the CCC won)."
Graham continued, "Many people claim this hack is 'too much trouble.' This is profoundly wrong. Just because it's too much trouble for you doesn't mean it's too much trouble for a private investigator hired by your former husband. Or the neighbor's kid. Or an FBI agent. … This sort of stuff is easy, easy, easy -- you just need to try."
That said, this "doesn't mean Touch ID is completely useless," wrote Graham. "Half the population doesn't lock their phone at all because it's too much trouble entering a 4 digit PIN every time they want to use it. If any of them choose to use Touch ID security instead of no security, then it's a win for security."
Just keep in mind that if your job requires you to be secure on your phone, the iPhone 5s’ Touch ID isn't the fail-proof security method that you might have thought it would be.