
Summary:

The venerable Chaos Computer Club hacker collective claims to have bypassed Apple’s much-vaunted TouchID biometric security mechanism, as used in the new iPhone 5s. Here’s what they did, and what it means.

Photo: the Apple iPhone 5s in three colors (photo: Apple)

Touch-what?

You know, the fingerprint sensor built into the Home button on the new iPhone 5s. It’s for unlocking the handset and buying stuff through iTunes and the App Store.

I thought the fingerprint was stored in some secure chip. How’d it get hacked?

It is, and this isn’t a hardcore technological hack so much as a good old-fashioned fake fingerprint technique. You find the iPhone owner’s print somewhere (the device itself may carry a few on its glossy surfaces), put some powder on it to make it more visible, then photograph or scan it at high resolution. Clean up the reversed image, print it at high resolution using thick ink, then use that to make a thin latex dummy, which you can put on your finger and use to unlock the iPhone.

I thought TouchID was supposed to be smarter than that.

Well it was, and I admit I’m a bit confused by what was revealed on the weekend.

A big selling point of the new generation of fingerprint readers, including that in the iPhone 5s, is that they don’t simply read the outer, dead layer of skin – instead, they use a radio frequency (RF) scanner to read a living layer of skin underneath. According to a Citeworld report, this assures the system that it’s dealing with a living finger, nixing both the old lift-a-print trick (see above) and the chop-off-some-poor-person’s-finger-to-unlock-their-phone trick.

But according to the Chaos Computer Club (CCC) and hacker Starbug, who claimed TouchID’s breakage on Sunday, “the marvels of the new technology” are less impressive than touted. Here’s what Starbug said in a statement:

“In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake.”

If that’s correct – and it should be noted that Apple itself only talks about taking “a high-resolution image from small sections of your fingerprint from the subepidermal layers of your skin” in its online FAQ — then TouchID isn’t actually that good at making sure it’s dealing with a living finger. It appears that it can be fooled by, as Starbug describes, breathing on the latex sheet “to make it a tiny bit moist” before using it on the sensor.

“We’re quite surprised that it just works out of the box, the same attack that we published 10 years ago,” CCC spokesman Dirk Engling told me on Monday.

Noting that there are several ways of detecting living tissue — current flowing between the finger and device; minuscule changes in the fingerprint’s geometry to indicate a pulse — Engling suggested that Apple may have allowed the flaw when trying to balance security and ease of use. “In the end you have to shift the balance to more comfort, and that’s apparently what Apple did,” he said. “Out in the field, people would have problems unlocking their iPhones if they were to be too strict. This is a basic problem of biometrics.”

I’m waiting for Apple to comment on all this, and will add in the response as and when I get it.

Can we trust “Starbug”?

In the first of the two videos Starbug has published on YouTube, someone programs the iPhone with their index finger, then puts the latex sheet on another finger to unlock the device. In the second, a completely different person dons the sheet to fool the phone. It looks legit.

Starbug has been around for a while. Also, even though there’s a crowdfunded bug bounty out there for cracking TouchID, the CCC is Europe’s largest hacker organization and it has a reputation to uphold. I sincerely doubt anyone’s pranking the world on this one.

As an iPhone 5s user, should I be afraid?

Depends on the scenario you’ve got in your head. If it’s pickpocketing you’re worried about, then bear in mind that your iPhone is probably covered in your fingerprints. That said, making a fake print of the quality we’re talking about here is not trivial and it also takes a while, making it likely that the owner would just remotely wipe the device before anything can be accessed. So I guess it depends on the caliber of pickpocket, and their desire to do more than simply steal and sell the hardware.

If it’s muggers or overzealous law enforcement or border agents that you’re thinking about, then this “hack” doesn’t make a blind bit of difference. Merely having a biometric access mechanism makes it possible to grab your hand and use it to unlock the phone – much simpler than having to go through the tedious process of passcode extraction (or making fake prints).

The only real worry here relates to a more targeted attack, perhaps by a private investigator who’s after some juicy corporate secrets. If the victim’s fingerprint has already been lifted from somewhere – which any idiot with a degree of patience could achieve — and a corresponding latex sheet made, then a skilled pickpocket armed with that sheet could get very quick access indeed.

So…

So for most people this won’t be a problem. And indeed, if you’re the type who forgoes passcodes because they slow you down, it’s better to use TouchID than to use no security at all. Also, it’s not like we’re talking about someone hacking into the phone’s secure A7 chip.

But do remember that, compared with passcodes, the inclusion of biometric access can in certain circumstances make it just that little bit easier for someone to get into your phone. And if that phone carries secrets that others really want to steal, you may want to bear this new risk in mind.

This story was updated at 5.20am PT to include quotes from CCC spokesman Dirk Engling.

  1. Biometrics for security have existed for a long while now.

    In the case of a smartphone, something I know or something I have are way more sensible than something I am.

  2. I never touch my screen with my thumb, can they use an index finger print pulled from the screen to impersonate my thumb print?

    1. No – each fingerprint is unique.

  3. Daniël W. Crompton Monday, September 23, 2013

    Fingerprints only ever work in multiple factor authentication systems.

  4. The video is a proof of concept but note a lot of things would have to work perfectly for this spoof to succeed – you only have 5 tries to unlock the phone.

    It’s a little different when you’re trying this spoof over and over again on your own phone and you know the PIN.

    On a stolen phone after 5 tries you’d have lost your shot.

  5. Hoax. The testers have previously stored their real prints on the phone before using the fake finger. iPhone 5S can store 5 different prints.

    1. It might be a fake, but then they will have had to scan the fake latex fingerprint, and that points to it working with fake latex fingerprints.

  6. “But do remember that, compared with passcodes, the inclusion of biometric access can in certain circumstances make it just that little bit easier for someone to get into your phone. ”

    I think the first part of your statement is too general and misleading… If the phone is using the simple 4-digit passcode, then the biometric access is better. Once you start using a passphrase type of password, then it would depend on the complexity of your passphrase as to which is easier to use in gaining access to the phone.

    Also keep in mind that the person breaking into the phone would have to accomplish this feat within the allowed passcode attempts set by the phone owner.

    1. If the attacker has access to both your phone and you, biometric access is less secure, regardless of whether it’s being compared with a passcode or passphrase. No guesswork required – just take the finger and put it on the sensor. Same goes for the carefully preplanned attack of the type demonstrated by the CCC.

      But those are very specific circumstances, as I said. If the attacker doesn’t have physical access to your finger or has not been able to make a dummy off a lifted print, then sure, this kind of biometric access is more secure — in theory. Because as you say, there should only be a limited number of attempts available, which should eliminate the possibility of a brute force attack and make a well-chosen passcode good enough.

      At the end of the day, the biometric feature is primarily there to be more secure than nothing and easier to use than a passcode, while being no less secure than a passcode in all but very specific circumstances.

      1. Yeah, and keep in mind that even if a thief forces you to open your phone:

        A: they can do that even if you only use a password.
        B: they still can’t turn off or lock your phone without the password or fingerprint
        C: if they want you to change the password or fingerprint, they have to get you to do that for them, which takes time. Wasting time is bad for a thief, as it increases the chances that they’ll get caught.

  7. You seem to neglect in your article that there is a setting to add a passcode along with TouchID to unlock your iPhone. This is two level security for those that may require or desire greater security.

    1. That is a good point, and the more layers the better – though you have to accept the tradeoff in convenience.

  8. and then you make the latex mask and then you jump out of the window of the Burj al Arab in Dubai and then…. the guys in the white suits come for you.
    Your mission if you should accept it is to enjoy your new iPhone 5S.

  9. Just buy a Samsung. Crapple suck end of. Use last years technology, and all their little fanboy lapdogs will go rushing out for it.

    1. Uh, I wonder what markets SAmDung has created ( touch Screen phones, tablets)??
      What have they innovated except copy Apple and steal its intellectual property?
      Go play with your Android derivative crap

      1. So you’re saying that apple never copied Android? Have you even seen iOS7?

  10. Apple states that Touch ID can be hacked at a rate of 1/50000. Using a simple 4-digit passcode would be 1/10000 (10 x 10 x 10 x 10). If you use the two together (passcode and Touch ID) it will be 1 in 500 million. I like those odds, and if your phone information is that valuable then one should use both together.
