-rw-r--r-- updates/2013/ccc-breaks-apple-touchid.en.md 72
1 files changed, 72 insertions, 0 deletions
diff --git a/updates/2013/ccc-breaks-apple-touchid.en.md b/updates/2013/ccc-breaks-apple-touchid.en.md
new file mode 100644
index 00000000..61dfe186
--- /dev/null
+++ b/updates/2013/ccc-breaks-apple-touchid.en.md
@@ -0,0 +1,72 @@
1title: Chaos Computer Club breaks Apple TouchID
2date: 2013-09-21 22:04:00
3updated: 2013-09-22 18:11:56
4author: frank
5tags: update, pressemitteilung, biometrie, biometrics, apple, touchid
6
7The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple's TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided.
8
9
10<!-- TEASER_END -->
11
12Apple had released the new iPhone with a fingerprint sensor that was
13supposedly much more secure than previous fingerprint technology. A lot
14of bogus speculation about the marvels of the new technology and how
15hard to defeat it supposedly is had dominated the international
16technology press for days.
17
18\
19"In reality, Apple's sensor has just a higher resolution compared to the
20sensors so far. So we only needed to ramp up the resolution of our
21fake", said the hacker with the nickname Starbug, who performed the
22critical experiments that led to the successful circumvention of the
23fingerprint locking. "As we have said now for more than years,
24fingerprints should not be used to secure anything. You leave them
25everywhere, and it is far too easy to make fake fingers out of lifted
26prints." \[1\]
27
28\
29The iPhone TouchID defeat has been documented in a [short
30video](http://www.youtube.com/watch?v=HM8b8d8kSNQ).
31
32\
33The method follows the steps outlined in [this
34how-to](http://dasalte.ccc.de/biometrie/fingerabdruck_kopieren?language=en)
35with materials that can be found in almost every household: First, the
36fingerprint of the enroled user is photographed with 2400 dpi
37resolution. The resulting image is then cleaned up, inverted and laser
38printed with 1200 dpi onto transparent sheet with a thick toner setting.
39Finally, pink latex milk or white woodglue is smeared into the pattern
40created by the toner onto the transparent sheet. After it cures, the
41thin latex sheet is lifted from the sheet, breathed on to make it a tiny
42bit moist and then placed onto the sensor to unlock the phone. This
43process has been used with minor refinements and variations against the
44vast majority of fingerprint sensors on the market.
45
46\
47"We hope that this finally puts to rest the illusions people have about
48fingerprint biometrics. It is plain stupid to use something that you
49can´t change and that you leave everywhere every day as a security
50token", said Frank Rieger, spokesperson of the CCC. "The public should
51no longer be fooled by the biometrics industry with false security
52claims. Biometrics is fundamentally a technology designed for oppression
53and control, not for securing everyday device access." Fingerprint
54biometrics in passports has been introduced in many countries despite
55the fact that by this global roll-out no security gain can be shown.
56
57iPhone users should avoid protecting sensitive data with their precious
58biometric fingerprint not only because it can be easily faked, as
59demonstrated by the CCC team. Also, you can easily be forced to unlock
60your phone against your will when being arrested. Forcing you to give up
61your (hopefully long) passcode is much harder under most jurisdictions
62than just casually swiping your phone over your handcuffed hands.
63
64\
65Many thanks go to the Heise Security team which provided the iPhone 5s
66for the hack quickly. More details on the hack will be reported there.
67
68**Links**:
69
70\[1\] [Fingerprint Recognition at the Supermarket as insecure as
71Biometrics in
72Passports](https://ccc.de/en/updates/2007/umsonst-im-supermarkt) (2007)
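
Review bot: line 23 of the new file reads "for more than years", so the quantity is missing from Starbug's quote; restore it from the original statement rather than guessing before this is published. Smaller points in the same hunk: line 36 has "enroled" (should be "enrolled"), and line 49 writes "can´t" with an acute accent instead of an apostrophe. The lone "\" lines at 18, 28, 32, 46 and 64 look like leftovers from a format conversion and will render as stray backslashes or forced breaks depending on the Markdown engine, so they should be dropped. The YouTube link on line 30 uses http:// while the footnote link on line 72 uses https://; switch the video link to https, and check whether the how-to host on line 34 serves https as well.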