September 24, 2013 12:29 pm

How the iPhone 5S fingerprint scanner was hacked

AP Photo/Ng Han Guan

TORONTO – Two days after the iPhone 5S hit the shelves, German hacking group Chaos Computer Club hacked the TouchID fingerprint scan.

How did they do it? According to the CCC website:

  • fingerprint of the user is photographed with 2400 dpi resolution
  • image is cleaned up, inverted and laser-printed with 1200 dpi onto transparent sheet with a thick toner setting
  • pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet
  • after it cures, thin latex sheet is lifted from the sheet, breathed on (to make it a tiny bit moist) and then placed onto the sensor to unlock the phone

Watch the video here:

The post said the CCC’s biometrics hacking team was responsible, with a hacker nicknamed Starbug finding the key.

“We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can´t change and that you leave everywhere every day as a security token,” said Frank Rieger, spokesperson of the CCC, in a statement on Saturday.

Story continues below

The group also noted this hacking method has been around for years; the difference is they needed a higher resolution for their fake because Apple’s sensor has a higher resolution than previous sensors.

The hack was announced on IsTouchIDHackedYet.com along with the prize of thousands of dollars and some bitcoin, which will be donated to CCC-Berlin spinoff Raumfahrtagentur (no word if the Bourbon and other bottles of booze will be donated).

U.K. computer security researcher Nick DePetrillo was one of the bounty donors, and tweeted the following Monday afternoon:

Fellow computer security expert Robert Graham wrote a blog post Monday on what the hack means.

Graham believes that while it’s not too much trouble for a private investigator or a kid with lots of time on his hands, TouchID “isn’t completely useless.” He said many people don’t bother to enter a 4-digit PIN to lock their phone, so if people are using Touch ID security instead of none, it’s a good thing.

He also suggested a way to prevent the hack: use your ring or pinky finger since you use those less, which means they’re the most difficult to retrieve from the surface of your phone or other surfaces you touch.

© Shaw Media, 2013

Report an error

Comments

blog comments powered by Disqus Add a Comment