MacRumors

macrumors bot
Original poster



Apple has done little to improve security in the Touch ID technology used in its current iPhone 6 handset, claims security researcher Marc Rogers of Lookout Security (via CNET). As shown by Rogers, the latest iPhone models are vulnerable to hacking using the same fake fingerprint technique first demonstrated with the iPhone 5s.

The technique requires a hacker to lift a suitable fingerprint from a solid surface and create a copy using forensic techniques that require specialized equipment. If done properly, these replica fingerprints can activate the Touch ID sensors on both the iPhone 6 and the iPhone 5s.
"Sadly there has been little in the way of measurable improvement in the sensor between these two devices. Fake fingerprints created using my previous technique were able to readily fool both devices."
Rogers adds that the only changes in Touch ID appear to be in the sensitivity of the iPhone 6 fingerprint sensor, with the iPhone 6 possibly supporting a higher resolution scan. This improved scanner makes it harder for a fingerprint to be cloned by an unskilled criminal, but it does not add any additional security precautions, such as a time-based passcode requirement, to the Touch ID authentication system.

Touch ID may offer adequate security for unlocking phones, but Rogers questions its effectiveness as a deterrent to the much more lucrative credit card and mobile payment theft. With Apple opening up its iPhone 6 to mobile payments with Apple Pay, this form of theft becomes more likely as criminals begin targeting iPhone users in order to exploit these mobile transactions. Still, the complexity of creating a fake fingerprint means users are much more likely to be affected by a stolen plastic credit card than a spoofed Touch ID fingerprint linked to Apple Pay.
"[T]he sky isn't falling. The attack requires skill, patience, and a really good copy of someone's fingerprint -- any old smudge won't work. Furthermore, the process to turn that print into a useable copy is sufficiently complex that it's highly unlikely to be a threat for anything other than a targeted attack by a sophisticated individual."
Apple Pay is Apple's new mobile payment initiative that will debut with an iOS software update next month. The system uses NFC to process payments wirelessly with a one-time token and Touch ID authorization for security. Apple is partnering with credit card companies and US retailers including Walgreens, Macy's, and Nike to roll out the service.

Article Link: iPhone 6 Touch ID Still Vulnerable to Specialized Fake Fingerprint Hack
 
This is not news. Why even report this? Average person sees "Touch ID vulnerable" and doesn't use it. Meanwhile, the contents of the article, just as last year, CLEARLY indicate how extremely difficult and unlikely this is to ever occur to anyone, or that it's even worth the effort, or possible to do quickly enough before the phone is remotely wiped (the function of which I'd hope anyone who has sensitive information on their phone is aware of).
 
And the number of times this "hack" has actually been used successfully in the wild is...?
 
They've also not improved the security of passwords I write down and leave all around where I've been. Anyone can still pick this up and access my phone. Disappointed. :rolleyes:
 
That's why Governments love to have your fingerprints. They can easily make a dummy finger now. So when they arrest you with your new shiny iPhone they just phone the lab to make one up. The lab kit makes it in 10, it arrives with the officer in 30 minutes. No need to know your password. And no one will know they've been in your iPhone.

/s
/jk
enable panic mode
 
In other words, few people if any might ever be affected by this. You have a better chance of being struck by lightning while being eaten by a shark than have this happen.
 
One question. How does the competition look in this matter? Samsung and other fingerprint-equipped smartphones.
 
If the hacker were to want to use this with Apple Pay, wouldn't they also need to have the person's phone as well?
 
Also

Another hack that allows anyone access to your iPhone through TouchID, is the intruder cutting off your finger, and pushing it against the sensor. I mean, it's just not safe enough.
How can we expect fingerprint sensors to be safe when all that's needed is your fingerprint?

Obviously this still works. The only way to prevent this would be to also read heat signatures, in which case all you'd need to do would be to also add heat to the sensor while pushing a lifted print against it.
 
The attacker not only has to lift a very good print to copy from, but they have to lift the correct print that's being used to unlock the phone. From now on everyone uses their toes for TouchID.
 
If the right person has physical access to your device, they can crack it. Nothing new. What you have to understand is that if you lose your phone, you need to remote wipe it.
 
Way to blow this non issue out of proportion. News flash: if you cut somebody's thumb off, Touch ID will work too!!
 
One question. How does the competition look in this matter? Samsung and other fingerprint-equipped smartphones.
Irrelevant. First, obviously because they aren't Apple products -- double standards exist for a reason. Secondly, yes they are more secure than Touch ID because they don't function properly in normal operation. So they are just going to malfunction when someone tries to exploit them.
 
Newsflash, no current security measure isn't vulnerable to a sophisticated, targeted attack by a skilled/knowledgeable individual or group.

My credit card info was just stolen last night.....I can tell you right now I am so ready for Apple Pay and will be actively trying to avoid places that don't accept it. At least until the chip/pin is viable here in the US. The few places where it works are apparently unbearably slow and inefficient.

Luckily for me, giving up shopping at Wal-Mart won't be too difficult....lol
 
The guy contradicts himself in his own report. First he says there's been little improvement made to the sensor, and then he says that the sensor's resolution has likely been improved making it less likely that a poorly cloned fingerprint will work. Ummm, wouldn't that qualify as an improvement to the sensor? Duh.
 
Or you know someone could just walk up behind you with a gun or a knife and tell you to unlock your phone.

Like others have said, if you need physical access to the phone I don't see it being that big of a vulnerability.
 
That's why Governments love to have your fingerprints. They can easily make a dummy finger now. So when they arrest you with your new shiny iPhone they just phone the lab to make one up. The lab kit makes it in 10, it arrives with the officer in 30 minutes. No need to know your password. And no one will know they've been in your iPhone.

/s
/jk
enable panic mode

Turn off your phone before being arrested. Problem solved.
 