News of Apple’s Touch ID hacking spread like wildfire on the web recently, causing many Apple critics to rejoice, saying “I told you so.”
“So, apparently and contrary to Apple’s corpospeak—and all the echoes from the Cupertino chorus line—it appears your iPhone’s fingerprint security can be broken, with a camera, a laser printer, and some wood glue—just like every other fingerprint sensor in the world,” Jesus Diaz writes for Gizmodo. “The fingerprint sensor is still convenient, but don’t depend on it to protect any sensitive information in your iPhone. If you think someone may be interested in accessing your iPhone for whatever reason, they would be able to do it easily using this hack.”
However, it is not as straightforward as Jesus Diaz would like you to believe, according to one security expert.
Security expert Marc Rogers’ article, “Why I Hacked Apple’s TouchID, And Still Think It Is Awesome,” goes into great detail on how he hacked the Touch ID fingerprint scanner, but more importantly, it highlights that no regular Joe will be able to accomplish this.
According to Rogers:
Hacking TouchID relies upon a combination of skills, existing academic research and the patience of a Crime Scene Technician.
First you have to obtain a suitable print. A suitable print needs to be unsmudged and be a complete print of the correct finger that unlocks a phone. If you use your thumb to unlock it, the way Apple designed it, then you are looking for the finger which is least likely to leave a decent print on the iPhone. Try it yourself. Hold an iPhone in your hand and try the various positions that you would use the phone in. You will notice that the thumb doesn’t often come into full contact with the phone and when it does it’s usually in motion. This means they tend to be smudged. So in order to “hack” your phone a thief would have to work out which finger is correct AND lift a good clean print of the correct finger.
Next you have to “lift” the print. This is the realm of CSI. You need to develop the print using one of several techniques involving the fumes from cyanoacrylate (“super glue”) and a suitable fingerprint powder before carefully (and patiently) lifting the print using fingerprint tape. It is not easy. Even with a well-defined print, it is easy to smudge the result, and you only get one shot at this: lifting the print destroys the original.
So now what? If you got this far, the chances are you have a slightly smudged print stuck to a white card. Can you use this to unlock the phone? This used to work on some of the older readers, but not for many years now, and certainly not with this device. To crack this control you will need to create an actual fake fingerprint.
Creating the fake fingerprint is arguably the hardest part and by no means “easy.” It is a lengthy process that takes several hours and uses over a thousand dollars worth of equipment including a high resolution camera and laser printer. First of all, you have to photograph the print, remembering to preserve scale, maintain adequate resolution and ensure you don’t skew or distort the print. Next, you have to edit the print and clean up as much of the smudging as possible.
Rogers went on to describe two methods hackers can use to complete the hack.
“Practically, an attack is still a little bit in the realm of a John le Carré novel,” Rogers said. “It is certainly not something your average street thief would be able to do, and even then, they would have to get lucky. Don’t forget you only get five attempts before Touch ID rejects all fingerprints requiring a PIN code to unlock it.”
If this does not convince you that Touch ID is relatively safe to use, nothing else will.
Marc Rogers’ article is very comprehensive in many respects, since it also looks at the darker side of biometric security, specifically fingerprint technology. However, he believes that if Apple could combine this with an extra passcode authentication, they will be on to a winner.
“What I, and many of my colleagues are waiting for (with bated breath), is Touch ID enabled two-factor authentication,” Marc Rogers said. “By combining two low to medium security tokens, such as a fingerprint and a 4 digit pin, you create something much stronger. Each of these tokens has its flaws and each has its strengths. Two-factor authentication allows you to benefit from those strengths while mitigating some of the weaknesses.”