A group of German hackers known as the Chaos Computer Club (CCC) have successfully cracked Touch ID, the fingerprint sensor used to secure Apple’s new iPhone 5s. The hack was announced just two days after the smartphone went on sale.
The group demonstrated on their blog that a fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with Touch ID.
The print was first photographed at 2400 dpi resolution. The resulting image was then cleaned up, inverted and laser printed at 1200 dpi onto a transparent sheet with a thick toner setting. Finally, pink latex milk or white wood glue was smeared into the pattern created by the toner on the transparent sheet.
After it had set, the thin latex print was lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market, according to the CCC.
“In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake,” said a Computer Club hacker known as Starbug. “As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints.”
Apple’s own website describes individuals’ fingerprints as “one of the best passcodes in the world. It’s always with you, and no two are exactly alike”, noting that the Touch ID system can be used to “approve purchases from the iTunes Store, the App Store and the iBooks Store”.
Frank Rieger, spokesperson of the CCC, said: “We hope that this finally puts to rest the illusions people have about fingerprint biometrics.
“It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token.
“The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.”
Security expert Graham Cluley added: “It’s worth remembering that fingerprints are not secrets. You literally leave them lying around everywhere you go, and they could be picked up by others.
“Relying on your fingerprints to secure a device may be okay for casual security – but you shouldn’t depend upon it if you have sensitive data you wish to protect.”
A pair of security experts who set up a competition with a crowdsourced cash reward for the first individuals to hack Touch ID have said they are awaiting further information before confirming the method.
“We are simply awaiting a full video documentation and walk through of the process that they have claimed,” Nick DePetrillo, a mobile security researcher, told Reuters. “When they deliver that video we will review it.”
Apple has yet to respond with comment.