Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,290
30,364



Over the weekend, the Chaos Computer Club announced that it had bypassed Apple's Touch ID sensor using a photograph of a fingerprint to create a fake fingerprint model.

The full fingerprint emulation process has now been detailed in a new video from CCC member Starbug and replicated by security expert Marc Rogers, who believes the average consumer has nothing to worry about.

As seen in the video, the CCC uses a fingerprint taken from the screen of the iPhone 5s and then uses a complicated multi-step process to convert it to a usable print. According to Starbug, who spoke to Ars Technica, the process "was way easier than expected," taking just 30 hours to complete.
I was very disappointed, as I hoped to hack on it for a week or two. There was no challenge at all; the attack was very straightforward and trivial.

The Touch ID is nevertheless a very reliable fingerprint system. However, users should only consider it an increase in convenience and not security.
While Starbug suggests that the hack is "very easy" and can be completed with "inexpensive office equipment like an image scanner, a laser printer, and a kit for etching PCBs," Marc Rogers, who also completed the bypass, disagrees, noting that it requires "over a thousand dollars worth of equipment."
touchid.png
But, the reality is these flaws are not something that the average consumer should worry about. Why? Because exploiting them was anything but trivial.

Hacking TouchID relies upon a combination of skills, existing academic research and the patience of a Crime Scene Technician.
Rogers goes on to explain the process, which requires an unsmudged, complete print of the correct finger and a way to "lift" the print using cyanoacrylate (super glue) fumes, fingerprint powder, and fingerprint tape. The lifted fingerprint must then be photographed, edited, and printed onto transparency film, where it is converted to a usable fingerprint via a PCB board or a laser printer.

Even when all of these steps are created, using the fake fingerprint was "tricky" and prone to failure.
So what do we learn from all this?

Practically, an attack is still a little bit in the realm of a John le Carré novel. It is certainly not something your average street thief would be able to do, and even then, they would have to get lucky. Don't forget you only get five attempts before TouchID rejects all fingerprints requiring a PIN code to unlock it.

However, let's be clear, TouchID is unlikely to withstand a targeted attack. A dedicated attacker with time and resources to observe his victim and collect data, is probably not going to see TouchID as much of a challenge. Luckily this isn't a threat that many of us face.
With Touch ID able to be bypassed through a fake fingerprint, it remains unclear how the system functions. According to Apple, the sensor uses advanced capacitive touch and takes a high-resolution image from the "sub-epidermal layers" of skin, a process that, theoretically, should render a fake fingerprint useless. Starbug speculates that this is due to Apple's desire for usability over security, noting that the sensor will be defeated if the fake fingerprint is "sufficiently close" to the characteristics of human tissue.

Since its release, Touch ID has been the subject of much scrutiny. Senator Al Franken has sent a letter to Tim Cook asking a number of questions about the security of the system and the exact fingerprint storage process, and Apple has published an extensive knowledge base article about the benefits of the Touch ID system to alleviate some consumer concerns.

Article Link: Touch ID Bypass Detailed, 'Average Consumer' Shouldn't Worry
 

dave420

macrumors 65816
Jun 15, 2010
1,426
276
If we could just add a short password and use TouchID then I think everything would be more secure.
 

Dwalls90

macrumors 603
Feb 5, 2009
5,426
4,391
If we could just add a short password and use TouchID then I think everything would be more secure.

No thanks.

Why would I want to use TouchID AND a passcode?

TouchID is supposed to remove the need for the passcode ...
 

portishead

macrumors 65816
Apr 4, 2007
1,114
2
los angeles
I'm just not that important for someone to go through all that trouble to fake my fingerprint. I'll continue to use Touch ID. It works fine for what I use it for.
 

OldSchoolMacGuy

Suspended
Jul 10, 2008
4,197
9,050
I've worked with Marc plenty in the past. I'd agree that the average consumer has nothing to worry about.

Funny how people get up in arms about this but they didn't care or seem to realize that since about 2008 we've been able to pull all the data from your iPhone including passwords, email, text messages, web browsing history, and more. Doesn't matter if your passcode is set or not.
 

Frign

macrumors regular
Aug 19, 2011
116
408
It's not over

I wouldn't still save my fingerprint on my iOS-device. It's just not save enough.
The fingerprint may be a very specific password for each one of us, but it sure as hell is not one you can change.
 

pk7

macrumors 6502
Sep 27, 2011
441
64
Before people say:

"I can't believe it! Anyone can hack my iPhone with thousands of dollars worth of stuff like an image scanner, a laser printer, and a kit for etching PCBs, all in only 30 hours!?

Touch ID is a failure!!! :mad:"
 
Last edited:

KPOM

macrumors P6
Oct 23, 2010
18,020
7,863
So for now, unless you have classified information on your phone, you should be OK with Touch ID.
 

dave420

macrumors 65816
Jun 15, 2010
1,426
276
No thanks.

Why would I want to use TouchID AND a passcode?

TouchID is supposed to remove the need for the passcode ...

Why not give the option?
1. Passcode only
2. TouchID only
3. Passcode and TouchID

Everyone has different needs, and the three options above should satisfy more people than the two options available now.
 

Ryth

macrumors 68000
Apr 21, 2011
1,591
157
No thanks.

Why would I want to use TouchID AND a passcode?

TouchID is supposed to remove the need for the passcode ...

Some want 2 steps. More secure and don't be surprised if Apple comes out and allows you to do it this way if you want to do it with 2 steps.
 

tdtran1025

macrumors 6502
Dec 26, 2011
275
0
It's very unsettling to claim this process as a hack. Naturally, lifting a fingerprint is in the realm of forensic expert, not a task can be done by regular people we come into contact.
If someone has my finger prints, I am at his mercy, and the phone itself is immaterial. What a genius, duh!
 

Bryan Bowler

macrumors 601
Sep 27, 2008
4,024
4,347
Cracking a TouchID would be a lot of work to read someone's text messages! All they would get is:

"OMG"
"Seriously"
"For real"
"No way!"

:)
Bryan
 

BlindGoldfish

macrumors regular
Jan 15, 2010
107
0
Which finger is the least likely to leave an un-smudged print on an iPhone? For me it's the right pinkie.
 

mrhick01

macrumors 6502
Sep 22, 2008
485
315
The average consumer should not be concerned

So a thief more or less has to do spy-level stuff to break the security of an iPhone 5s.

So what's with some of this handwringing and concern trolling?
 

iGrip

macrumors 68000
Jul 1, 2010
1,626
0
Apple really should warn people that the system is for convenience, and does not provide strong security.
 

sransari

macrumors 6502
Feb 11, 2005
363
130
not withstanding the fact that the hack is supposedly "very easy," even this expert took 30 hours to complete the hack...In a real life situation, the phone would have been wiped by then. now if it took 30 seconds, then maybe there's something to worry about
 

TWSS37

macrumors 65816
Feb 4, 2011
1,107
232
I think more important than this being 'hacked' was the ability to use a scan of a fingerprint - which means that the 'sub-reading' of skin that was reported as required, was false.
 

Ubele

macrumors 6502a
Mar 20, 2008
888
332
The iPhone 6 will replace the fingerprint scanner with a retina scanner. Then someone will figure out how to make fake retinas. (Be suspicious of any drones that fly up to your face, take a photo, and fly away.) Then Apple will come up with an aura scanner.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.