Fooling Touch ID is anything but trivial, says security boffin

By Peter Cohen
published

German hacker collective the Chaos Computer Club (CCC) grabbed headlines after showing a method to fool the iPhone 5s's Touch ID fingerprint scanner, but it's nothing that ordinary people need to worry about too much, according to a security expert.

CCC hacker Starbug created a fake fingerprint by scanning a real one, printing it and ultimately creating a fake print by transferring it to latex rubber or wood glue. The group claims that this is proof that biometric security isn't effective and shouldn't be used. Starbug calls his method "very straightforward and trivial."

Security expert Marc Rogers - director of security operations at the DEF CON hacking conference and principal security researcher for mobile security software developer Lookout - posted an entry to the Lookout blog entitled Why I Hacked Apple’s TouchID, And Still Think It Is Awesome. Rogers explains:

Hacking TouchID relies upon a combination of skills, existing academic research and the patience of a Crime Scene Technician.

He talks about some of the issues involved in acquiring an unsmudged print and transferring it. Contrary to Starbug's claims of triviality, Rogers says:

It is a lengthy process that takes several hours and uses over a thousand dollars worth of equipment including a high resolution camera and laser printer.

Rogers underscores that Touch ID is useful as a convenience factor, not as an improved method of security.

Today just over 50 percent of users have a PIN on their smartphones at all, and the number one reason people give for not using the PIN is that it’s inconvenient. TouchID is strong enough to protect users from casual or opportunistic attackers (with one concern I will cover later on) and it is substantially better than nothing.

Rogers also says that Touch ID would be improved if it were a two-factor authentication system - something you have (in this case, your fingerprint) and something you know - a PIN number or passcode. You can't install Touch ID without putting a passcode on your iPhone 5s as well, so the parts are there, if Apple's willing and able.

Over the years a number of studies have been done on smartphone security. And while the number of smartphones in use, and the variety of operating systems in use has increased, the number of users who protect their devices with a lock code or passcode has stayed within a few digits of 50 percent.

As Rogers points out, the number one reason why smartphone users don't use a passcode is because they're inconvenient. Touch ID handily addresses the convenience problem. While biometric security isn't perfect, no security is perfect.

If Touch ID's lasting contribution will be to provide that other 50 percent with a viable method of locking and unlocking their phone, Apple will have made a really positive contribution to the smartphone market.

What do you think? Is Rogers understating the risk to Touch ID users? Has Chaos Computer Club overstated how easy Touch ID is to override? I want to hear from you, so share your thoughts in the comments.

Source: MacRumors

25 Comments
  • From the description of the process given in your original article, it seems to me a deliberate, planned action that would be taken to target a particular person. I currently use a passcode, which annoys me, so I'm looking forward to TouchID when my 5s arrives. There were some opinions that the TouchID feature would assist in the widespread use of iPhones in the military etc fields. It would be interesting to know what effect the forged fingerprint results have on the introduction of iPhones to these agencies, if any. Sent from the iMore App
  • I think CCC very much overstated the issue and is somewhat bias based on their views / paranoia of privacy in general. There opinion is very suspect to begin with because they've been against any form of personal identification for sometime now. They believe any form of identification is a privacy concern and come off very paranoid of 'big brother'. That said, the general snatch and grab thief is never going to hack this unless they go stalker and spend money. The snatch and grab thief is after quick money and easy info they can use/abuse. Besides,, really, all they gotta do is hold you up with a gun and tell you to put your finger on the phone and ask you for your pass code if they REALLY want the info. Much easier and much more likely than going all CSI! I say it's very much in the plus category and adds to the overall experience for those who would otherwise not use a passcode.
  • The old saying "whatever man makes, man can get into." Holds true to Mobil devices. Nothing is totally secure. The best thing, never leave you phone laying around. Use all the security measures that are made to work on the device. I like the idea of fingerprint, and a pin. Sure it's a pain, but a two system approach works well. The best security is do not loose it in the first place. I cannot tell you how many times I will be at Starbucks, and see someone go to the restroom, and leave their phone on the table. Sent from the iMore App
  • The author of the hack submitted a video showing how easy it is and did an interview with ArsTechnica.
    http://arstechnica.com/security/2013/09/touchid-hack-was-no-challenge-at... Basically, Marc Rogers has some explaining to do as he is vastly overstating the amount of effort required. p.s. kudos for using boffin.
  • Why not provide a highly secure option: Require three fingerprints in sequence. That's hundred of combinations, not counting toes.
  • Even two in succession would be enough. Already, they need to find a complete, clear print. Next, the tough part, you need to hope it is the right one! You have 5 chances to find out. This is not going to be an easy thing to do in the wild.
  • That should be an option for those that have really secure information on their phones, me I just need one since I need to secure the phone buit I do not hold secure sensistive government data, that would cause someone to take the time and effort in order to get it. I am doing this for convenience, I reach into my pocket and the phone is securely unlocked before it is out of my pocket. I have my phone set to lock after one minute so I have to use the PIN many times a day.
  • That sounds awesome actually!
  • Not a bad idea! As long as it's an option and not a requirement.
  • I'm agree with "Touch ID is useful as a convenience factor, not as an improved method of security" . It takes a lot of effort just to hack/unlocked an iPhone or a stolen one like CCC did... by scanning the real one first? I think they just want to show the world that they can do it very easy and just for fun. The thing that should be worried is: 1. how about if the person got injured on all of the fingers and perhaps needs to put on bandages? 2. Beware to put your phone when you're about to sleep, your wife might use your finger to unlocked it while you're sleeping and see things you don't wan't her to know or she might buy something from eBay :)
  • Maybe iOS 7.1, or 7.2, or iOS 8 will add an enhanced option to add pass code doe two step Sent from the iMore App
  • So here's how I see it. Your phone has oodles of smudged fingerprints on it. I think we could comfortably say that the primary fingers used on our phones wouldn't be fingers, but our thumbs. So say, somehow, a person gets their hands on your phone at a bar because you left it beside your drink cup. The thief grabs your phone and your cup, runs off. They have to come home with both and the first thing they need before they get anything is to figure out if there any next to perfect fingerprints available. So now they have a fingerprint or two, likely from your dominant hand. Also this will have been done a fair bit of time after they snag your phone. Easily long enough to have marked it lost via find my iPhone. Sure, the thieves could turn it off, but then they can't unlock it because the touch ID won't work once the phone has been rebooted. SO say by some fluke you pass out drunk on the floor of the bar and are dragged home by someone and don't realize it until the next day... During that time, the thieves will have pulled the print (or prints) from wherever. They print one, or many, of then off and create this system. The problem is, say they even get 2 good fingerprints, the chance of one of those being THE fingerprint used to unlock your phone. Sure, maybe they would be... But come on now. This whole thing is stupid. Use your off hand and an odd finger to unlock the phone. A pinky, ring finger, your nipple, penis, whatever. The penis unlock would sure guarantee no one would ever steal, or touch, your phone. Ever. It doesn't make sense, it's far harder to get not only a clear enough fingerprint, but a clear enough fingerprint that is used to unlock the phone. Assuming you use an off hand, don't use 5 fingers for the TouchID spots and don't stupidly leave your device where it could get grabbed ALONG with your fingerprint, you have all of nothing to worry about. Seriously, who thinks this is a real risk?
  • Exactly, well put.
  • No hacking is trivial, and people still do it everyday. Spoofing someone's MAC address is also not trivial, and also commonly done. The security expert overstated the complexity in faking a fingerprint. Just look at this link, and were not talking about experts here, with expensive equipment and lots of expertise, just motivated people:
    http://youcure.me/en/news/fingerprint-scandal-in-brazil-4939
  • I had something stolen and the police looked for finger prints of 300 prints they could not find one full print it is not that easy and you do know that not everyone is going to use the thumb or there right hand I use my left . Goverment agencies use finger print all the time .
  • Mythbusters, from 2006, that's seven year old replication tech:
    http://www.youtube.com/watch?v=3Hji3kp_i9k Or, done the cheap way:
    http://www.youtube.com/watch?v=T6TFNXm3eBI
  • That is perfect conditions you try getting a perfect print . You see this crap on tv and believe everything mythbusters also made a bridge with duck tape . I saw that replicated the wrong way and they fell and broke some bones . I have done work at the pentagon they trust it . People see too much fantasy on tv and believe it . You try it some time and by the way this info I got was from csi not a tv show real life
  • Still waiting for Peter's article: 10 reasons why you should not use Touch ID...yet.
  • The fact that Touch ID was defeated a day after the iPhone 5S went on sale is proof enough that it can be done. Hell, it has been done. Trying to down play the fact that it was done doesn't change the fact that it was done. It was cracked in a DAY!! That's a bit troubling, in my opinion. Glad I got the 5C and saved the hundred bucks for something else.
  • I think the finger print ID is just for convenience and casual security and casual privacy like your kids or better half getting into your phone. No concerns for me. I'm concerned about hacked the old fashion way someone sticking a gun in my face.
  • Touch ID is security with convenience, as rightly said , no security is foolproof. Breaking into touch ID would require special skills , equipment and time. Days are not far when Apple might integrate an iris scan in the front camera. Sent from the iMore App
  • I think its crazy people think security is an inconvience. I use a password exclusively and it takes no time to use. I am getting my 5s on Friday and I want to be able to use both the Touch ID and a passcode. Most of these people that are too lazy to use a passcode probably haven't gotten their phones or identification stolen. I prefer to have every safeguard I can so that my investment in a phone doesnt go to waste.
  • It's merely fooled the access. Now what? What fantastic stuff can the thief now take? Maybe a grape on Facebook. Seriously guys, this isn't hacking.. The phone can't even be reset without the original password. One word FAIL! Sent from the iMore App
  • Lol **frape** Sent from the iMore App
  • The one thing I don't understand with the touch id is the fact that when turned on, it still gives the option to put in the 4 digit passcode. Why can't I give a thief no option BUT to have to use the touch id?