Mobile Technology

Hackers claim to have bypassed iPhone 5s' Touch ID fingerprint authentication system

Hackers claim to have bypassed...
Hackers demonstrate a workaround to Apple's touted Touch ID system (photo from Starbug's video demoing the trick)
Hackers demonstrate a workaround to Apple's touted Touch ID system (photo from Starbug's video demoing the trick)
View 2 Images
Hackers demonstrate a workaround to Apple's touted Touch ID system (photo from Starbug's video demoing the trick)
Hackers demonstrate a workaround to Apple's touted Touch ID system (photo from Starbug's video demoing the trick)
A dummy fingerprint from Chaos Computer Club's "tutorial" for bypassing fingerprint biometrics (Photo: Chaos Computer Club)
A dummy fingerprint from Chaos Computer Club's "tutorial" for bypassing fingerprint biometrics (Photo: Chaos Computer Club)

Hackers out of Germany have already found a workaround to the iPhone 5s' Touch ID system. Using a dummy fingerprint obtained from a real fingerprint, the hacker Starbug was able to unlock a phone in a hack that an outside group is certifying. Claiming fingerprint biometrics were never secure in the first place, the hackers say it was a simple matter to get access.

The Chaos Computer Club used a technique that relies on obtaining a real, physical fingerprint for the phone’s user. The print is dusted, photographed, and laser printed onto overhead transparency. Crazy Glue is applied over the copy to create a membrane which acts as the dummy fingerprint. The club argues that Apple’s improvements to the technology only involved a higher resolution of scanning, and thus, the only change to the hack was to photograph and print a higher resolution image.

While it’s important to note that the storage of the numerical fingerprint data itself is not known to be hackable and the information is not shared beyond the phone, one of the selling points of Touch ID is that it can be used to make purchases and unlock a phone that hasn't been rebooted. Additionally, fingerprints can be obtained from any hard smooth surface, such as the iPhone itself, creating a situation where the lock is bundled with its very own key, though this scenario was not attempted in the club’s hack.

The website Is Touch ID Hacked Yet? documented and will certify the legitimacy of the hack.

In as statement on the website, the club makes it clear that their issue is with the industry’s increasing reliance on biometric technology which they find to be unsafe and unwise.

Starbug's video documenting the initial setup of the iPhone’s Touch ID and the subsequent hacking can be seen here.

Source: Chaos Computer Club, Is Touch ID Hacked Yet, Apple via The Guardian

A tester I used to work with (when we were working on biometric security some 14 years ago) used to say, "Hah, biometrics! The password you can never change."
Steve Lane
Not a very impressive hack. It might just work for a nosey partner or secret agent with a strategically placed wine glass but otherwise not a realistic proposition. It will be almost impossible to get an unsmudged print from the phone. I have an all glass phone and although it is a fingerprint magnate they are all unsurprisingly hopelessly smudged. The real challenge is in unlocking any iPhone 5s by electronic means.
Paul Sheriff
not that great i agree some 1 would have to go to great lengths to get your finger print and follow you about its a iPhone not a bar of gold its not like the Mafia will be cutting fingers of soon and as for a partner looking in your phone well when drunk use the finger to access the phone then add your own print to the list job done
No one cares whats on your phone, except the government and they don't need your fingerprint when they tap the service provider.
Ron Spicer
Duh, like who cares any one in there right mind knows there is no such thing as a 100% secure computer device (except a dead one with out any previously stored data). The point of finger scan is for a simple protection, better then pin code of 4 numbers. Combine finger scan with a pin code and bam, even a bit safer from easy access. Easier then a 15 place pass code of mixed numbers, symbols, and letters of which some have to be capital. Who likes trying to remember that. I do not like the idea of a retina scan of my eye so for now hackers waste your time showing it can be done we already new that. But we also know that our cars can be stolen also. Or our encrypted WIFI can be hacked. Maybe if people were not so devious and bad full of doom the world could just go on a bit longer before self destruction.
A lot of fanfare about nothing. Firstly, you will need to copy the correct fingerprint (all ten are different), so you have a one in ten chance there. Then there is getting the cooperation of the owner of the iPhone, unless he's dead in which case you can steal ten fingerprints while your thieving the phone. Secondly, is it worth all that trouble just to steal a phone? I'll continue to rely on the fingerprint, thank you very much, and if it is ever compromised, which I doubt, then I'll just scan another finger, too easy.
Chris Winter
While not really a hack, i think those defending apples move to fingure print scanning need to take a step back and think about where we are heading with this, and the implications to our own privacy and human rights.
At present, you are only "fingerprinted" if you commit a crime.
This opens up the possibility for EVERYONE to be identified in this way. Sure it's only local to the phone NOW....but for how long? And what other companies are watching to see if the public lets them get away with it?
No i dont wear tin foil hats OR fear the system. But i do apprciate my right to be truely free as an individual and thus I excercise my right to NOT buy into this way of doing things.
Equally, others are free to adopt it, but with eyes wide open.
@Chris This is incorrect.
If you work for certain institutions they WILL fingerprint you. E.g. Working for a Bank. They already are using fingerprinting beyond if you commit a crime.
Government is collecting Meta-Data on every call we make, and receive, e-mails, tweets, they are recording every phonecall in those two new facilities they just built out west. (just in case they ever THINK you have committed a crime, ) then they get a warrant and listen to everything recorded there. This is , of course after a computer has scanned those calls for key words relating to terrorism (Have you seen the list of key words? It's HUGE!) We know Government has pressured Carriers into providing access to private data while forbidding the carrier to notify the targeted citizen, and now phones will collect finger prints......hmmmm. For what reason do you believe the prints will stay local to the phone? 911 GPS can not be turned off in the new phones, unless the phone is turned completely off, so why would the phone be restricted to not send any other data? like a stored fingerprint to central storage for "safe keeping" or cloud storage, as a back-up/ restore feature? This is not paranoia, too many lies and backdoors have come out in the news lately for that. We are being profiled by our own Government, and I don't like it at all.