iPhone Fingerprint Sensor Cracked, Researchers Call Tech "Plain Stupid"
September 23, 2013 1:01 PM
Chaos Computer Club unlocks iPhones with high-resolution image-based tactic, points out legal dangers
iPhone owners who use the fingerprint sensor as a password should be aware that it's pretty much useless from a security perspective. It turns out that, as with past inexpensive fingerprint readers, the system can easily be tricked by showing it a photograph of the target's fingerprint.
A site sponsored a crowd-funded competition to see who could be the first to crack the security feature found on the new Apple, Inc. ( . The prize -- which included a pledge of $10,000 USD from a Chicago-based venture capital fund -- attracted a lot of attention.
I. CCC Makes Short Work of Apple's Supposedly Secure Sensor
It appears that the first group to successfully circumvent the sensor's security was Chaos Computer Club, a German hacker ring that has accomplished many challenging hacks and exploits over the years.
The trick -- as a CCC member who goes by the handle "Starbug" states -- is to use at least 2,400 dots per inch (dpi) for the photograph of the target's fingerprint, and 1,200 dpi for the printed copy.
"Starbug" says, "In reality, Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake. As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints."
The hack is demonstrated in a video posted by the CCC to YouTube:
The only "trick" outside the resolution is that you need to print onto a transparent sheet and, after printing, lift the fingerprint onto a polymer using "pink latex milk or white woodglue". The latex layer is then cured and lifted, and breathed upon to "make it a tiny bit moist and then placed onto the sensor to unlock the phone."
Don't make it too moist, though, as the fingerprint sensor can only be used with "dry" fingers.
The iPhone 5S's sensor can easily be tricked with a "fake finger". [Image Source: Apple]
It's important to note that the only part of the process that involves the target user -- getting their fingerprint -- can be done quickly and surreptitiously. The remaining steps can be taken at their own pace at a secure location of the unlocker's choosing.
II. Another Danger -- Police Seizing Your Data
CCC spokesperson Frank Rieger chides Apple and others for proliferating the myth of security regarding fingerprint-based biometrics. He states:
We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token. The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.
The group raises another interesting point regarding smartphone unlocking and legality. The group writes:
Also, you can easily be forced to unlock your phone against your will when being arrested. Forcing you to give up your (hopefully long) passcode is much harder under most jurisdictions than just casually swiping your phone over your handcuffed hands.
If you get arrested, and have an iPhone with fingerprint unlock enabled, police can easily get ahold of your private data. [Image Source: BUSINESS, GOVERNMENT AND SOCIETY FIVE]
In other words, the supposed "crowning" feature on Apple's new smartphone may be worse than worthless -- it may be luring users into a false sense of security and compromising their data.
says the CCC was the first group or individual to report a successful hack on the sensor. The site is in the process of confirming the CCC's hack. Once confirmed, they'll receive the hoard of goodies, including sweet, sweet cash.
CCC [press release]
Is Touch ID Hacked Yet [YES!]
9/23/2013 1:46:29 PM
This is a good point. If you just want a simple locking mechanism for your phone then it's fine. Similar to facial recognition unlock that's been on Android for quite some time.
The danger however is if it's being marketed by Apple as super secure. If so, users are being lulled into a false sense of security.
9/23/2013 5:35:34 PM
RSA had 2-factor authentication compromised (
which goes to show nothing electronic is ever impenetrable, but so far, I'd say this is
because of three reasons:
1) The person who wants to compromise your device's security will have to go to great lengths (obtaining your fingerprint, scanning it, molding it, or printing it off at a high resolution) to do so - someone that goes that far to do it is going to find a way.
2) I'd say it's secure enough until the "hack" can be performed w/o the sensor - via the lightning port, audio jack, Bluetooth, or other connection; that is, something that could be done in minutes-to-seconds.
3) There is concern of biometric data being shared. Since you have problems with FB and Google accessing private data, and iCloud being so interleaved into iOS, there is the concern that your personal data, which you can't change, will fall into someone else's hands. That is a huge concern. Apple I think has done a decent job of trying to store this information locally and letting its customers know.
The biggest example against it is the one about the Police, who will readily have that data available. In response, every day we leave our houses, drive in our cars, or walk down the street. We take risks all the time, even if sometimes we don't realize it. While this is still a higher risk, I'm not sure it's cause for that much concern.
9/23/2013 9:23:40 PM
*Hands drink with roofie*
9/25/2013 7:49:42 AM
Just saw an article, this morning, where one user successfully used his JOHNSON to lock/unlock his new iPhone.
I'm betting that's a part of that feature, that Tim Cook never imagined!
The question isn't whether the more tech-savvy people (like the ones who post here on DT) believe the fingerprint reader is a measure of safety for their phone. It's a matter whether the ignorant masses that actually buy iPhones will believe it.
Copyright 2013 DailyTech LLC.