Touch ID fooled - not hacked - by a lifted fingerprint

The Chaos Computer Club - a Germany-based group of computer hackers - claims to have fooled Apple's Touch ID fingerprint technology, which makes its debut on the new iPhone 5s. While a YouTube video demonstrating the trick is entitled "hacking iphone 5S touchID" (and is being reported by some organizations similarly) it is in point of fact not a hack. But we'll get to that in a moment.

In a blog post describing the procedure, Chaos Computer Club says:

"A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided."

The one-minute video shows someone using their index finger to register Touch ID on a newly set-up iPhone 5s. Once the setup has been completed, they then apply a tape to their middle finger which, presumably, contains a transfer of the index fingerprint. That unlocks the phone.

The Chaos Computer Club explains how the fake fingerprint was produced. The process involves photographing a fingerprint at 2400 dots per inch resolution.

"The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market."

So this isn't a procedure that someone is likely to casually reproduce just for the sake of unlocking your phone. But Chaos Computer Club spokesman Frank Rieger says biometric security like Touch ID has more nefarious implications.

"Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access."

To its credit, Chaos Computer Club isn't calling the spoof a hack, but that isn't stopping it from being widely misreported, thanks in part to the sloppy title on the YouTube video. But what is the point of accuracy when there are page views to be had?

Peter Cohen