Hackers bypass Apple's Touch ID, earn thousands of dollars

The Chaos Computer Club (CCC) became the first group to bypass Apple's Touch ID.

It took less than 48 hours for a European hacker association known as Chaos Computer Club (CCC) to become the first group to bypass Apple's Touch ID, the anticipated fingerprint scanning security component featured in the iPhone 5s.

The collective has bypassed fingerprint scanning features before, and all it took to duplicate the results on Apple's Touch ID was everyday household items, according to a Saturday post on its website that contained detailed instructions.

First, a high-resolution photograph of the user's fingerprint is taken, cleaned up, and then laser printed onto a transparent sheet with a thick toner setting. Pink latex milk or white wood glue is then smeared into the pattern created by the toner on the transparent sheet.

After the latex or glue settles, it is lifted from the sheet, breathed on to make it moist and placed on the sensor to unlock the phone. The group released a short video showing how the finished product can dupe the Touch ID sensor.

“In reality, Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake,” wrote CCC hacker Starbug, who spearheaded the undertaking.

Starbug is set to earn thousands in cash and prizes courtesy of a crowd-funded initiative launched by security researchers Nick Depetrillo and Robert David Graham, who launched a website encouraging early iPhone 5s adopters to bypass the security feature by lifting a fingerprint and reproducing it.

The take would have been more, but a $10,000 pledge by venture capital firm I/O Capital Partners was reneged on shortly before the prize winner was announced, according to Depetrillo and Graham's website. Updated terms and conditions were posted to the firm's website on Monday.

Arturas Rosenbacher, an I/O Capital Partners founding partner, did not respond to a Monday email from SCMagazine.com seeking an explanation.

“As we have said now for more than years, fingerprints should not be used to secure anything,” Starbug wrote. “You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints.”

Charlie Miller, a security researcher with Twitter who gained fame for finding notable vulnerabilities in Apple products, told SCMagazine.com on Monday that the CCC attack shows how vulnerable the Touch ID is to a skilled adversary.

Miller acknowledged the Touch ID's ease of use, but when it comes to security, the prolific researcher suggested sticking with the four-digit PIN since it is harder to bypass.

“This means as a user, you have to decide who you are worried about,” Miller said. “If you are worried your kids are going to get on your phone and buy in-game purchases or that your coworkers are going to snoop on your text messages, or the cab driver when you forget it on the way to the airport, Touch ID is a nice way to keep them out. If you are worried about professional cyber criminals, law enforcement, or guys like me, then stick with PINs.”
