Can we finally admit that in-display fingerprint sensors on phones are terrible, and that no company should use them?

You pull your phone out of your pocket and casually place your thumb on the screen. You feel THAT buzz as your phone refuses entry. Without investing too much focus, you slide your thumb to re-orient, but before you properly place your thumb down again, you feel the “bad buzz”. Now, fully invested with your visual and tactile attention, you prepare for attempt number three…

Best-case scenario, you get into your phone and realize the notification you received really wasn’t worth this effort. Worst case, you have to put in your PIN or password, and the notification was even LESS worth this effort.

We had it so good. What happened?

Touch ID fingerprint security already circumvented using low tech methods

That was fast.

So, the iPhone 5S was officially released two days ago, and Touch ID has already been bypassed. It must have taken an army of L337 haxxors running server farms to crack the protection, right? Well, unfortunately for us fans of biometric security, it would seem that the same low-tech methods for bypassing it still work, even on Apple’s improved fingerprint sensor.

So, as long as you can gain access to someone’s fingerprint (you know, those pesky traces of ourselves we leave after touching just about any surface we come in contact with, even potentially ON the fingerprint reader itself), you can spoof someone’s print well enough to fool Touch ID.

From the Chaos Computer Club (the team responsible for the hack):

“In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake…”

Earlier implementations of optical fingerprint readers could even sometimes be fooled by Silly Putty, so I had very high hopes that Apple’s implementation would solve this problem. The dream of not having to enter complex alphanumeric passwords on an unforgiving touchscreen isn’t quite realized yet.

Now, the process for spoofing your print still requires a little work: taking a high-resolution picture of the print, printing it out, and transferring it to a glue or latex membrane. You have to judge for yourself if the information on your phone is valuable enough for someone to go through this process to try and obtain it. Also, to be fair to Apple, it does require more work to crack than Google’s “Face Unlock” from the front-facing cameras on Android handsets.

Unfortunately, this will likely strike a blow to corporate and government use: while it’s still one of the best implementations of biometric security we’ve seen on a mobile device, it’s still entirely defeatable.

A video demonstrating the exploit can be seen below.

(via CCC)