Tuesday, September 24, 2013

CCC defeats iPhone 5S' Touch ID with copy of fingerprint

Apple fanboys who laughed when Android's facial recognition device lock was defeated by a picture of the user have a little egg on their face today. On Saturday, the Chaos Computer Club claimed they could defeat Apple's new iPhone 5s-only Touch ID feature with -- and posted a video, to prove it.

Touch ID is Apple's new fingerprint recognition feature, allowing users to unlock the phone by simply applying a finger to the Home button. Here is what the CCC said:
The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple's TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates –- again –- that fingerprint biometrics is unsuitable as access control method and should be avoided.
Apple had previously said that Touch ID made the iPhone 5S made the device the most secure and easiest to unlock -- for a user, not a hacker -- ever.

However, the website IsTouchIDhackedyet.com had announced an over $16,000 bounty for the first hack of the Touch ID fingerprint sensor. Many were convinced the sensor could be hacked, though perhaps not this easily.

Notably, one might think it's not that easy to get a scan of someone's fingerprint, but as CCC points out, it's not that hard. The CCC hacker with the nickname Starbug said:
In reality, Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake. As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints.
In terms of "fingerprints everywhere," anyone who watches forensic crime shows can attest to both prints -- and DNA. DNA may be the next frontier of biometrics, but we can already see that will be an issue, too.

Here is the unlock method:
First, the fingerprint of the enroled (sic) user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet.

After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.
Frank Rieger, spokesperson of the CCC said he hopes this puts the idea of fingerprint biometrics to rest:
It is plain stupid to use something that you can´t change [most corporate IT departments will require a user change their password regularly, which -- naturally -- can't be done with fingerprints] and that you leave everywhere every day as a security token. The public should no longer be fooled by the biometrics industry with false security claims.

Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.

No comments: