1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
|
title: Chaos Computer Club breaks Apple TouchID
date: 2013-09-21 22:04:00
updated: 2013-09-24 17:36:33
author: frank
tags: update, pressemitteilung, biometrie, biometrics, apple, touchid, fingerprint
The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple's TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided.
<!-- TEASER_END -->
Apple had released the new iPhone with a fingerprint sensor that was
supposedly much more secure than previous fingerprint technology. A lot
of bogus speculation about the marvels of the new technology and how
hard to defeat it supposedly is had dominated the international
technology press for days.
\
"In reality, Apple's sensor has just a higher resolution compared to the
sensors so far. So we only needed to ramp up the resolution of our
fake", said the hacker with the nickname Starbug, who performed the
critical experiments that led to the successful circumvention of the
fingerprint locking. "As we have said now for more than years,
fingerprints should not be used to secure anything. You leave them
everywhere, and it is far too easy to make fake fingers out of lifted
prints." \[1\]
\
The iPhone TouchID defeat has been documented in a [short
video](http://www.youtube.com/watch?v=HM8b8d8kSNQ).
\
The method follows the steps outlined in [this
how-to](http://dasalte.ccc.de/biometrie/fingerabdruck_kopieren?language=en)
with materials that can be found in almost every household: First, the
fingerprint of the enroled user is photographed with 2400 dpi
resolution. The resulting image is then cleaned up, inverted and laser
printed with 1200 dpi onto transparent sheet with a thick toner setting.
Finally, pink latex milk or white woodglue is smeared into the pattern
created by the toner onto the transparent sheet. After it cures, the
thin latex sheet is lifted from the sheet, breathed on to make it a tiny
bit moist and then placed onto the sensor to unlock the phone. This
process has been used with minor refinements and variations against the
vast majority of fingerprint sensors on the market.
**Update:**
The process described above proved to be somewhat unreliable as the
depth of the ridges created by the toner was a little too shallow.
Therefore an alternative process based on the same principle was
utilized and has been demonstrated in an extended video available
[here](http://heise.de/-1966044 "Refined TouchID hacking process"). First,
the residual fingerprint from the phone is either photographed or
scanned with a flatbed scanner at 2400 dpi. Then the image is converted
to black & white, inverted and mirrored. This image is then printed onto
transparent sheet at 1200 dpi. To create the mold, the mask is then used
to expose the fingerprint structure on photo-senistive PCB material. The
PCB material is then developed, etched and cleaned. After this process,
the mold is ready. A thin coat of graphite spray is applied to ensure an
improved capacitive response. This also makes it easier to remove the
fake fingerprint. Finally a thin film of white wood glue is smeared into
the mold. After the glue cures the new fake fingerprint is ready for
use.
\
"We hope that this finally puts to rest the illusions people have about
fingerprint biometrics. It is plain stupid to use something that you
can´t change and that you leave everywhere every day as a security
token", said Frank Rieger, spokesperson of the CCC. "The public should
no longer be fooled by the biometrics industry with false security
claims. Biometrics is fundamentally a technology designed for oppression
and control, not for securing everyday device access." Fingerprint
biometrics in passports has been introduced in many countries despite
the fact that by this global roll-out no security gain can be shown.
iPhone users should avoid protecting sensitive data with their precious
biometric fingerprint not only because it can be easily faked, as
demonstrated by the CCC team. Also, you can easily be forced to unlock
your phone against your will when being arrested. Forcing you to give up
your (hopefully long) passcode is much harder under most jurisdictions
than just casually swiping your phone over your handcuffed hands.
\
Many thanks go to the Heise Security team which provided the iPhone 5s
for the hack quickly. More details on the hack will be reported there.
**Links**:
\[1\] [Fingerprint Recognition at the Supermarket as insecure as
Biometrics in
Passports](https://ccc.de/en/updates/2007/umsonst-im-supermarkt) (2007)
|