Chaos Computer Club claims to have “cracked” the iPhone 5s fingerprint sensor

The biometrics team of Germany’s well-known Chaos Computer Club (CCC) claims it has “cracked” Apple’s Touch ID system.

Touch ID is the fingerprint sensor and the associated software that provides a biometric lock for the brand new iPhone 5s.

Fingerprint readers have been common add-ons to laptops for many years, but never really caught on.

Here’s why.

Firstly, fingerprints aren’t secret.

All of us inadvertently leave good-quality prints on many surfaces, such as glass, metal and hard plastics.

Additionally (in many countries in the post-9/11 world) many of us deliberately, often unavoidably, have allowed the authorities, our employers and even businesses such as banks to take high-quality copies of our prints, and to keep them pretty much for ever.

Secondly, you can’t change fingerprints if there’s a breach, like you can an ephemeral password.

Thirdly, fingerprint sensor technology has been found wanting in the past, with glue, gelatin and even photocopies with a very thick layer of toner being used as copies that would pass muster as a real finger.

Fourthly, when you’re logging into your laptop, being able to use your fingerprint doesn’t add an awful lot of convenience.

You’ve already got a perfectly servicable keyboard in front of you when you open up your laptop, on which you are probably going to type your username anyway, so why not just stick with what you know: a typed-in password?

Fifthly, there’s something unappealing to many people about using biometric data such as fingerprints, DNA or retina scans for anything but the most serious matters of identification.

Biometric objections typically lie somewhere between the visceral and the spiritual, which makes them hard to quantify.

But it is perfectly understandable (laudable, even) to be uneasy about using “something you are” as a way of identifying yourself, especially if it’s merely to use a piece of computer hardware you already own outright.

Nevertheless, despite these objections, Apple’s Touch ID is supposed to be – may yet still be! – the biometric implementation that will change all this.

It’s built in to the new iPhone 5s, right in the button you press to start everything up anyway; it seems to work reliably, so it doesn’t lock you out all the time; and it doesn’t store digital copies of your fingerprints centrally where they might leak to the world in a data breach.

Better yet, it means you don’t need to type in a complicated password on the iPhone’s fiddly on-screen keyboard.

Best of all, it works conveniently even for people who would rather do without a regular passcode altogether, so for many users, it might succeed entirely on the basis that “something’s better than nothing.”

As Apple itself very proudly points out on its website:

You check your iPhone dozens and dozens of times a day, probably more. Entering a passcode each time just slows you down. But you do it because making sure no one else has access to your iPhone is important. With iPhone 5s, getting into your phone is faster, easier, and even a little futuristic. Introducing Touch ID — a new fingerprint identity sensor.

Put your finger on the Home button, and just like that your iPhone unlocks. It’s a convenient and highly secure way to access your phone. Your fingerprint can also approve purchases from iTunes Store, the App Store, and the iBooks Store, so you don’t have to enter your password.

The only fly in the ointment now is that it looks as though Touch ID isn’t “highly secure,” after all.

It’s perhaps not as futuristic as Apple thought, either: the CCC hackers say that they used a technique documented in CCC materials back in 2004.

Greatly simplified, the fingerprint cloning process works like this:

  • Take a hi-res (2400dpi) photograph of the fingerprint.
  • Digitally invert the image so that the valleys of the print are black.
  • Laser print (1200dpi) the image with a very thick toner setting.
  • Smear white woodglue (or latex) over the printout and allow to set.
  • Carefully peel off the glue or latex sheet.
  • Breathe on the surface so it’s slightly moist and conductive.
  • Unlock phone.

So last decade!

The really intriguing aspect of the claim is that the CCC guys didn’t start with a photograph taken directly from a finger, which would typically require some sort of co-operation (or heavy inebriation) on the part of the victim.

They say that they used:

...the fingerprint of the phone user, photographed from a glass surface.

The next question is, will they, can they, claim the crowdsourced prizes on offer for doing what they say they did?

And the final question: should you use Touch ID?

I’m the wrong person to ask, because I’d probably say, “No!” on the basis of point 5 alone – a visceral sense that I’d simply rather not do so, especially since I know how to type perfectly well.

My advice, then, is to consider points 1, 2 and 3 above.

If you’re happy in the face of those objections, and you aren’t fussed by point 5, then…

…hey, it’s better than no passcode at all!