Apple iPhone fingerprint reader confirmed as easy to hack

Summary: So much for Apple's newest security trick. Alas, it seems that an old way of beating fingerprint scanners works on the new iPhones too.

TOPICS: Security, Apple, iPhone

It's official. Security researchers Nick DePetrillo and Robert Graham have confirmed Germany-based Chaos Computer Club (CCC) hackers’ claim that they bypassed the fingerprint reader in Apple's iPhone 5s, called "Touch ID".

Apple iPhone 5s Touch ID fingerprint scanner isn't really all that secure after all. (Credit: Apple)

There was nothing fancy about this hack. As the CCC explained, "First, the fingerprint of the enrolled user is photographed with 2400 [dots per inch] DPI resolution. The resulting image is cleaned up, inverted, and laser printed with 1200 DPI onto a transparent sheet with a thick toner setting. Finally, pink latex milk or white wood glue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist, and then placed onto the sensor to unlock the phone."

That's it. No fancy magical hacker tricks. No cyber-ninja stealth entry into Apple's headquarters at 1 Infinite Loop in Cupertino, CA. Simply the same-old kitchen-sink technology that's been used to break fingerprint scanners for years.

For accomplishing this, Starbug, the first hacker to show off the method, has been awarded more than $11,000 and other swag, including bottles of alcohol, a portrait, a book of erotica, and a free patent application. Not bad!

DePetrillo and Graham had been sure that the iPhone 5s’ fingerprint scanner could be breached. What surprised them was how easy it was. Graham wrote, "We claimed it'd be harder. We assumed that a higher resolution sensor wouldn't be so simply defeated with just a higher resolution camera. We bet money. We lost (and Starbug of the CCC won)."

Graham continued, "Many people claim this hack is 'too much trouble.' This is profoundly wrong. Just because it's too much trouble for you doesn't mean it's too much trouble for a private investigator hired by your former husband. Or the neighbor's kid. Or an FBI agent. … This sort of stuff is easy, easy, easy -- you just need to try."

That said, this "doesn't mean Touch ID is completely useless," wrote Graham. "Half the population doesn't lock their phone at all because it's too much trouble entering a 4 digit PIN every time they want to use it. If any of them choose to use Touch ID security instead of no security, then it's a win for security."

Just keep in mind that if your job requires you to be secure on your phone, the iPhone 5s’ Touch ID isn't the fail-proof security method that you might have thought it would be.


Talkback

33 comments
  • Great! So in other words

    all you have to do before (or after) you find or steal the phone is to get the owner to allow you to photograph his finger to bypass the security.

    Sounds pretty straightforward if you ask me...
    William Farrel
    • How many fingerprints do you think are on the phone itself?

      nt
      ye
      • None that are good enough for the scanner

        While you may leave greasy fingerprints on the phone, chances are they are all smudged sufficiently to thwart any photography and cleanup that would fool the scanner.

        Yes, it can be defeated, but it is impractical to do so.
        Cynical99
        • Keep thinking that

          Right now security conscious individuals and businesses are going "WTH!?!".
          Wonder who is being replaced next at Apple?
          What do you want to bet they have an upgrade / update of some kind before it comes out on the iPads?
          rhonin
          • I'll tell you what

            put a couple nice clean fingerprints on your phone and photograph them, clean them up, and post them somewhere for all to see your masterpiece of clandestine operations.

            Not up to the challenge? Didn't think so.

            If you've ever worked with finger print experts, you'll find prints rarely exist in a perfectly clean state but only bits and pieces are usually available because everyone smudges everything.

            The method is sufficient to thwart the average thief that steals a phone hoping to turn a quick buck or to keep the kids out.

            After all, what level of security are you really after for your phone?

            With your lame comments, it seems you want perfection, which the only way to achieve that is to disconnect the phone from the network, and lock it in a safe, and possibly destroy the battery. Perfect security. Of course, the device is perfectly useless.

            A security professional you aren't
            Cynical99
      • Fingerprints on the phone

        "Fingerprint-resistant oleophobic coating" is used on the iPhone since the 3GS model.
        danbi
    • Clickbait.

      Good point but they'd have to photograph all ten fingers. Which one opens the phone? Who knows?
      dolph0291
      • dolph0291

        Great point!

        No one said you had to use your finger. Any body part will do.
        TimeForAChangeToBetter
    • Nope, don't need the owner

      The fingerprint can be easily lifted. See this video demo:
      http://youtu.be/HM8b8d8kSNQ
      Marc-LI
      • Not hardly

        the person hacking the phone had a pre-prepared print ready and waiting. You can't tell how much effort went into making that little printed paper he used.

        At least understand the process a thief must follow to get a copy of your print. This video shows someone with prepared tools with their own fingerprint used to hack the iPhone.

        Are you really that foolish?
        Cynical99
  • One possible method to 'harden' this security method is to

    Use a finger that one rarely would expect to come in contact with the iPhone. I call this method the "Pinky". Seriously. Very Big Grin.

    Let me explain the "Pinky".

    I'm right handed. When using my iPhone 5, I hold the phone in my right hand. My left hand rarely comes in contact with my iPhone. If I had the iPhone 5s, I would use my left hand "pinky" finger as my Touch ID sensor fingerprint. After unlocking the phone, I would simply smear the home button with my right hand thumb (a natural action).

    Eureka! Besides, even Captain Picard sips his Earl Grey properly with his pinky finger avoiding contact with his tea cup. Grin.
    kenosha77a
    • Good idea but

      That's a great idea (and totally true,) but it defeats the purpose of the fingerprint sensor which is convenience. I don't know if anyone was under the illusion that the fingerprint reader was foolproof or terribly secure, but that it offers a very convenient way to secure your phone without changing your behavior of pressing the home button with your thumb.

      This may be a "simple" bypass, but you need a good clean fingerprint to start with. I expect you'll only see this effort employed by law enforcement when they have you locked up and want access to your phone.

      If you want your phone to be secure, set a 10 character password and don't use the fingerprint. But if you do that, then chances are you'll just disable the feature out of inconvenience.
      RF9
      • taylor@...

        " I don't know if anyone was under the illusion that the fingerprint reader was foolproof or terribly secure, "

        Only the Windows Fanbois and Android Fanbois are making it out to be fool proof. It gives them more of a reason to hate anything not made by Microsoft or Google.
        TimeForAChangeToBetter
        • To Be Fair...

          ...the "Perfect Apple" narrative is an invention of the lazy tech press, and has been used now almost daily because they are bored with the "Apple is on top of the world" narrative and desperately want something scandalous to write about.

          So in lieu of the actual failure of Apple, the tech press and the Wall St propaganda arm of the financial press have just gone ahead and invented scandal out of whole cloth.
          His_Shadow
  • All in all, the fingerprint scanner is at least equal to most other

    methods. The hassle of obtaining a usable fingerprint, photographing it, cleaning it up, printing it on appropriate paper and then finally opening the phone seems a bit much even for a $500 device.

    While no method is foolproof, this seems sufficient for the device it is intended to protect.
    Cynical99
  • Not that big a deal…

    As I pointed out yesterday, it seems when reporting on this the full story of how the security works is left out. Either because people don't do their research, or they like to incite the hate wars against a particular provider.

    If 48 hours go by after the last use of TouchID, it disables itself. It then reverts to the passcode you are required to enter when enabling the feature. Additionally, rebooting the device also disables TouchID and then requires the passcode. Also, if the user initiates a remote wipe, the attached apple account needs to be verified in order to reactivate the phone.

    So… TouchID is a good thing. It's way better than not having a passcode, and way more convenient than entering it all the time. If someone picks up or steals your phone they're not going to be able to "hack" the TouchID before one of the other security features kicks in. Most likely if someone is stealing your phone, they will shut it off to prevent being tracked, which will disable TouchID. If they don't shut it off, and you report it stolen and initiate a wipe, then it will require the apple account.

    Ok so someone with a bunch of equipment and a lot of time on their hands and the ability to pull a really good print off something can hack the TouchID. If someone sitting next to you at starbucks has a very expensive looking piece of equipment and asks to see your hand, walk away :P

    (it's also doubtful that a smudged print from the phone would be good enough to do the same trick.. considering they are taking a 2400dpi picture directly of the "live" print)
    tk_77
    • So Sad

      Just another feature for enterprise to shut off.
      If this was hacked so quickly using old school tech, this means we will highly likely see other methods - newer tech - in the foreseeable future. With all the "experts" in biometric security, I wonder why Apple went this route.
      I think this will end up in the Apple "gimmick" heap.
      rhonin
      • It just may wind up on the scrap heap

        But IMHO it was about "convenience" why Apple went with it. If you can make some security convenient such that people will actually use it it will be far better than none because you made it too difficult to use. And rest assured what IT geeks think is "easy enough" bears absolutely no resemblance to what end users consider is "easy enough" such that they will use it and not look elsewhere. And this is really casual security we are talking about, not high level security.

        It may work, and if it does other manufacturers and Apple will devote additional resources towards improving its accuracy and "security" in the future. Or it may flop in which case it will die a quiet death and not appear in future iPhone releases.
        oncall
      • Dumbass

        That you think having a copy of the fingerprint used to secure the device then being used to unlock the device is a "hack" you are a dumbass.
        His_Shadow
    • Why steal the phone?

      If they are after the data, then they would get your fingerprint from a glass etc. and then sneak access to the phone when you aren't around, offload the data they want and put it back where they found it. You'd never know.

      It makes it harder for casual thieves, but for the private investigator, FBI etc. as mentioned in the article, they want the data, not the phone, so they want access to the phone when you don't have it on you (in a locker at a gym or pool, left on your office desk etc.) to extract any incriminating data they need.
      wright_is