For a few German hackers, breaking Apple’s much-hyped fingerprint reader seems to have been little more than a one-weekend project.
You may watch the video demonstration here.
On Sunday, the Berlin-based hacker group known as the Chaos Computer Club–and more specifically a member of the group who goes by the name Starbug–announced that they’ve managed to crack the iPhone 5s’s fingerprint reader just two days after it was released.
“A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID,” reads the announcement on the CCC’s website. “This demonstrates – again – that fingerprint biometrics is unsuitable as [an] access control method and should be avoided.”
In the YouTube video posted along with their announcement (above), a CCC hacker demonstrates that he or she can register an index finger on the phone, and then, by covering the same hand’s middle finger with a piece of latex bearing the spoofed index fingerprint, access the phone in seconds.
Here’s the group’s step-by-step description of how their spoofed fingerprint trick works:
First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone.
The CCC takes the opportunity to puncture the “bogus speculation about the marvels of the new technology and how hard to defeat it is,” and writes that this process differs only slightly from a method Starbug posted nearly ten years ago. The only difference, according to Starbug, is the relatively high resolution image that Apple’s reader requires.
I’ve contacted Apple for their thoughts on the CCC TouchID hack, and I’ll update this post if I hear from the company. I’ve also reached out to the CCC for more information about how their hack works.
Since Wednesday night, hackers have been pooling together nearly $20,000 in cash pledges and donations in the cryptocurrency Bitcoin, along with other items like bottles of whiskey and wine, as a reward for the first individual to successfully hack TouchID and prove it in a video. On the website IsTouchIDHackedYet.com, the status shifted Sunday from “No!” to “Maybe!” Security researcher Robert David Graham, one of the creators of that bounty project, says he’s currently communicating with CCC hackers to confirm that their trick works and falls within the bounty’s rules–specifically that a finger from a person other than the phone’s owner, rather than just a different finger from the same person, can be used to break TouchID.
Update: Starbug has uploaded another video showing that the trick also works with another person’s finger wearing the latex spoofed fingerprint: