Here’s what you need to know about the Apple TouchID “hack”


You know, the fingerprint sensor built into the Home button on the new iPhone 5s. It’s for unlocking the handset and buying stuff through iTunes and the App Store.

I thought the fingerprint was stored in some secure chip. How’d it get hacked?

It is, and this isn’t a hardcore technological hack so much as a good old-fashioned fake fingerprint technique. You find the iPhone owner’s print somewhere (the device itself may carry a few on its glossy surfaces), put some powder on it to make it more visible, then photograph or scan it at high resolution. Clean up the reversed image, print it at high resolution using thick ink, then use that to make a thin latex dummy, which you can put on your finger and use to unlock the iPhone.

I thought TouchID was supposed to be smarter than that.

Well, it was, and I admit I’m a bit confused by what was revealed on the weekend.

A big selling point of the new generation of fingerprint readers, including that in the iPhone 5s, is that they don’t simply read the outer, dead layer of skin – instead, they use a radio frequency (RF) scanner to read a living layer of skin underneath. According to a Citeworld report, this assures the system that it’s dealing with a living finger, nixing both the old lift-a-print trick (see above) and the chop-off-some-poor-person’s-finger-to-unlock-their-phone trick.

But according to the Chaos Computer Club (CCC) and hacker Starbug, who claimed TouchID’s breakage on Sunday, “the marvels of the new technology” are less impressive than touted. Here’s what Starbug said in a statement:

“In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake.”

If that’s correct – and it should be noted that Apple itself only talks about taking “a high-resolution image from small sections of your fingerprint from the subepidermal layers of your skin” in its online FAQ — then TouchID isn’t actually that good at making sure it’s dealing with a living finger. It appears that it can be fooled by, as Starbug describes, breathing on the latex sheet “to make it a tiny bit moist” before using it on the sensor.

“We’re quite surprised that it just works out of the box, the same attack that we published 10 years ago,” CCC spokesman Dirk Engling told me on Monday.

Noting that there are several ways of detecting living tissue — current flowing between the finger and device; minuscule changes in the fingerprint’s geometry to indicate a pulse — Engling suggested that Apple may have allowed the flaw when trying to balance security and ease of use. “In the end you have to shift the balance to more comfort, and that’s apparently what Apple did,” he said. “Out in the field, people would have problems unlocking their iPhones if they were to be too strict. This is a basic problem of biometrics.”

I’m waiting for Apple to comment on all this, and will add in the response as and when I get it.

Can we trust “Starbug”?

In the first of the two videos Starbug has published on YouTube, someone programs the iPhone with their index finger, then puts the latex sheet on another finger to unlock the device. In the second, a completely different person dons the sheet to fool the phone. It looks legit.

Starbug has been around for a while. Also, even though there’s a crowdfunded bug bounty out there for cracking TouchID, the CCC is Europe’s largest hacker organization and it has a reputation to uphold. I sincerely doubt anyone’s pranking the world on this one.

As an iPhone 5s user, should I be afraid?

Depends on the scenario you’ve got in your head. If it’s pickpocketing you’re worried about, then bear in mind that your iPhone is probably covered in your fingerprints. That said, making a fake print of the quality we’re talking about here is not trivial and it also takes a while, making it likely that the owner would just remotely wipe the device before anything can be accessed. So I guess it depends on the caliber of pickpocket, and their desire to do more than simply steal and sell the hardware.

If it’s muggers or overzealous law enforcement or border agents that you’re thinking about, then this “hack” doesn’t make a blind bit of difference. Merely having a biometric access mechanism makes it possible to grab your hand and use it to unlock the phone – much simpler than having to go through the tedious process of passcode extraction (or making fake prints).

The only real worry here relates to a more targeted attack, perhaps by a private investigator who’s after some juicy corporate secrets. If the victim’s fingerprint has already been lifted from somewhere – which any idiot with a degree of patience could achieve — and a corresponding latex sheet made, then a skilled pickpocket armed with that sheet could get very quick access indeed.


So for most people this won’t be a problem. And indeed, if you’re the type who forgoes passcodes because they slow you down, it’s better to use TouchID than to use no security at all. Also, it’s not like we’re talking about someone hacking into the phone’s secure A7 chip.

But do remember that, compared with passcodes, the inclusion of biometric access can in certain circumstances make it just that little bit easier for someone to get into your phone. And if that phone carries secrets that others really want to steal, you may want to bear this new risk in mind.

This story was updated at 5.20am PT to include quotes from CCC spokesman Dirk Engling.

25 Responses to “Here’s what you need to know about the Apple TouchID “hack””

  1. His Shadow

    The fact that the majority of the hack blogs that reported this used the terms hacked, cracked or broken is an indication of just how dense most of the people writing for tech blogs really are these days.

    If I have a high resolution copy of your house keys and use it to create a copy of your house key, I can get into your house. Thank you, Captain Obvious.

  2. Use your dominant hand pinky to log in. Your iPhone is far less likely to have a pinky smudge from your dominant hand. Or, use a textured leather case on your iPhone. It’s very difficult to pull a useable print. Lastly, this technique is rather complicated for the normal hacker. Unless James Bond is after your data, you’re unlikely to be the victim of this kind of fake finger hack.

  3. This is a stupid argument. Biometrics can be hacked but who cares, you can take all of the fingerprints you want, but you still need that person’s phone in your possession. Hold onto your phone and you won’t have a problem.

  4. yetanothersteve

    With only 5 attempts, if you want a little more security, use a non-obvious finger, perhaps one you never use on the screen. Also, the person lifting your fingerprint has a lot of complexity getting the correct finger. There are lots of prints of lots of fingers on your phone and they only have 5 shots!

    Faking your own fingerprint on your own phone is a proof of concept but not a real world scenario.

    Really depends on how valuable is your information. And if it’s really valuable then vigilance to notice when it’s been taken is a big piece of the security picture as well.

  5. Joe Liebman

    “But do remember that, compared with passcodes, the inclusion of biometric access can in certain circumstances make it just that little bit easier for someone to get into your phone.” The flaw in your premise is that these certain circumstances require a lot of pre-planning and surveillance. Couldn’t the same resources be put into watching you type your passcode into the phone? Then you are in the same place as the fingerprint lifting without all the trouble of making a latex fingerprint and hoping it works in one of the first 5 attempts.

  6. The hack also assumes knowledge of which finger you use to unlock the phone.

    TouchID is meant for the masses, not James Bond. No one wants into my phone or the phone of anyone I know because of the content. Thieves want the phone to sell it for some quick cash. Turn on Find My Phone and the thief needs your AppleID and password to wipe the phone even after they break in with your fingerprint copy. The really great thing about TouchID is that people will actually use it because it is fast and simple.

    Even if they hoped to get some sort of banking info or other valuable data (which I don’t keep on the phone) they would probably have to go online to use it at which point I’d wipe the phone with Find My Phone.

  7. Hiram Walker

    I don’t think that the market for Apple’s phone was supposed to be secret agents. People with enough time and resources can hack anything. This keeps your co-workers and acquaintances from reading your emails and avoids the hassle of entering a PIN every time you check your phone. Mission accomplished. Sorry, James Bond, ask Q to whip you up something special.

  8. dzoolander

    Apple states that the Touch ID can be hacked at a rate of 1/50000. Using a simple 4 digit passcode would be 1/10000 (10 x 10 x 10 x 10). If you use the two together (passcode and Touch ID) it will be 1 in 500 million. I like those odds and if your phone information is that valuable then one should use both together.

  9. mike sanders

    and then you make the latex mask and then you jump out of the window of the Burj al Arab in Dubai and then…. the guys in the white suits come for you.
    Your mission if you should accept it is to enjoy your new iPhone 5S.

  10. You seem to neglect in your article that there is a setting to add a passcode along with TouchID to unlock your iPhone. This is two-level security for those that may require or desire greater security.

  11. “But do remember that, compared with passcodes, the inclusion of biometric access can in certain circumstances make it just that little bit easier for someone to get into your phone.”

    I think the first part of your statement is too general and misleading… If the phone is using the simple 4 digit passcode, then the biometric access is better. Once you start using a passphrase type of password, then it would depend on the complexity of your passphrase as to which is easier to use in gaining access to the phone.

    Also keep in mind that the person breaking into the phone would have to accomplish this feat within the allowed passcode attempts set by the phone owner.

    • David Meyer

      If the attacker has access to both your phone and you, biometric access is less secure, regardless of whether it’s being compared with a passcode or passphrase. No guesswork required – just take the finger and put it on the sensor. Same goes for the carefully preplanned attack of the type demonstrated by the CCC.

      But those are very specific circumstances, as I said. If the attacker doesn’t have physical access to your finger or has not been able to make a dummy off a lifted print, then sure, this kind of biometric access is more secure — in theory. Because as you say, there should only be a limited number of attempts available, which should eliminate the possibility of a brute force attack and make a well-chosen passcode good enough.

      At the end of the day, the biometric feature is primarily there to be more secure than nothing and easier to use than a passcode, while being no less secure than a passcode in all but very specific circumstances.

      • Zach Hoffman

        Yeah, and keep in mind that even if a thief forces you to open your phone:

        A: they can do that even if you only use a password.
        B: they still can’t turn off or lock your phone without the password or fingerprint.
        C: if they want you to change the password or fingerprint, they have to get you to do that for them, which takes time. Wasting time is bad for a thief, as it increases the chances that they’ll get caught.

  12. The video is a proof of concept but note a lot of things would have to work perfectly for this spoof to succeed – you only have 5 tries to unlock the phone.

    It’s a little different when you’re trying this spoof over and over again on your own phone and you know the PIN.

    On a stolen phone after 5 tries you’d have lost your shot.