diff options
-rw-r--r-- | updates/2013/ccc-breaks-apple-touchid.en.md | 72 |
1 files changed, 72 insertions, 0 deletions
diff --git a/updates/2013/ccc-breaks-apple-touchid.en.md b/updates/2013/ccc-breaks-apple-touchid.en.md new file mode 100644 index 00000000..61dfe186 --- /dev/null +++ b/updates/2013/ccc-breaks-apple-touchid.en.md | |||
@@ -0,0 +1,72 @@ | |||
1 | title: Chaos Computer Club breaks Apple TouchID | ||
2 | date: 2013-09-21 22:04:00 | ||
3 | updated: 2013-09-22 18:11:56 | ||
4 | author: frank | ||
5 | tags: update, pressemitteilung, biometrie, biometrics, apple, touchid | ||
6 | |||
7 | The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple's TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided. | ||
8 | |||
9 | |||
10 | <!-- TEASER_END --> | ||
11 | |||
12 | Apple had released the new iPhone with a fingerprint sensor that was | ||
13 | supposedly much more secure than previous fingerprint technology. A lot | ||
14 | of bogus speculation about the marvels of the new technology and how | ||
15 | hard to defeat it supposedly is had dominated the international | ||
16 | technology press for days. | ||
17 | |||
18 | \ | ||
19 | "In reality, Apple's sensor has just a higher resolution compared to the | ||
20 | sensors so far. So we only needed to ramp up the resolution of our | ||
21 | fake", said the hacker with the nickname Starbug, who performed the | ||
22 | critical experiments that led to the successful circumvention of the | ||
23 | fingerprint locking. "As we have said now for more than years, | ||
24 | fingerprints should not be used to secure anything. You leave them | ||
25 | everywhere, and it is far too easy to make fake fingers out of lifted | ||
26 | prints." \[1\] | ||
27 | |||
28 | \ | ||
29 | The iPhone TouchID defeat has been documented in a [short | ||
30 | video](http://www.youtube.com/watch?v=HM8b8d8kSNQ). | ||
31 | |||
32 | \ | ||
33 | The method follows the steps outlined in [this | ||
34 | how-to](http://dasalte.ccc.de/biometrie/fingerabdruck_kopieren?language=en) | ||
35 | with materials that can be found in almost every household: First, the | ||
36 | fingerprint of the enroled user is photographed with 2400 dpi | ||
37 | resolution. The resulting image is then cleaned up, inverted and laser | ||
38 | printed with 1200 dpi onto transparent sheet with a thick toner setting. | ||
39 | Finally, pink latex milk or white woodglue is smeared into the pattern | ||
40 | created by the toner onto the transparent sheet. After it cures, the | ||
41 | thin latex sheet is lifted from the sheet, breathed on to make it a tiny | ||
42 | bit moist and then placed onto the sensor to unlock the phone. This | ||
43 | process has been used with minor refinements and variations against the | ||
44 | vast majority of fingerprint sensors on the market. | ||
45 | |||
46 | \ | ||
47 | "We hope that this finally puts to rest the illusions people have about | ||
48 | fingerprint biometrics. It is plain stupid to use something that you | ||
49 | can´t change and that you leave everywhere every day as a security | ||
50 | token", said Frank Rieger, spokesperson of the CCC. "The public should | ||
51 | no longer be fooled by the biometrics industry with false security | ||
52 | claims. Biometrics is fundamentally a technology designed for oppression | ||
53 | and control, not for securing everyday device access." Fingerprint | ||
54 | biometrics in passports has been introduced in many countries despite | ||
55 | the fact that by this global roll-out no security gain can be shown. | ||
56 | |||
57 | iPhone users should avoid protecting sensitive data with their precious | ||
58 | biometric fingerprint not only because it can be easily faked, as | ||
59 | demonstrated by the CCC team. Also, you can easily be forced to unlock | ||
60 | your phone against your will when being arrested. Forcing you to give up | ||
61 | your (hopefully long) passcode is much harder under most jurisdictions | ||
62 | than just casually swiping your phone over your handcuffed hands. | ||
63 | |||
64 | \ | ||
65 | Many thanks go to the Heise Security team which provided the iPhone 5s | ||
66 | for the hack quickly. More details on the hack will be reported there. | ||
67 | |||
68 | **Links**: | ||
69 | |||
70 | \[1\] [Fingerprint Recognition at the Supermarket as insecure as | ||
71 | Biometrics in | ||
72 | Passports](https://ccc.de/en/updates/2007/umsonst-im-supermarkt) (2007) | ||