Apple iPhone fingerprint reader confirmed as easy to hack

So much for Apple's newest security trick. Alas, it seems that an old way of beating fingerprint scanners works on the new iPhones too.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

It's official. Security researchers Nick DePetrillo and Robert Graham have confirmed Germany-based Chaos Computer Club (CCC) hackers’ claim that they bypassed the fingerprint reader in Apple's iPhone 5s, called "Touch ID".

Apple's iPhone 5s Touch ID fingerprint scanner isn't really all that secure after all. (Credit: Apple)

There was nothing fancy about this hack. As the CCC explained, "First, the fingerprint of the enrolled user is photographed with 2400 [dots per inch] DPI resolution. The resulting image is cleaned up, inverted, and laser printed with 1200 DPI onto a transparent sheet with a thick toner setting. Finally, pink latex milk or white wood glue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist, and then placed onto the sensor to unlock the phone."

That's it. No fancy magical hacker tricks. No cyber-ninja stealth entry into Apple's headquarters at 1 Infinite Loop in Cupertino, CA. Simply the same-old kitchen-sink technology that's been used to break fingerprint scanners for years.

For accomplishing this, Starbug, the first hacker to show off the method, has been awarded more than $11,000 and other swag, including bottles of alcohol, a portrait, a book of erotica, and a free patent application. Not bad!

DePetrillo and Graham had been sure that the iPhone 5s’ fingerprint scanner could be breached. What surprised them was how easy it was. Graham wrote, "We claimed it'd be harder. We assumed that a higher resolution sensor wouldn't be so simply defeated with just a higher resolution camera. We bet money. We lost (and Starbug of the CCC won)."

Graham continued, "Many people claim this hack is 'too much trouble.' This is profoundly wrong. Just because it's too much trouble for you doesn't mean it's too much trouble for a private investigator hired by your former husband. Or the neighbor's kid. Or an FBI agent. … This sort of stuff is easy, easy, easy -- you just need to try."

That said, this "doesn't mean Touch ID is completely useless," wrote Graham. "Half the population doesn't lock their phone at all because it's too much trouble entering a 4 digit PIN every time they want to use it. If any of them choose to use Touch ID security instead of no security, then it's a win for security."

Just keep in mind that if your job requires you to be secure on your phone, the iPhone 5s’ Touch ID isn't the fail-proof security method that you might have thought it would be.
