Bypassing Apple TouchID child's play, hacker says

Summary: According to the hacker who broke into Apple's biometric security on the iPhone 5s, circumventing the system was "no challenge at all."

TOPICS: Security, Apple, iPhone

When Apple unveiled the iPhone 5s, a smartphone which includes fingerprint recognition technology to boost security and encourage consumers to lock their devices, the debate raged over whether biometric technology was secure and reliable enough for public consumption.

Only days after launch, a German hacking group claimed they had broken the TouchID security measures. The Chaos Computer Club (CCC) posted a video to YouTube which documented how TouchID was circumvented.

One hacker, nicknamed Starbug, ran the experiments, and after successfully breaking through security, wrote:

"In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake. As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints."

On its website, Apple says that the biometric technology provides “a very high level of security,” and security researcher Marc Rogers from Lookout remained a fan. The security expert devised his own way of breaking into the system, and explained the method in a blog post, saying:

"Yes, TouchID has flaws, and yes, it's possible to exploit those flaws and unlock an iPhone. But, the reality is these flaws are not something that the average consumer should worry about. Why? Because exploiting them was anything but trivial. Hacking TouchID relies upon a combination of skills, existing academic research and the patience of a Crime Scene Technician."

Together with 48 hours, it seems, if you are at the same level as Starbug.

Following the successful hack, Starbug spoke to Ars Technica about how the system was so quickly bypassed. In an email, the German hacker said:

"It was way easier than expected. I thought it would take at least a week and some fancy chip/bus hacking."

Starbug hacked the biometric system "because he could," and while critical of advertisements that deem the technology safe, the hacker says that compared with using no PIN code at all, the quicker lock system is more efficient. In addition, Starbug says that Apple knew TouchID would be hacked eventually, and that the use of biometrics to recognize people "is problematic."

It took Starbug nearly 30 hours to create a bypass that was reliable, but "with better preparation it would have taken approximately half an hour."

"I spent significantly more time trying to find out information on the technical specification of the sensor than I actually spent bypassing it," Starbug told Ars. "I was very disappointed, as I hoped to hack on it for a week or two. There was no challenge at all; the attack was very straightforward and trivial."

Far from being "anything but trivial," as Rogers believes, the hacker says that breaking into TouchID can be done at home with inexpensive office equipment such as an image scanner, laser printer and PCB etching kit -- and would only take a few hours.

Starbug may have been left disappointed over how easy the hack was, but he hasn't been left unrewarded for his efforts. The crowdfunded hacking competition to break through TouchID, hosted on istouchidhackedyet.com, has granted him thousands of dollars, wine, bourbon, bitcoins and an iPhone 5c to enjoy.

Talkback

37 comments
  • Yeah ya know

    I mean, once a person steals your phone, where are they going to get your finger print??? I mean it isn't like you touch the phone anyplace else right? =D
    slickjim
    • Actually...

      Despite what Starbug says, the security features on the iPhone make it a bit more secure than he claims. First off, have you tried getting a high definition fingerprint off of someone's smartphone? I know I rarely ever place my fingers in a way that would leave a full finger print and even then it is quickly removed by the swipes and taps I use to control my phone.

      Even if they do manage to get your finger print they then have to have access to your phone. Once you detect it's stolen you can just wipe it from iCloud.com. If they turn off your phone then Touch ID isn't accessible until the pass code is entered at least once. And if you are worrying about airplane mode just disable control center and Siri access from the lock screen. All in all, the security features Apple has added to its phones make them pretty secure devices.

      Typos by iPhone
      Grammar fails by me.
      Armand Choy
      • @Armand Choy

        If someone gains access to your phone and you 'detected' that your phone is stolen, iCloud is the only way. But you can do it even without biometric sensor buddy. iCloud can be used even when you use pin on your iPhone. So your point regarding what if someone gains access to your iPhone is moot.

        Second, Mr. Starbug's method is difficult. True. But he is not the best out there. He is the first to break into biometric. More will follow buddy. iPhone is not just a cheap phone, you know. It is worth a lot.

        Last, but not the least. iCloud is a good solution if you lost your phone. But imagine how much it will be helpful if the thief takes it to a place without internet (3G/LTE). Then he will have all the time in the world to break into your phone. Best solution: Don't lose your phone; gesture based unlock is far more secure than fingerprint sensor.
        spicycheeks
        • I agree

          As others have said, a 5 digit pin is actually twice as secure.

          Maybe Apple should make any access 2 factor if the device hasn't been successfully unlocked within 60 minutes... Then the idea of creating a good finger print is gone because you'll also need the pin and will never know if one works without the other.
          slickjim
        • iCloud isn't all that great of a solution

          because it doesn't completely brick the phone, it can go through a hard reset and be used. Only BlackBerry has a solution that allows the phone to be completely bricked upon theft, something that hard reset can do absolutely nothing about.
          Jacob VanWagoner
          • No one has hacked the iCloud solution yet.

            It will happen, but an iPhone is worth less in parts than it is as a phone.

            However, you need to take security precautions to make iCloud viable, in the form of device restrictions. Also, unless a specific phone is targeted for corporate or government espionage, most iPhone thieves won't mess with the fingerprint thing.
            Champ_Kind
          • Read up on iOS7

            They changed how the Hard Reset, etc is handled.
            Johnpford
      • seriously???

        Dude, the screen isn't the only place you touch your phone! And high def? Really??? It is not impossible once you have the image.
        slickjim
  • OK, now let's see him spread a worm with it

    ...um, yeah. I thought so.
    Mac_PC_FenceSitter
    • How is that relevant?

      The point of bypassing log in security is to get access to your data, or to make purchases with your credit information.

      Your analogy is like saying 'Sure you can break into my house - but can you blow up a satellite once you're in my house?'
      The Werewolf!
  • There will be solutions...

    It won't be long before we'll see screen covers and cases made with materials that won't hold a fingerprint. Besides, this is still too difficult for most people.

    Remember in The Godfather when Clemenza wraps the handle and trigger of the gun Michael used to kill the Turk and the crooked cop with some sort of tape so his fingerprints wouldn't be on it? Plus, if you really need to add another level security, add a passcode. You also have Find My Phone, and remote wipe. Seems more secure than most of what's out there to me.
    gtdworak
  • silly apple

    the rest of the world ditched fingerprints 5 years ago, and they think it's some great new tech

    What's next apple? You claim you just invented the wheel...err iWheel?
    everss02
    • Ok Mr Negative...

      What elegant solution would you suggest? Are you saying you'd rather enter a code every time your phone rings? Does any other phone use Touch ID that's as dependable and responsive as what's on the iPhone? Are you familiar with remote wipe and Find My Phone? Tell us of this other great phone that does all of this, and does it better than Apple.
      gtdworak
      • OOOOhhhh... You're smart...

        What phone is it that makes you enter the pass code every time it rings again? What's that? None of them? Hmmm...

        Does any other phone need touch ID? Nope.

        Remote wipe and find my iPhone are nifty... Assuming you realize that your phone has been stolen within seconds of it happening and immediately run to the nearest computer to track it down / wipe it.

        The reality is that most people will spend hours / days looking for it before it occurs to them to do that. Plenty of time for a thief to unlock your phone and change your password.

        Why would any other phone want to do this better than apple? Why would any other phone want to do this at all?
        mrefuman
        • Dude, just get a BlackBerry

          if you are concerned about phone theft. Call customer service and they can PIN Block your phone, making it 100% useless to the thief no matter what they try to do to it. Sure, they might (within a few hours) correctly guess your password, but the main reason most thugs steal a phone isn't to get data from it, it's to have a piece of hardware that you can use personally or sell for cash. PIN block capability makes it a waste of time to steal a phone.
          Jacob VanWagoner
          • or..

            The company can just go bankrupt or their data service can go down and brick all of the phones. Sorry, I just could resist.
            Johnpford
    • it did?

      Because I can't remember ever seeing a biometric phone before.
      Mac_PC_FenceSitter
      • 2011-

        Motorola Atrix
        ccramos
      • Hmm

        Just because you don't remember it doesn't mean it didn't exist.

        Reality is, this tech is better for 2 factor authentication so, you have to consider that it can be used to make the phone more secure but, it should not be stand alone technology.
        slickjim
      • Actually...

        There have been several Windows CE based phones with a fingerprint reader - made by the same company that makes Apple's reader, as a matter of fact (Authentec). And as others have noted, the Motorola Atrix had it as well.
        The Werewolf!