TouchID Not As Secure As You Think

iPhone 5s Fingerprint

The new iPhone 5s was released, and just a day and a half later the Chaos Computer Club hackers were able to bypass TouchID, its biometric fingerprint scanner.
Dan Riccio, Senior Vice President of Apple Hardware Engineering, stated, “your fingerprint is one of the best passwords in the world. It’s always with you, and no two are exactly alike.”

Even though that may be true on some levels, watch the following video and see just how easily and quickly the fingerprint security is set up and circumvented.

With the new iOS and hardware, you can use your fingerprint as the password to unlock your phone, and it can be set up to authorize purchases through Apple stores for music, movies, TV series, applications, and books. TouchID security is supposed to provide an accurate match and a very high level of security.

Unfortunately, the technique used to bypass this security has been around for quite some time and, to date, has never been resolved. This process will work with almost every fingerprint scanner on the market.

Here are the steps to reproduce:

1 – photograph/scan the fingerprint from a glass surface at 2400 dpi resolution;
2 – digitally clean up the image;
3 – invert the image;
4 – print the image from a laser printer onto a transparent sheet at 1200 dpi and thick toner setting;
5 – smear the following over the fingerprint on the printout – pink latex milk or white wood glue;
6 – let the latex or glue cure;
7 – lift the layer of latex off of the sheet;
8 – breathe on the lifted latex in order to make it a bit moist;
9 – place the fingerprint onto the crystal sensor and unlock the phone.

“We hope that this finally puts to rest the illusions people have about fingerprint biometrics,” Chaos Computer Club spokesperson Frank Rieger said in a statement. “It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token.”

US Sen. Al Franken said, “If someone hacks your password, you can change it — as many times as you want. You can’t change your fingerprints. … And you leave them on everything you touch; they are definitely not a secret.”

Interestingly enough, there was a $16,000+ bounty that was offered to the first person who could hack the fingerprint sensor. At the time the hacked information was released, it was not clear if the Chaos Computer Club had been given the reward.  stated they were still waiting on video evidence to review their process.  It has not been revealed they have, in fact, won the reward!
