When Apple unveiled the iPhone 5s, a smartphone which includes fingerprint recognition technology to boost security and encourage consumers to lock their devices, the debate raged over whether biometric technology was secure and reliable enough for public consumption.
Only days after launch, a German hacking group claimed they had broken the TouchID security measures. The Chaos Computer Club (CCC) posted a video to YouTube which documented how TouchID was circumvented.
One hacker, nicknamed Starbug, ran the experiments, and after successfully breaking through security, wrote:
"In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake. As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints."
On its website, Apple says that the biometric technology provides “a very high level of security,” and security researcher Marc Rogers from Lookout remained a fan. The security expert devised his own way of breaking into the system, and explained the method in a blog post, saying:
"Yes, TouchID has flaws, and yes, it's possible to exploit those flaws and unlock an iPhone. But, the reality is these flaws are not something that the average consumer should worry about. Why? Because exploiting them was anything but trivial. Hacking TouchID relies upon a combination of skills, existing academic research and the patience of a Crime Scene Technician."
Together with 48 hours it seems, if you are up to the same level as Starbug.
Following the successful hack, Starbug spoke to Ars Technica about how the system was so quickly bypassed. In an email, the German hacker said:
"It was way easier than expected. I thought it would take at least a week and some fancy chip/bus hacking."
Starbug hacked the biometric system "because he could," and while critical of advertisements that deem the technology safe, the hacker says that compared to the use of no safety PIN codes, the quicker lock-system is more efficient. In addition, Starbug says that Apple knew TouchID would be hacked eventually, and the use of biometrics to recognize people "is problematic."
It took Starbug nearly 30 hours to create a bypass that was reliable, but "with better preparation it would have taken approximately half an hour."
"I spent significantly more time trying to find out information on the technical specification of the sensor than I actually spent bypassing it," Starbug told Ars. "I was very disappointed, as I hoped to hack on it for a week or two. There was no challenge at all; the attack was very straightforward and trivial."
Far from being "anything but trivial," as Rogers believes, the hacker says that breaking into TouchID can be done at home with inexpensive office equipment such as an image scanner, laser printer and PCB etching kit -- and would only take a few hours.
Starbug may have been left disappointed over how easy the hack was, but he hasn't been left unrewarded for his efforts. The crowdfunded hacking competition to break through TouchID, hosted on istouchidhackedyet.com, has granted him thousands of dollars, wine, bourbon, bitcoins and an iPhone 5c to enjoy.