Apple’s Touch ID fingerprint reader can already be fooled (video)

September 23, 2013

Chaos Computer Club trciks Apple TouchIDTheĀ Chaos Computer Club (CCC), a group of European hackers who have a history of demonstrating the weaknesses in various computer systems since the 1980’s, has successfully tricked the fingerprint reader on the iPhone 5S using a photograph of a fingerprint taken off glass!

Related: How Fingerprint scanners work

In a scene which looks like it came from a Hollywood hi-tech thriller, the CCC lifted the fingerprint of a glass surface by taking a high-resolution (2400 dpi) photo and then printing it in a inverted form (so most of the print out is black and the fingerprint is clear) onto aĀ transparent sheet with a thick toner setting. ThenĀ pink latex milk or white woodglue is smeared onto the transparent sheet and left to dry. The fake fingerprint can then be peeled off and after breathing on it (to make it a bit moist) it can be used to trickĀ Apple’s TouchID and theĀ biometric security built into the iPhone 5S.

This demonstrates ā€“ again ā€“ that fingerprint biometrics are unsuitable as an access control method and should be avoided.

These are the exact same steps that the CCC published in 2004 on its web site and the same process that can be used,Ā with minor tweaks, to trick the vast majority of fingerprint sensors on the market.

This isn’t the first time that the CCC has demonstrated the fragility of biometric security. In a protest about the use of biometric data in Germany’s e-passports the group lifted and published the fingerprints of the then German Minister of the Interior Wolfgang SchƤuble in its club magazine. The magazine included a thin film that could be taped over a finger to deceive fingerprint readers with SchƤuble’s fingerprint – very Mission Impossible!

If you don’t believe it is possible, check out this video:

Comments

  • Ares

    That shaky fingers O_O

  • natjsb

    Doesn’t count as bypass. The process is rigorous. A thief would rather knock the person off and unlock the phone with at least 10% chance at a time by picking one of the fingers. 2400% DPI photograph is not an everyday item.

    The robber would be like: Hey! Stick your fingers out, tell me which finger you registered in your iPhone, I’ll *photograph* that @2400% DPI so that I can unlock your phone after I laser printed it and put some latex milk and some glue and a bit of my breath. This won’t take long. Stay there.”

    So, to iPhone 5s users out there. If you see a suspicious looking guy carrying with him a flatbed scanner, a Laser printer, a laptop, an AC extension cord, a latex milk, a glue and *assuming* the guy has image editing skills – You better run away! Or should you? :P

    • not a spark

      Just because its not what a common thief would do doesn’t mean its not a bypass. I don’t think the point of this is for thief’s benefit

    • Balraj

      +50 that

    • Jacob

      Those who steal cars are not car experts. They are ordinary people. They sell the the car to experts. Same goes with bikes, phones, watches, etc.
      So if you think the robber will not steal your phone because he doesn’t know how to use it, you are wrong.

      • natjsb

        “So if you think the robber will not steal your phone because he doesn’t know how to use it, you are wrong.” – Jacob

        Jacob! Hola amigo! My comment has three parts. It doesn’t say anything about a robber not going to steal the phone. In fact, in paragraph one, I gave it away. *blink* *blink* :P

        • Jacob

          haha, good one ;)

    • On a Clear Day

      Where there is a will there is a way – given enough time and desire to effect the end in mind.

      The greatest argument against using biometric data was well put in the other Android Authority article recently posted:
      Why fingerprints shouldnā€™t be used for security
      http://www.androidauthority.com/fingerprints-and-security-272092/

      Once it is out there and if it is hacked it can never be “changed” like a password and your identity could be compromised forever. There has to be a better way. Apple – true to form – wanted to be the first to claim it was the first – like when it said it invented the rectangle and that Samsung had violated its intellectual property rights when it made its own pad.

      If Apple spent half the time it spends trying to make much ado about little or nothing – as in decrying “fragmentation” and touting potential security compromising functions like this fingerprint gee whiz B. S. – on actually creating real advances they might actually be able to lay claim to being a company with revolutionary products rather than one of the world’s best hype machines for mediocre ones.

      • natjsb

        Hi,
        I’m am not in anyway dismissing your points regarding biometrics. All points taken. There will always be a way to crack any form of security – that is very general and that falls to another discussion.

        My comment was about this specific case – putting things into perspective. What’s demonstrated in the video proves little to nothing. Yes, they were able to get around the security layer (amazing), but the question is, what does it take, or what troubles did they have to go through to complete the hack? Isn’t it easier to just knock someone off?

        I can’t speak for Apple – I care less. I already made my point. And by the tone you have against apple and their products, this isn’t worth any talk anymore. Anyways sir, this is a no biggie to me. Thanks for your input. Good day.

  • Heathenkill Reyna

    No video

  • Fox Ray

    “This demonstrates ā€“ again ā€“ that fingerprint biometrics are unsuitable as an access control method and should be avoided.”

    Dude the idea behind it is that you are not required to enter a pin code, this is to counteract thief’s or even your girlfriend. Not to counter secret agencies that will water-board your ass until you give your pin code anyway ^^

    The video gives little proof, you see a man enter 1 finger print into TouchID, the iPhone can hold 5 of those. We also know that the scanner scans the epidermic layers and not the outside layer, the latex cannot copy this. But we do see that the latex is transparent and it might be possible to scan through it, who knows.

    Wouldn’t be the first hoax, more evidence is needed.

    • Dimitar Gospodinov

      dude you only know what Apple told you…

      • Fox Ray

        Why didn’t he proof that his middle finger didn’t work prior to putting the latex on his finger?

        Bad executed video dude, nothing to do with Apple.

        • Dimitar Gospodinov

          read a little bit more…please…dude…and not only from Apple’s sources….again please…there are alot of stuff about biometrics and such…please…dude

          • Fox Ray

            Dude, maybe you should read a bit yourself. Do you even know how it exactly works? you get 5 tries, if you fail you are not able to try again and will have to enter the pin code. So lets presume you get a hold of a 5S, you don’t know what finger the owner used, secondly if you even manage to find finger prints you have no clue from what finger they are. So it’s trial and error and nothing else. If you know anything from police work you might know that its very hard to get a perfect print because we do not leave perfect prints behind, we leave partial prints behind. And the thumb is the worst of all and guess what finger will be used to unlock an iphone …

          • Dimitar Gospodinov

            I have written a work in the university about “Biometric autenthication” so I am pretty sure what I am talking about…

          • Fox Ray

            And I have a degree in criminology, so whats the point you are trying to make?

          • Dimitar Gospodinov

            I am tolking about how computers (smartphones) treat fingerprints, the recongnition process and algorithm. Not the way criminolodysts do. This is the reason why you can fool a fingerprint scanner.
            The way everybody does it (Apple too) is this: http://en.wikipedia.org/wiki/Fingerprint_recognition this is it.
            Only apple uses these images as a key in a hashing function to transfer it in a string or whatever they use to store it (this is my interpretation).
            Nothing special about it so it can be fooled the same way every mediocre scanner can be. And it is not so hard…

          • Fox Ray

            The point is not to have something that is full proof but to discourage people with bad intentions. My first question would have to be ‘Do you have a problem with that?’ Now since you seem to know allot about biometric authentication you also know that many of these systems didn’t do a good job in the past due to its fail rate rendering it useless because typing a password was allot easier and faster. Compared to the cheaper systems from the past Apple did a great job on creating one that has a low fail rate making it actually useful. The question is to whom is it useful? It’s not useful to people that don’t lock their phone, all tho they should lock their phone, not for its data but just to discourage theft. So who is it useful for? Well for people that lock their phones, being it because they don’t want the girlfriend to check their text message or emails or being it because companies force them to through policies or just because you are smart and want to have a sense of security. Will this thing work for them? Yes it will work for them and I encourage every smartphone builder to do the same thing. On top of that every smartphone builder should have a system in place that makes re-installing the OS completely useless if they don’t have the right credentials for that phone. Something Apple recently did for iPhones, but I am not telling that because I want to rub something in someones face, everyone from Android to Windows Phone should do this because it doesn’t matter if you are an Apple, Android or Windows phone user, if your high-end phone gets stolen it sucks. And as long as thiefs out there now that they can easily steal your phone and reinstall it and resell it they will keep doing it.

            Coming back to the initial discussion, I know that no system is full proof, but I do know its damn hard to reproduce what they did because when someone steals a phone the owner isn’t going to give his perfect fingerprint to go along with it. And as long as they don’t have a perfect fingerprint from the correct finger they won’t be able to use it. And if you have only 5 chances to try the success rate is extremely low.

            It all comes down on who is after you, if it is a common thief, he just stole a useless device to him, if its a law enforcement agency, it doesn’t matter, they will just borrow your finger to unlock it for them.

          • Dimitar Gospodinov

            this i can agree to

          • Dimitar Gospodinov
          • Xennex1170

            I’m curious.. Is there no market for iPhone parts? This would require no security info whatsoever since the device itself would be cannibalized. That would make it far from a useless device to that kind of thief.

        • Jusephe

          Yeah, bad video. Only thing I see is a man setting up the touch ID with his finger, then trying to unlock the phone with the same finger AND GUESS WHAT ! The phone unlocks.

          • Fox Ray

            No he setup his index finger and unlocks the phone with his middle finger.

  • raj

    LOL

  • abazigal

    The video simply shows that it is possible (assuming it is legit), not that it is likely.

    For someone like me who dispensed with a passcode for 2 years, I feel the fingerprint scanner provides the best compromise between security and convenience there is. Are there more secure methods? Definitely. Are there more secure methods which are as fast and convenient as scanning your fingerprint? Doesn’t seem that way.

    I am still getting the 5s (partly for the scanner) either way. :)

  • Jin

    example of stolen iPhone, is it possible to full wipe it to remove the log print? never had one so I don’t know

  • blanco112

    Not surprised it’s possible. The question that should be asked is hiw does the fingerprint scanner compare to other methods. I assume every “code” can be cracked by someone. But I try I and balance security and convenience. I use a pattern for my phone which Android says I’d only “medium” security but it’s quick enough for me to use over and over all day long.

  • applesheeple

    saw it demonstrated elsewhere it really easy to bypass , pretty much the same technique used to bypass face lock on android which is also equally pointless but if it makes the apple sheeple feel safe then its a good thing.

  • Rodrigo

    People exaggerate too much. Unless you are a very important person like Warren Buffett or Obama, who will try to equip themselves to bypass your finger print from your phone? I think this system works better if you have a girlfriends who want to get to your phone calls to see if you have been cheating on her or things like that. This systems is by far much better than using your pass code. I think that the most important could be the apps that can use this system already on your phone.

    • An0nym0usC0ward

      You see, your girlfriend is in a perfect position to get a perfect fingerprint from you, and also to see what finger you use to unlock the pone.

      2400 dpi photo cameras/scanners are indeed not yet very common, but I bet a creative and suspicious girlfriend would find one to borrow.

      So if the suspicious girlfriend is the main target of phones with fingerprint scanners, it was at best a very bad idea, and not at all an improvement in security.