Time To Change Your Fingerprints: Apple's Fingerprint Scanner Already Hacked

from the no-problem,-just-change-your...-oh-wait dept

While Apple has been touting its new TouchID fingerprint scanner as more secure, many people with experience in biometrics are quick to note that the problem with biometric security is once it's cracked, you're kind of in trouble, since you can't just change your fingerprint/retina/voice etc. And, indeed, it took almost no time at all for the biometrics hacking team of the Chaos Computer Club to crack TouchID "using everyday means." You can see a video of them getting into a new iPhone with a different finger:
It appears that they've used the same basic method as has been used to hack fingerprint scanners in the past -- get a high quality image of the user's fingerprint and then:
The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone.
The only "difference" here is that they needed to use a higher resolution in the printing to match the higher resolution of Apple's scanner. CCC points out, as others have in the past, that this should remind people that fingerprint scanning is not very secure.
"We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token", said Frank Rieger, spokesperson of the CCC. "The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access." Fingerprint biometrics in passports has been introduced in many countries despite the fact that by this global roll-out no security gain can be shown.

iPhone users should avoid protecting sensitive data with their precious biometric fingerprint not only because it can be easily faked, as demonstrated by the CCC team. Also, you can easily be forced to unlock your phone against your will when being arrested. Forcing you to give up your (hopefully long) passcode is much harder under most jurisdictions than just casually swiping your phone over your handcuffed hands.
It wasn't difficult to assume that this would happen. What's surprising is that Apple doesn't seem to have considered this fact.

Filed Under: biometrics, chaos computer club, fingerprint, fingerprint scanner, fingerprints, hacked, ios, iphone 5
Companies: apple

Reader Comments

  1.
    akp (profile), 23 Sep 2013 @ 9:31am

    This isn't a hack...

    Nor is it a "crack." As someone else said, it's a spoof, and not a particularly easy one to pull off.

    Someone has to make a dedicated effort to get into your phone specifically. How easy is it really to get the "high res scan" of a person's fingerprint?

    In any case, this isn't a uniquely Apple screwup. It's a failure of *any* system using this type of authentication.

    No code or hardware is being compromised. The method would work on any fingerprint-scanning system, so it seems disingenuous to bash Apple specifically about it.

    Especially when they even admit that to get into an iPhone they have to have an even higher res print than usual when spoofing these systems.

    This is a FUD non-story, except to point out the weaknesses of biometric authentication in general.
