Chaos Computer Club claims to have "cracked" the iPhone 5s fingerprint sensor

Filed Under: Apple, Featured, iOS

The biometrics team of Germany's well-known Chaos Computer Club (CCC) claims it has "cracked" Apple's Touch ID system.

Touch ID is the fingerprint sensor and the associated software that provides a biometric lock for the brand new iPhone 5s.

Fingerprint readers have been common add-ons to laptops for many years, but never really caught on.

Here's why.

Firstly, fingerprints aren't secret.

All of us inadvertently leave good-quality prints on many surfaces, such as glass, metal and hard plastics.

Additionally, in many countries in the post-9/11 world, many of us have deliberately, and often unavoidably, allowed the authorities, our employers and even businesses such as banks to take high-quality copies of our prints, and to keep them more or less forever.

Secondly, you can't change fingerprints if there's a breach, like you can an ephemeral password.

Thirdly, fingerprint sensor technology has been found wanting in the past, with glue, gelatin and even photocopies with a very thick layer of toner being used as copies that would pass muster as a real finger.

Fourthly, when you're logging into your laptop, being able to use your fingerprint doesn't add an awful lot of convenience.

You've already got a perfectly serviceable keyboard in front of you when you open up your laptop, on which you are probably going to type your username anyway, so why not just stick with what you know: a typed-in password?

Fifthly, there's something unappealing to many people about using biometric data such as fingerprints, DNA or retina scans for anything but the most serious matters of identification.

Biometric objections typically lie somewhere between the visceral and the spiritual, which makes them hard to quantify.

But it is perfectly understandable (laudable, even) to be uneasy about using "something you are" as a way of identifying yourself, especially if it's merely to use a piece of computer hardware you already own outright.

Nevertheless, despite these objections, Apple's Touch ID is supposed to be - may yet still be! - the biometric implementation that will change all this.

It's built into the new iPhone 5s, right in the button you press to start everything up anyway; it seems to work reliably, so it doesn't lock you out all the time; and it doesn't store digital copies of your fingerprints centrally, where they might leak to the world in a data breach.

Better yet, it means you don't need to type in a complicated password on the iPhone's fiddly on-screen keyboard.

Best of all, it works conveniently even for people who would rather do without a regular passcode altogether, so for many users, it might succeed entirely on the basis that "something's better than nothing."

As Apple itself very proudly points out on its website:

You check your iPhone dozens and dozens of times a day, probably more. Entering a passcode each time just slows you down. But you do it because making sure no one else has access to your iPhone is important. With iPhone 5s, getting into your phone is faster, easier, and even a little futuristic. Introducing Touch ID — a new fingerprint identity sensor.

Put your finger on the Home button, and just like that your iPhone unlocks. It’s a convenient and highly secure way to access your phone. Your fingerprint can also approve purchases from iTunes Store, the App Store, and the iBooks Store, so you don’t have to enter your password.

The only fly in the ointment now is that it looks as though Touch ID isn't "highly secure," after all.

It's perhaps not as futuristic as Apple thought, either: the CCC hackers say that they used a technique documented in CCC materials back in 2004.

Greatly simplified, the fingerprint cloning process works like this:

  • Take a high-resolution (2400dpi) photograph of the fingerprint.
  • Digitally invert the image so that the valleys of the print are black.
  • Laser print (1200dpi) the image with a very thick toner setting.
  • Smear white wood glue (or latex) over the printout and allow it to set.
  • Carefully peel off the glue or latex sheet.
  • Breathe on the surface so that it's slightly moist and conductive.
  • Unlock the phone.

So last decade!

The really intriguing aspect of the claim is that the CCC guys didn't start with a photograph taken directly from a finger, which would typically require some sort of co-operation (or heavy inebriation) on the part of the victim.

They say that they used:

...the fingerprint of the phone user, photographed from a glass surface.

The next question is, will they, can they, claim the crowdsourced prizes on offer for doing what they say they did?

And the final question: should you use Touch ID?

I'm the wrong person to ask, because I'd probably say, "No!" on the basis of point 5 alone - a visceral sense that I'd simply rather not do so, especially since I know how to type perfectly well.

My advice, then, is to consider points 1, 2 and 3 above.

If you're happy in the face of those objections, and you aren't fussed by point 5, then...

...hey, it's better than no passcode at all!


11 Responses to Chaos Computer Club claims to have "cracked" the iPhone 5s fingerprint sensor

  1. Tony · 743 days ago

    Currently a phone untouched for 48 hours, or powered off, does still require the password before the Touch ID can be used. What would your thoughts be if that were modifiable to say an hour or 2 of no use and Touch ID expires, requiring the password?

    • Paul Ducklin · 743 days ago

      It wouldn't undo the CCC "hack" or make the biometrics any stronger :-)

      I suppose it might be a good idea to make the Touch ID timeout shorter. Like I said, I'm probably the wrong person to ask, as my personal timeout for Touch ID, were I to acquire an iPhone 5s, would be 0 hours - I'd rather enter the password every time.

  2. John · 743 days ago

    They have published their methodology so let's see if an independent/trusted 3rd party can replicate their results.

    For the securosceptic, replication not claims is the bottom line.

    Frankly the complexity of the method used still seems to offer more security than the person sat next to me watching as I tap in a PIN or just looking at the smears on the screen to break a dot lock. Law enforcement can unlock a 4 digit iPhone PIN in 2.5 hours, ~9-10 numeric digits is recommended for brute force to be unfeasible.

  3. Scott · 743 days ago

    Complex solution. Yes. Times Ten!
    Hackers or spies are assuming users will use index finger, right hand or index finger, left hand, depending on dominance. But the solution is to simply use an alternate finger - and this solution is 10x more difficult.
    I think the fingerprint unlock will speed up our ability to access phones and other devices.
    Just as we use CAPITAL letters and odd patterns in our passwords, now we need to use ring finger, left hand or pinkie finger, right hand if we think a hacker or jealous lover is intending to compromise our phone.

    • anon · 742 days ago

      10x more difficult means it will take about 10 minutes longer.

  4. Jack Wilborn · 743 days ago

    As a retired Law Enforcement Officer, I have yet to see this type of forgery actually work. The many tricks have been tried many times, but as yet I haven't seen any that actually work. I wouldn't use it, which is beside the point, but...

    However, there is always the first time!


  5. eric · 742 days ago

    I've been using a fingerprint scanner on a laptop for the last 5 years or so (ho hum...)... with UAC set on for Windows, it's a great convenience when switching in/out of admin mode, works almost first go every time.

    I'm quite happy for the CCC to do their hacking, but I'd be more interested to know how secure the electronics side of it is, ie. converting/linking the scanned object to a password, I think that's more of a gamechanger if that's cracked.

    After all, in my case at least my laptop is securely locked up when not in use...take as many photocopies as you like CCC!!!!

  6. Guest · 742 days ago

    Well, that didn't take long.

  7. Paul · 741 days ago

    I'm surprised that nobody has pointed out the easiest way in yet - the user's own finger! I don't know about anyone else, but, when I'm asleep, I'm ASLEEP. It would be very easy for someone to put my phone up to my finger (or to try all 10) in order to unlock my phone and gain access to everything. This means that anyone who has access to me when I'm asleep or otherwise unconscious has access to all of my information. Even if my significant other, children, family, and friends are trustworthy, what about strangers on a long plane ride or any other situation where I might not be fully with it in a public setting such as a bar? If I use a password instead, physical proximity to me will only get you close to the phone itself -- it doesn't literally give you a hand with the lock too.

  8. Jack Wilborn · 741 days ago

    I'm surprised that we always think "Fingerprint". We have successfully prosecuted criminals with prints from other parts of the body as they are as unique. How about a nose or toe print. Maybe a problem in Alaska, but all body parts have the same basic design. Use something other than your finger.


    • You'd get some pretty odd looks pressing your phone up to your nose every time you wanted to answer a call though -- maybe you could use your ear.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog