Hackers from the venerable Chaos Computer Club in Germany have found a method for bypassing the new iPhone 5S Touch ID fingerprint security mechanism. The method, which is the first known technique for circumventing the iPhone’s newest security feature, involves taking a picture of a user’s fingerprint and then creating a latex copy of it to unlock the phone.
Since the TouchID mechanism was unveiled earlier this month, security researchers have been looking for ways to get around it. The CCC appears to have won the race, using a combination of a high-resolution picture and a latex mold of the user’s fingerprint in order to bypass the Touch ID security feature.
“First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market,” the CCC said in a statement.
The group, which has been active in security circles for decades, also posted a video demonstrating the technique. They said they were motivated to defeat the Touch ID in order to show that fingerprint biometrics don’t work.
“We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can´t change and that you leave everywhere every day as a security token”, said Frank Rieger, a spokesperson for the CCC. “The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.” Fingerprint biometrics in passports has been introduced in many countries despite the fact that by this global roll-out no security gain can be shown.
Last week, a group of security researchers put together an informal effort to raise money for a bounty to reward whoever was first to hack Touch ID. Starbug, the CCC member who pulled off the Touch ID hack, will get that bounty, which amounts to nearly $10,000 as well as some other prizes, such as Bitcoins, wine and books.
Image from Flickr photos of Randy Chiu.