And, someone claims to have hacked Apple’s Touch ID– the highly vaunted fingerprint identity feature on iPhone 5S. If a fingerprint identity sensor can be hacked so easily, then what’s the point?
Hacked, vs. Compromised vs. Fooled
First, let’s do a recap of Touch ID, what it does, and why it’s useful. Apple claims that about half of all iPhone users don’t use a password to lock their phones.
Why? Ostensibly, entering a password 20 times a day to unlock the iPhone is a flat out hassle of epic proportions, hence most iPhone’s are not locked.
The Touch ID sensor in iPhone 5S makes unlocking as easy as touching the iPhone’s Home button. Typical Apple. Ease of use, and improved security.
Enter Chaos Computer Club. The Touch ID sensor has been hacked, right? Uh, not quite.
Actually, Touch ID has been fooled by a hacking group which jumped through a few hoops to grab a fingerprint, recreate the fingerprint, and apply some CIA-like spy techniques to use the faked fingerprint to unlock a new iPhone 5S.
Here’s how it works.
First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.
Despite the headlines that say Touch ID hacked, and fingerprint identity sensor broken into, the reality is different, and yet far more simple. The hackers fooled the sensor with a complex faked fingerprint which caused the iPhone to unlock.
So, fingerprint sensor identity isn’t a good way to secure your iPhone, right? Uh, not quite.
First, someone needs to steal your iPhone. And, then, they need a crystal clear imprint of the fingerprint used to unlock the iPhone 5S.
Third, they need to walk through the proper steps outlined above to cause the phone to unlock. Try too many times without success and the iPhone 5S can erase itself.
Finally, if you’ve lost your phone or had it stolen by CIA or KGB operatives, you probably have worse problems than a faked fingerprint.
Also, the Touch ID sensor was not hacked; only fooled by the fake fingerprint.
Touch ID vs. Password
This needs to be understood. Apple isn’t claiming absolute security with Touch ID. The claim is convenient security. Touch ID is far more secure than a four digit password, and far easier to use a few dozen times each day. That’s it.
Minnesota Senator Al Franken, of Saturday Night Live fame, chimed in with a few questions and some obvious but misguided observations.
If someone hacks your password, you can change it — as many times as you want. You can’t change your fingerprints. … And you leave them on everything you touch; they are definitely not a secret. Let me put it this way: if hackers get a hold of your thumbprint, they could use it to identify and impersonate you for the rest of your life.
Sounds ominous, right? Except that you can change your fingerprint; at least, the fingerprint you use to unlock the iPhone. Yes, fingerprints are left on nearly everything, but they’re not stored on the iPhone (except maybe the screen or back). Finding one of your fingerprints is child’s play, and it always has been, so how is it a fingerprint could be used to impersonate you for the rest of your life? It cannot.
That’s a ridiculous question in an unlikely, improbable, but remoter than remote possible scenario– for CIA agents. Touch ID is for convenient security, not absolute security, so it has the value Apple says it has. It’s a quick and easy way to unlock your iPhone, a quick and easy way to authenticate online purchases from the iPhone. Nothing less, and nothing more claimed.
Is Touch ID absolute security? No. There’s no such thing (a fact not mentioned by the so-called hackers or critics).
Will Touch ID improve and become more secure? I have no doubts that future versions will provide better scans, and more easily recognize fake fingerprints. What Apple has done is bring a higher level of security and more convenience to the average smartphone user.
What’s interesting about the Chaos Computer Club video is the process they used to fool the sensor. Look closely. The so-called hacker first used his fingerprint to setup Touch ID, then they made a copy of the fingerprint, then, the same hand (not finger) was used to apply the fake fingerprint to the Touch ID sensor to unlock the phone.
As to whether or not the technique actually works as demonstrated and can be replicated easily by others, the jury is still out. As to whether or not Touch ID is an improvement over a password– for security and convenience– there is no doubt.