German Hacker Group Says It’s Broken The iPhone’s TouchID Fingerprint Reader
konknaijaboy | On 24, Sep 2013
For a few German hackers, breaking Apple’s much-hyped fingerprint reader seems to have been little more than a one-weekend project.
On Sunday, the Berlin-based hacker group known as the Chaos Computer Club–and more specifically a member of the group who goes by the name Starbug–announced that they’ve managed to crack the iPhone 5s’s fingerprint reader just two days after it was released.
“A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID,” reads the announcement on the CCC’s website. “This demonstrates – again – that fingerprint biometrics is unsuitable as [an] access control method and should be avoided.”
In the YouTube video posted along with their announcement, (above) a CCC hacker demonstrates that he or she can register an index finger on the phone, and then, by covering the same hand’s middle finger with piece of latex with the spoofed index finger print, access the phone in seconds.
Here’s the group’s step-by-step description of how their spoofed fingerprint trick works:
First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone.
The CCC takes the opportunity to puncture the “bogus speculation about the marvels of the new technology and how hard to defeat it is,” and writes that this process differs only slightly from a method Starbug posted nearly ten years ago. The only difference, according to Starbug, is the relatively high resolution image that Apple’s reader requires.
I’ve contacted Apple for their thoughts on the CCC TouchID hack, and I’ll update this post if I hear from the company. I’ve also reached out the CCC for more information about how their hack works.
Since Wednesday night, hackers have been pooling together nearly $20,000 in cash pledges and donations in the cryptocurrency Bitcoin, along other items like bottles of whiskey and wine, as a reward for the first individual to successfully hack TouchID and prove it in a video. On the websiteIsTouchIDHackedYet.com, the status shifted Sunday from “No!,” to “Maybe!” Security researcher Robert David Graham, one of the creators of that bounty project, says he’s currently communicating with CCC hackers to confirm that their trick works and falls within the county’s rules–specifically that a finger from a person other than the phone’s owner rather than just a different finger from the same person can be used to break TouchID.
Update: Starbug has uploaded another video showing that the trick also works with another person’s finger wearing the latex spoofed fingerprint:
Update 2: And now IsTouchIDHackedYet.com has declared the hack official. Although one major bounty donor seems to have reneged, the reward for hacking TouchID stands at close to $10,000, which will go to Starbug.
Knowing the CCC, which has a reputation as one of the oldest and most well-respected group of hackers and security researchers in the world, this is likely a legitimate hack, and proves that the security community has been wise tocaution against blindly turning off the iPhone’s passcode protections in favor of an untested security feature, and one where the biometric data needed to crack the phone–unlike a PIN–is largely unchangeable and stored on a phone’s glass surface after every touch if the user isn’t careful to wipe it away.
“We hope that this finally puts to rest the illusions people have about fingerprint biometrics,” writes CCC spokesperson Frank Rieger. “It is plain stupid to use something that you can´t change and that you leave everywhere every day as a security token.”
The fingerprint hack isn’t the first to afflict the new iPhone and its operating system, iOS 7. Over the last week, other iPhone users have demonstrated that iOS 7′s lockscreen can be bypassed with far simpler tricks, including one that offers access to the phone’s photos and all their associated sharing functionsincluding the user’s email, Twitter, Facebook and Flickr, and another hack that allows phone calls to be made using a locked phone’s emergency call function.
Apple has promised to fix both of those bugs in upcoming software updates. The TouchID hack will no doubt be much harder to patch.
In the meantime, read the CCC’s full announcement on its TouchID hack here.