Touch ID fooled - not hacked - by a lifted fingerprint

The Chaos Computer Club - a Germany-based group of computer hackers - claims to have fooled Apple's Touch ID fingerprint technology, which makes its debut on the new iPhone 5s. While a YouTube video demonstrating the trick is entitled "hacking iphone 5S touchID" (and some organizations are reporting it similarly), it is in point of fact not a hack. But we'll get to that in a moment.

In a blog post describing the procedure, Chaos Computer Club says:

A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided.

The one-minute video shows someone using their index finger to register Touch ID on a newly set-up iPhone 5s. Once the setup has been completed, they apply a tape to their middle finger which, presumably, contains a transfer of the index fingerprint. That unlocks the phone.

The Chaos Computer Club explains how the fake fingerprint was produced. The process involves photographing a fingerprint at 2400 dots per inch resolution.

The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.

So this isn't a procedure that someone is likely to casually reproduce just for the sake of unlocking your phone. But Chaos Computer Club spokesman Frank Rieger says biometric security like Touch ID has more nefarious implications.

Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.

To its credit, Chaos Computer Club isn't calling the spoof a hack, but that isn't stopping it from being widely misreported, thanks in part to the sloppy title on the YouTube video. But what is the point of accuracy when there are page views to be had?

Peter Cohen

Managing Editor of iMore, Mac and gaming specialist and all-around technologist. Follow him on Twitter @flargh


Reader comments

76 Comments

I think it's because it's just silly. It's cool that someone actually took the time to do that though. Crazy-smart. =)

Exactly, it's absurd. If someone has that much time to know it's your phone, lift your print, go back to make the fake and go back and use it on the phone all just to get access then you have bigger problems with your phone's security.

If the person steals your phone first and then tries this, just immediately go onto find my iphone and wipe it!

Such easy solutions. This is blown out of proportion as this huge security hole just like the lockscreen bugs (because everyone is going to know the 10 step process to bypass your lockscreen. And maybe the MEDIA should be making it public!)

What if one were to perform the first parts of this just in picking up the fingerprint, and leaving the phone with the user, like at a Starbucks, just so one could perform the time-intensive process later away from the phone, and then could actually walk off with the phone later and get into it instantly before the user has the chance to wipe it? Enough time to get in, install a malicious app that could send your keystrokes and data elsewhere, and you might not know for quite awhile if ever.

I'm not being defensive. I'm pissed that it's being widely recirculated as a "hack," and is even described by the title of the video as a hack, while it fundamentally isn't. Words have meaning.

I understand but even I would say that qualifies as a hack. It is gaining unauthorized access to information which technically is hacking. It's not serious in terms of someone hacking the A7 being able to crack the Touch ID encryption. I don't think this stunt really matters as Touch ID is just creating a simple and effective mode of consumer security. I still think it's a useful addition to the phone.

So if I get your house key, make a copy at Home Depot, and use my copy to get into your home, you've been hacked? If you write your bank password down on paper and I see it, memorize it and use it to access your online account is that a hack? Under your definition the word hack has no meaning anymore.

Would you define "hack" for us, then? Because, IMO, this *is* a hack. Getting something to work outside its designed parameters is one of the definitions I use.

No, getting something to work the way it was intended to work is not a "hack." A "hack" would be "this was meant to be a fingerprint sensor but I made it work as a laser pointer!" Or "I made the fingerprint sensor heat this cup of water so now I can have tea!" Think MacGyver, see? Buying something with a stolen credit card number isn't a hack; neither is unlocking a device with a copied fingerprint.

I don't agree at all. Apple claimed quite loudly that the sensor *needed* a live finger to scan, leading many online to make statements that you couldn't use a fake finger. CCC (including many others, like myself) were able to invalidate that statement by getting the sensor to believe a fake print belonged to a live finger. How is that NOT a hack?

Use the print without being attached to any sort of finger so you simply lay the copied print on the sensor and then you would be correct, the video shows there is still a live finger involved in the process, just a layered print over it, and at that the finger used is but only one digit removed from the registered print in the first place.

"[G]etting something to work the way it was intended to . . . ?"

Um, can you please point us to where Apple states that Touch ID should work with a copied finger print?

Hack is gaining control of the security itself. This is not the case.

This security spoof, which is what it is, is paramount to getting someone's badge and putting their own photo on it, fooling a security guard. I wouldn't call that a hack either.

Also, you have to have intimate contact with the individual to get the fingerprint. Just a print from a glass of water doesn't cut it. It has to be a true hard core imprint, up and personal.

The dictionary definition of hack, as it pertains to computers, is: Computers. to break into (a server, Web site, etc.) from a remote location to steal or damage data. You cannot do what is described in this article from a remote location - you have to have the phone on you to do it.

Hey no worries, remember when the Android face unlock feature was "hacked" 20 minutes after it was announced. Although it was just fooled by a picture, this is pretty much the same thing. The lack of the correct word choice is simply ignorance on their part.

Presumably, you were as outraged when Apple (and Google, for that matter) appropriated the term "multitasking" to mean "put the running state of a process into storage so that it can be restarted quickly."

If you are truly that pedantic, you may also wish to recognize that just as fundamentally, what you consider a "hack" was originally and properly referred to as a "crack" -- an orthogonal concept to a "hack" -- and that "hack" only began to serve double duty as people's (mis)understandings drifted. In which case, you are pissed because people are not sticking with the vague definitions that solidified around the time that *you* learned them. Believe me, I empathize -- I was similarly pissed at your generation when you confused and abused the term crack. Five years from now, the people who currently draw your ire will be pissed at whatever of today's terms *their* young whippersnappers screw up. Words have meaning yes -- but only insofar as people grant them. Like it or not, that is illogically, stupidly, gloriously how language evolves.

So words have meanings? Apple should have chosen their words more carefully in the video they released idealizing how safe their new feature was. It obviously has flaws, Apple put themselves into this mess now.

You are semantically right, but wrong in practicality.

The touch Id was not hacked, as they did not gain access to the sensor or fingerprint database in the chip; however, they did gain access to the phone when they should not have been able to. That is a hack.

So, technically, they hacked the iPhone by spoofing touch id. To the everyday muggle though, it is more understandable to say that "the Apple fingerprint reader was hacked." This is similar to the way malware is referenced in the media. Technically it is not a virus, but the term "virus" is still the best way to explain the term to the everyday person and have them immediately understand what the article will entail.

Sent from the iMore App

No security system is 100% foolproof!

But on the other hand, the demonstration involves one person who is clearly the owner of the iPhone (since he is able to unlock it and register his various fingerprints on it). And there is no independent person supervising and judging the demonstration, making sure it is not tainted.

If this video was given as "evidence" in any court or scientific setting, it would be tossed out due to lack of verification.

This method may actually work to trick the Touch ID scanner. But until it is presented in a less questionable and unverifiable way, I will remain skeptical.

The one thing I want to see is someone different, other than the original user, use the copy of the fingerprint. If you notice, it's the same user.

Because he videotaped the enrollment of his index finger (if you look at the screen, it's the only finger enrolled) and then applied the dummy print to his middle finger... ergo, the sensor only saw the dummy.

Even though I believe the video, the phone can recognize multiple prints, correct? So it is technically POSSIBLE that the middle finger was read to unlock.. I guess.
Regardless, I think the concern around this "hack" is a joke.. I don't think it warrants all this concern

"Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access." Just...no. That's completely backwards. Biometrics is really only useful for everyday access security. That's all it does. The technology does not add to or detract from oppression in any way whatsoever. This is like saying "Having a password on your device is a system designed for oppression and control." It makes no sense! TouchID is exactly the same as typing in a passcode on the device, only quicker. I was amused by this "hack" at first, but they just lost me with this extremely silly bit of rhetorical excess. I am vehemently anti-NSA and anti-government overreach and pro-Ed Snowden, but being dim about these issues doesn't help anybody.

You've missed the point by some margin.
A password is designed to let only those that know it enter a room, account, conversation etc. etc....I am often given a password 'common' to a few others so that I can enter a conference call for example. A key to a house is in effect a password.
Biometrics are designed to tie something to a single individual. The whole premise behind it in theory if not practice is...........

I'm surprised it was done this quickly. Wasn't sure whether to believe that a large company would leave such a glaring hole. Then I read above that the Android face unlock was broken in 20 mins.

The instructions linked to in the CCC blog post are dated 2004. And it isn't just a tape transfer of the fingerprint, it's scan/photo it, clean on computer, print on transparency, apply thin coat print with latex or wood glue, let dry, use that.

This is a process of hours per try. They get 5 tries before the pass code has to be used. In the meantime the phone has been marked as stolen and wiped, unless they kicked it into airplane mode via control center.

Their points about the police just swiping your fingers on it when under arrest is a more valid point. Although they can only try 5 fingers. Registering too many fingers to the phone can be problematic.

I guess "reasonable, easy to use, security" and "100x better than 4 digit PINs" didn't translate to German, umm CCC?

"So this isn't a procedure that someone is likely to casually reproduce just for the sake of unlocking your phone. But Chaos Computer Club spokesman Frank Rieger says biometric security like Touch ID has more nefarious implications."

I disagree. All you need to do is follow your mark/target around long enough until they touch something made of glass (or something else that will leave a decent residual print). Take the glass home, and you have all the time in the world to dupe the print. It doesn't get any easier than that... not to mention the method of duplication only requires some superglue, some cotton balls, a container, a decent digital camera, Photoshop and some transparencies. Not rocket science. :)

That's "ALL" you have to do?!? (sarcasm) All for that iphone, that once you've done all that you have to find the phone again to then access it; or steal it up front and do all this before it's remote wiped.

Again, this is a non-issue if you properly protect yourself and remote wipe immediately.

I think you've missed the point entirely.

I don't have to rush. I can grab a print anytime I want, take as much time as I need to dupe it, and then come back to my target and obtain the phone. Once I've unlocked it, all I need to do is turn on airplane mode and remote wipe becomes moot.

If you think the steps I've listed are difficult... well, it's no harder than changing your oil on your car.

You must also remember that you need to know what finger is used to open the phone and hope it's their dominant hand and at least a thumb or index finger or else good luck with getting a decent print.

The purpose of TouchID or a passcode is to foil the guy who snatches your iPhone out of your hand or out of your bag and runs off with it. The same way a passcode would. The person with the wherewithal to do what you describe above wouldn't need to steal your phone anyway. People keep thinking that the fingerprint gives someone more access than the passcode does, but this is not true.

This^^ If you know where to find me again to get my phone and have the know-how to do this, then you're after more than my $500 iphone. At least if you're that smart

I'd venture to guess 99%+ of iphone theft is snatch and grab which touch id will prevent. Anyone who takes the time to stake the person out and do all this can do a lot more damage than taking an iphone anyways

You don't need to look for a fingerprint, there is a perfectly good one on the surface of the sapphire button of the phone itself.

Some people will stop at nothing to stick it to Apple more than any other company. And for what? I never looked at touch ID as added security. It's an added convenience. If you want something better security, go with a complex password and data encryption. The problem I have with this is that the trolls will get this and run with it. News and tech bloggers will post this just to get hits on their sites. If it was James Bond's phone, then yes I want to crack it. Regular joe?... Hell no.

Sent from the iMore App

If this isn't a hack then what is.. does a hack have to mean some sort of computer code that tricks the system, IMO no. I think the fact that this can trick the system to bypass its security is a hack and just as serious as cracking its code.. it's a flaw in the security and even most hacks that are computer generated include fooling a system so whether it's fooling via a computer code or a real life physical object it's still a hack.

The Merriam-Webster Dictionary does include for the definition of Hack, under definition 4 b : to gain access to a computer illegally (http://www.merriam-webster.com/dictionary/hack)

So by that definition, technically this does qualify as a "hack" however where called into question is asking if having the same user who registered the print using his next finger over with a replicated print illegal.

From the standpoint of someone using this technique to replicate a fingerprint to unlock an iPhone 5s, unless the target device is being targeted for specific data on the device (IE you want to do some Spy like stuff to bring down a specific person or company) this really is a bit extensive of a practice, and would not be overly useful to those stealing the device to gather a collection of black market sellable units in my opinion anyway

Since Touch ID reads sub-dermal layers, could it still be reading this guy's actual fingerprint through the latex? If you notice, he uses the same finger when he presses the fake print onto the sensor. Thoughts?

He doesn't, in point of fact - he uses his middle finger with the latex print, he uses his index finger for the Touch ID registration.

Correct me if I am wrong, but doesn't Touch ID allow for multiple fingers to be registered? Is it just remotely possible that the guy registered his middle finger before turning on the camera, and then registered his index finger for the audience?

Peter, you are correct, however, he is almost correct.

I am absolutely convinced this video is a fraud (and likely motivated by a desire to manipulate Apple stock, which will assuredly take a hit tomorrow morning).

This hack/bypass makes absolutely no sense given the nature of the Authentec sensor used in the phone, which is capacitive and not optical. Too, if the hack worked, they could have proved their point more simply just by making a direct casting of the print in latex rather than the printing technique they supposedly used.

That lengthy description is a classic mcguffin, to distract from the obvious by making it more ornate.

What everyone is ignoring is that the iPhone can be programmed to recognize five fingerprints (or other skin structures). I am fairly certain all they did was program the phone to recognize the middle finger prior to shooting the video. The thin latex covering was simply transparent to the sensor.

If they want to even begin to convince me this is real, they are going to have to show me them doing it from a phone with a fresh factory restore.

Fraudulent video to manipulate Apple stock? Dude, seriously?
First off, the technique described was developed to work with capacitive sensors - what do you think the moistening step is about?
Second, the reason to not make a direct cast off of a finger but instead go the roundabout way of photographing/scanning/printing is that it demonstrates that a fingerprint lifted off of a glass surface is enough - no need to have the original finger around.

To help you better understand the subject you're ranting about, you could try checking out some of the CCC's previous work on bypassing biometric systems.

You may want to watch the keynote again. Apple have *never* said they are reading subdermally. They quite clearly said sub-EPIdermally, which is VERY different.

What is the difference between lifting a fingerprint and looking over someone's shoulder watching the four digit code be entered both are dishonest.

This isn't even new - the Mythbusters did this on their show a few years ago. Same basic idea.

"OMG fingerprints don't work ahhhh!"

It's just another way to block someone from getting to your info long enough to have your phone found or reset.

Well Peter, the Free Dictionary defines hack as: "To gain access to (a computer file or network) illegally or without authorization", so yes this is a hack and yes, you're being defensive for focusing on the definition of "hack" as it reflects negatively on Apple, and not giving emphasis to the fact that Touch ID, which was touted as safer than conventional fingerprinting, was easily fooled by the conventional fingerprint faking methods.

In the words of Rene Ritchie, describing the keynote: "It's also capacitive and reads the fingerprint at a sub-dermal level. That means it's not reading the dead skin on the top of your finger, but the new, living skin beneath the surface. That makes it less likely to be fooled by fake fingerprints, severed fingers, and other sci-fi spy movie tropes".

Conventional fingerprint scanners are not capacitive nor do they scan beneath the surface, and thus can be easily fooled by silicon fingers for instance, as shown on Mythbusters for instance.

You may want to watch the keynote again. Apple have *never* said they are reading subdermally. They quite clearly said sub-EPIdermally, which is VERY different.

I was quoting Rene, but anyway, Apple implied that their sensor was safer because it did not simply scan fingerprints.

Did you hear the rumor about the iPhone 6 incorporating a retinal scanner via the FaceTime camera? ...

xP

Sent from the iMore App

Perfect! Here comes tomorrow's wall street writers... Apple Is Doomed!

Apple's stock goes like .... babooooom!

P.S. Mr. hacker is a little too excited .... with that background music and shaking fingers, no?!! ROFLAMO

This was something that everyone should've seen coming. It's good to know the limits of this technology no matter what company advertises how "different" or "more secure" it is. I'll wait to see the developments happen about this, but the obvious advice still stands: If you can, don't lose your phone.

It is indeed a hack. I agree it isn't an easy one though. You have to know what you're doing but isn't hard for those that do, it seems.

I called it. I gave it 48 hours. :-)

If this is a hack then so is watching you type your password/PIN and then using it. Or reading the sheet of paper where you wrote it down. Or overhearing you tell someone over the phone.

I consulted a dictionary per your suggestion.

http://www.thefreedictionary.com/_/dict.aspx?rd=1&word=hack

a. Informal To alter (a computer program): hacked her text editor to read HTML.
b. To gain access to (a computer file or network) illegally or without authorization: hacked the firm's personnel database.

A is the one I think of when I think of a hack but b is the one you seem to prefer.

All of the scenarios I described are hacks under the definition in b.

re: "Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access."

Hacking is fundamentally an activity designed for extortion and self-aggrandizement, not for benefiting society in any way.

Hmmm... This is not easily duplicated along with the fact that he did have to lay his finger on the home button twice before it registered. The average thief is not doing all this just for your phone. It would be easier to just get or even guess the lock code than to go through all this.

I completely disagree. If you have minimal training this is not hard at all. Place the stolen phone in a metal safe so it cannot get remotely wiped, wait a couple of days for the battery to die, lift a fingerprint from the home button and voila, access to the phone.

Anyway, the average thief does not do any of this because he sells the phone within minutes of being stolen. The guy that buys the stolen phone is the one doing the hacking and the reselling.

Any security measure is meant to keep out honest people, just like the locks on your doors.
If they (crooks) want in, they will find a way in, you just need to hope it holds up long enough to call the cops or grab a gun, or in this case, wipe the device.

Basically the only people who benefit from this limitation are law enforcement as now all they need are your fingerprints to gain access to your phone.

Oh no, now they are going to have to put an eye scanner on the iPhone 6... Time will tell if it has other vulnerabilities, let's hope not.

Hacked. It's not a hack. Well, potato, patato. Looks like unauthorized access to me. Looks like a hack. Everyone is focusing on the random iPhone thief gaining access to the phone. What about the stalker boyfriend/girlfriend who wants to go through your phone, who actually has the time to use this recipe.

To clarify - this is NOT an example of hacking the iphone. The correct term is 'spoof'. Its authentication system has been spoofed. The difference is important. Hacking the system implies it was working fine but someone had to alter the software/hardware to make it work for a different purpose or in a different way. This hasn't been done.

Using the correct term is actually pretty important here. When you say the system has been spoofed, it means it can be fooled out of the box, without the system being modified. Because this has happened (in a very simple way by lifting a print), the premise for it as a biometric system is fundamentally bad (like we never saw that coming). This is worse than if it had been hacked.

No security is going to be perfect. I myself (don't have an iPhone 5S yet) use a long passcode - and usually have my passcodes to be at least 8 characters long - and sometimes 12. Which is a pain in the neck every time I unlock my phone. Is it possible to combine touch ID with a 4 digit pin? And require both? I assume combining the two would be as secure as an 8-12 digit passcode.