Hackers bypass Apple’s Touch ID, earn thousands of dollars

It took less than 48 hours for a European hacker association known as Chaos Computer Club (CCC) to become the first group to bypass Apple's Touch ID, the anticipated fingerprint scanning security component featured in the iPhone 5s.

The collective has defeated fingerprint scanning features before, and all it took to duplicate the results on Apple's Touch ID was everyday household items, according to a Saturday post on their website that contained detailed instructions.

First, a high-resolution photograph of the user's fingerprint is taken, cleaned up, and then laser printed onto a transparent sheet with a thick toner setting. Pink latex milk or white wood glue is then smeared into the pattern created by the toner on the transparent sheet.

After the latex or glue settles, it is lifted from the sheet, breathed on to make it moist and placed on the sensor to unlock the phone. The group released a short video showing how the finished product can dupe the Touch ID sensor.

“In reality, Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake,” wrote CCC hacker Starbug, who spearheaded the undertaking.

Starbug is set to earn thousands in cash and prizes courtesy of a crowd-funded initiative started by security researchers Nick Depetrillo and Robert David Graham, who launched a website encouraging early iPhone 5s adopters to bypass the security feature by lifting a fingerprint and reproducing it.

The take would have been more, but venture capital firm I/O Capital Partners reneged on a $10,000 pledge shortly before the prize winner was announced, according to Depetrillo and Graham's website. Updated terms and conditions were posted to the firm's website on Monday.

Arturas Rosenbacher, an I/O Capital Partners founding partner, did not respond to a Monday email from SCMagazine.com seeking an explanation.

“As we have said now for more than years, fingerprints should not be used to secure anything,” Starbug wrote. “You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints.”

Charlie Miller, a security researcher with Twitter who gained fame for finding notable vulnerabilities in Apple products, told SCMagazine.com on Monday that the CCC attack shows how vulnerable the Touch ID is to a skilled adversary.

Miller acknowledged the Touch ID's ease of use, but when it comes to security, the prolific researcher suggested sticking with the four-digit PIN since it is harder to bypass.

“This means as a user, you have to decide who you are worried about,” Miller said. “If you are worried your kids are going to get on your phone and buy in-game purchases or that your coworkers are going to snoop on your text messages, or the cab driver when you forget it on the way to the airport, Touch ID is a nice way to keep them out. If you are worried about professional cyber criminals, law enforcement, or guys like me, then stick with PINs.”