Touch ID fingerprint security already circumvented using low tech methods

That was fast.

So, iPhone 5S was officially released two days ago, and Touch ID has already been bypassed. It must have taken an army of L337 haxxors running server farms to crack the protection, right? Well, unfortunately for us fans of biometric security, it would seem that the same low-tech bypass methods still work, even on Apple’s improved fingerprint sensor.

So, as long as you can gain access to someone’s fingerprint (you know, those pesky traces of ourselves we leave after touching just about any surface we come in contact with, even potentially ON the fingerprint reader itself), you can spoof someone’s print well enough to fool Touch ID.

From the Chaos Computer Club (the team responsible for the hack):

“In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake…”

Earlier implementations of optical fingerprint readers could even sometimes be fooled by silly putty, so I had very high hopes that Apple’s implementation would solve this problem. The dream of not having to enter complex alpha-numeric passwords on an unforgiving touchscreen isn’t quite realized yet.

Now the process for spoofing your print still requires a little work: making sure you can take a high-resolution picture of the print, printing it out, and transferring it to a glue or latex membrane. You have to judge for yourself if the information on your phone is valuable enough for someone to go through this process to try and obtain it. Also, to be fair to Apple, it does require more work to crack than Google’s “Face Unlock” from the front-facing cameras on Android handsets.

Unfortunately, this will likely strike a blow to corporate and government use: while it’s still one of the best implementations of biometric security we’ve seen on a mobile device, it’s still entirely defeatable.

A video demonstrating the exploit can be seen below.

(via CCC)