Apple’s Touch ID fingerprint sensor, used to unlock the new iPhone 5S, can be tricked using a “fake finger,” according to a hacker group that claims to have broken the biometric security feature. If true, the hack undermines Apple’s assertions that Touch ID provides stronger security for iPhone users than the iPhone’s 4-digit pin lock – but don’t fret: Touch ID is still a valuable feature.
Before we get into why this isn’t that big of a deal, here’s how the anti-biometrics hacker group, Chaos Computer Club (CCC), successfully bypassed Touch ID, in their own words:
First, the fingerprint of the enroled (sic) user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.
As you can see, the hack requires that whoever wants access to the device has the ability to take a high-resolution scan of the phone owner’s fingerprint, then print that out using a high-res scanner – not exactly an easy feat, or one that is easily repeatable in everyday life (as opposed to CCC’s intentional test of the security system, in which all parties were presumably complicit). Still, according to CCC spokesman Frank Rieger, the fact that this hack is possible should dispel “the illusions people have about fingerprint biometrics.”
“The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access,” he added.
While it is disappointing that someone was able to trick Touch ID using simple methods, there are a number of reasons to take this hack with a grain of salt.
First, the easy-to-use nature of Touch ID is sure to increase the number of iPhone owners who lock their devices. Before the release of the iPhone 5S, a mere 50 percent of users locked their devices at all. Now that Touch ID is an option, that number will almost certainly increase.
Second, the CCC hack, though doable, is still a giant pain in the ass. Most thieves, I’d guess, do not have the knowledge, skill, tools, patience, or wherewithal to recreate the CCC hack. So if you’re device gets stolen, Touch ID will still do its job just fine.
Third, Touch ID still provides ample protection from the people we most want to keep out: Snooping family member, roommates, co-workers, and other people close to us. On that front, it keeps people out better than the 4-digit pin without the minor hassle of entering the pin every time the device is used.
Finally, as it’s currently configured, it is still possible to access a locked iPhone 5S using only the 4-digit pin – just swipe the screen, and the 4-digit pin unlock option appears, no fingerprint needed. Apple can, presumably, add an option to iOS 7 that allows a user to require both the fingerprint scan and the 4-digit pin to unlock the device. Do that, and the CCC hack will no longer work. I’d guess Apple will release this option once more people have become comfortable with Touch ID.
There are other reasons to be concerned about Touch ID. Minnesota Democrat Sen. Al Franken recently detailed some of them in a letter about the feature to Apple CEO Tim Cook. But the CCC hack just isn’t something to lose sleep over.