TouchID Hacked, But Is It Really?

Within two days of the iPhone 5s’s release, it was hacked by a German team named the Chaos Computer Club. But does that really compromise your security? I would think not. Read on for more…

I’m not going to bother rewriting a news article on what happened. I’m here to give a commentary, to give an opinion. I assume you already know what happened, but if you don’t, I have quoted Forbes here.

For a few German hackers, breaking Apple’s much-hyped fingerprint reader seems to have been little more than a one-weekend project.

On Sunday, the Berlin-based hacker group known as the Chaos Computer Club–and more specifically a member of the group who goes by the name Starbug–announced that they’ve managed to crack the iPhone 5s’s fingerprint reader just two days after it was released.

In the YouTube video posted along with their announcement (above), a CCC hacker demonstrates that he or she can register an index finger on the phone, and then, by covering the same hand’s middle finger with a piece of latex with the spoofed index finger print, access the phone in seconds.

Here’s the group’s step-by-step description of how their spoofed fingerprint trick works:

First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone.

The CCC takes the opportunity to puncture the “bogus speculation about the marvels of the new technology and how hard to defeat it is,” and writes that this process differs only slightly from a method Starbug posted nearly ten years ago. The only difference, according to Starbug, is the relatively high resolution image that Apple’s reader requires.

Since Wednesday night, hackers have been pooling together nearly $20,000 in cash pledges and donations in the cryptocurrency Bitcoin, along with other items like bottles of whiskey and wine, as a reward for the first individual to successfully hack TouchID and prove it in a video. On the website, the status shifted Sunday from “No!,” to “Maybe!” Security researcher Robert David Graham, one of the creators of that bounty project, says he’s currently communicating with CCC hackers to confirm that their trick works and falls within the contest’s rules–specifically that a finger from a person other than the phone’s owner rather than just a different finger from the same person can be used to break TouchID.

Starbug has uploaded another video showing that the trick also works with another person’s finger wearing the latex spoofed fingerprint:

Knowing the CCC, which has a reputation as one of the oldest and most well-respected groups of hackers and security researchers in the world, this is likely a legitimate hack, and proves that the security community has been wise to caution against blindly turning off the iPhone’s passcode protections in favor of an untested security feature, and one where the biometric data needed to crack the phone–unlike a PIN–is largely unchangeable and stored on a phone’s glass surface after every touch if the user isn’t careful to wipe it away.

“We hope that this finally puts to rest the illusions people have about fingerprint biometrics,” writes CCC spokesperson Frank Rieger. “It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token.”

The fingerprint hack isn’t the first to afflict the new iPhone and its operating system, iOS 7. Over the last week, other iPhone users have demonstrated that iOS 7’s lockscreen can be bypassed with far simpler tricks, including one that offers access to the phone’s photos and all their associated sharing functions including the user’s email, Twitter, Facebook and Flickr, and another hack that allows phone calls to be made using a locked phone’s emergency call function.

Apple has promised to fix both of those bugs in upcoming software updates. The TouchID hack will no doubt be much harder to patch.

In the meantime, read the CCC’s full announcement on its TouchID hack here.

There are several things to take note of here, especially in the method used to hack it and gain access to the phone. Firstly, you need to be able to take a photograph with 2400 dpi resolution. To put it into context, your average scanner only scans at 300 dpi. After that, “the resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting.” Laser printed. 1200 dpi. That means you have nothing to fear from your common thief. It’s the thief who makes a living by hacking iPhones that you should be worried about, but even then, here’s why you should not be worried.

You see, even if the professional thief can theoretically hack into your phone, they have to first get your fingerprint. Either they get it from your finger (somehow, even though they need to take an ultra high resolution picture of it, AND know which finger you use to unlock your phone) or they get it from someplace you touched, and reverse engineer that fingerprint on a glossy surface, and create their fake finger.

Now you must be thinking: “But my iPhone is glossy and my fingers are always touching it!” True, but look at your phone. Do you see any clearly formed fingerprints on it? Or is everything smudged from polishing your screen, or the movement of your fingers over the surface of the phone? Because I don’t see any fingerprints on mine, and you would need a very good fingerprint to reverse engineer a fake finger from. And if you do see that your phone actually has fingerprints all over it, learn to adapt, and learn to brush off these prints habitually as you use the phone.

Or you can avoid even retraining yourself, because the iPhone 5s’s security consists not only of its fancy schmancy, newfangled TouchID. It also has Activation Lock, described on the Apple site as such:

iOS 7 includes a new feature called Activation Lock, which makes it more difficult for anyone to use or sell your iPhone, iPad or iPod touch once it’s gone missing or has been stolen. And it starts working the moment you turn on Find My iPhone in iOS 7. Turning off Find My iPhone or erasing your device requires your Apple ID and password. And your Apple ID and password are required before anyone can reactivate it.

The moment you realise that your new iPhone 5s is missing is the moment that you can prevent the thieves from accessing your phone, and lock them out forever. If you have an iPad, then use Find My iPhone and remotely lock the device. And remote erase it, so all your personal information is secure. Apple’s site describes Remote Erase as such:

Sometimes it’s better to be safe than sorry. If you’re worried that your device has fallen into the wrong hands, you may want to initiate a remote wipe to delete your personal data and restore your iPhone, iPad, iPod touch or Mac to its factory settings. With iOS 7, Find My iPhone can continue to display your customised message, even after your device has been erased. And if you do retrieve your device, you can restore it from your iCloud backup.

So initiate that remote wipe and display a message there. Now, only a person with your Apple ID and password can access the phone. However unlikely that is, to be extra careful, just change your Apple ID to something incredibly random, complicated and long, with capital letters and numbers interspersed between the other letters. Something like w0RmBe1Ldab3Ast5519 should be very hard to crack, for example, and you can always change it later when you have your phone back.

So unless your thief is a friend whom you have cleared for access to your phone through the fingerprint sensor (and if it is, get better friends), there really is nothing much you should be worried about. Your task after locking your phone out would then only consist of Finding Your iPhone, and tracking it down, or hoping that the thief would return your phone to you (albeit surreptitiously).

Of course, there is one more risk, which is that the thief might, right after stealing your phone, unlock it using your own finger (a one in 10 chance of guessing which finger correctly the first time, or two in 10 if you authorized two fingers, and so on) while you are still unaware, and then run off. But even then, you can report your phone as lost using Find My iPhone, and they cannot disable Find My iPhone without your Apple ID (see the many layers of security present?).

What about if your finger is severed? Well, let us assume they get the correct finger (I can think of one easy way for a thief to determine which finger you use to unlock your phone. They would just have to ask for the time, or even better, directions, and hope you take out and unlock your phone, and note which finger is used).

According to Mashable, the iPhone 5s’s fingerprint sensor detects the sub-epidermal layers of your skin. This basically means that it won’t work unless the finger used is also attached to a living human being. So a severed finger will not work.

“The [RF capacitive sensor] technology is built in a way that the [fingerprint] image has to be taken from a live finger,” Sebastien Taveau, an expert on fingerprint technology, told Mashable.

There is always the risk that they can recreate your fingerprint and print it on latex, and do as the hackers from CCC did. But by then, you’d have bigger problems to worry about. And even then there is a saving grace. Unless you are alone, there are few who would dare to do that, especially in a developed country. It is one thing to sneakily snatch someone’s belongings away; it is another to slice off a person’s finger and run away. The thief would simply get caught by passers-by.

So don’t walk alone, don’t use Apple’s Earpods, and don’t worry. Ultimately, the security system is far better than before, and far harder to crack than previous iPhones and their operating systems, and you and your belongings should still be safer than before.

That’s all folks. What do you think about the security in the iPhone 5s? Do drop a comment down in the comments section below, and do like our Facebook page, and follow our Twitter to receive updates from us on the go, and share this story with your friends and family.
