Share:

Apple’s Touch ID Bypassed by Fingerprint Image, Fake ‘Gelatin Finger’ [VIDEO]

Share:

Screen Shot 2013 09 22 at 12 52 22 PM

Security researchers have already put a bounty on the first people to hack Apple’s Touch ID security, but new videos have surfaced which claim to be able to bypass the fingerprint sensor using a high resolution print image and also a fake ‘gelatine finger’.

First we have the Chaos Computer Club, which has posted a video claiming how Touch ID was able to be bypassed using a 1200 dpi image of a user’s fingerprint on a thin latex sheet. Here’s how it was accomplished:

First, the fingerprint of the enroled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.

Their video (with shaky fingers) below:

Next, we have Security Strategist at Fortinet, Richard Henderson, who was able to bypass Touch ID using a homemade gelatine ‘finger’, which was able to register and eventually unlock the device. He also concludes Touch ID possibly isn’t scanning subdermally based on his tests:

I have been able to successfully enroll a “fake” finger and get it to unlock the phone. This implies that the sensor isn’t scanning subdermally, but like many other sensors, is using the microscopic differences in the epidermal thickness to generate the fingerprint calculation. This is a pretty big deal, as it means the sensors used believe a gelatin finger is a real one.

Henderson also reacted to the latest Touch ID hack today by the Chaos Computer Club, saying Apple should include two-factor authentication in iOS with Touch ID, using both a scan and passcode for the ultimate security. He also says “Never underestimate the determination of the hacker community.”

For someone to hack your Touch ID security, they would need a high resolution print of your finger, which most likely would take some work. In other news, keep your eyes on the stock prices of gelatin companies.

 

Share:

  • einsteinbqat

    Unlocking his own phone with his own finger…

  • Jim

    Attach that fake finger (in both cases above) to a wooden stick and I’ll believe it. Do they not realize it does not scan the surface finger print?

  • Supacon

    If someone got your phone they’d still have to manage to make a high-quality fake print that worked in under 5 tries and do this within 48 hours. You still need the password if you fail authentication five times or it has been more than 48 hours since you unlocked your phone. That, and I’m doubtful about the ability of someone to make a sufficiently high-quality fake from partial prints left lying around when this proof-of-concept used a very high-resolution scanner on an actual finger.

    This doesn’t worry me at all, but it is interesting to see that it can be done, so it is less secure than Apple implied. Still… this is far more secure than a 4-digit pin. All you have to do to get that is shoulder surf someone when they enter it… Or just guess something obvious.

    I guess for ultimate security for those who are… I dunno, CIA agents or something, there should be an option to require both a password and a print.

  • Supacon

    The dude used a different finger than the one that he just enrolled. (Presumably he didn’t have that finger enrolled.)

  • Jim

    You can enlist five different fingers to do the unlock. Are you saying he didn’t scan that second finger? The video is a fake.

  • Supacon

    Umm… you can see clearly in the video (right at the beginning) that this phone starts out with no fingerprints enrolled.

  • Tyler Hojberg

    I don’t think this proves you can use a fake finger to unlock the device when an actual finger was enrolled. Nor does it prove that the scanner isn’t scanning sub epidermal layers of skin. We constantly replace skin cells that leave infractions in our fingerprints – but below the skin the print remains intact, requiring the scanner to scan below these layers to gather a proper print. If a gelatine copy of a finger is made, theoretically is would copy these imperfections, and the Touch ID may reject the print if it is unable to scan the sub-epidermal layers if they do not exist (as they wouldn’t on a fake finger). Seeing as the top layer of skin on a finger is constantly being replaced. Additionally, the video only shows a fake finger being enrolled and granted access. If you can register a real finger, copy it, and use the fake gelatine copy to gain access to the device, then I’d say there’s a minor security issue, here.

  • Magrat22

    How is this proof of someone else hacking your phone. The same person who owned the phone used a latex imprint of his own finger to open it. Surely it was reading behind the latex as has been shown in another video you can open the iPhone while wearing latex gloves! Just my thinking.

  • Chrome262

    lol if someone went to all this effort to steal my phone and hack in to it, then they can have it, because apparently then I would be some bad ass with tons of cash, or some super criminal, because no one would go through all this effort unless you were worth it.

  • D4drift

    have you ever heard of “video editing” you can shoot the first portion of the video without any fingers registered, then reguster your fingers, then shoot the second part of the video. If you believe any videos you see online today then your an………………….. u just fill in the blank.

  • TheOnlyAdvantageToLiveInQuebec

    I would leave them alone and not ask for my phone back since they would kill me if they would try that hard to get my phone lol

Deals