Security researchers have already put a bounty on the first people to hack Apple’s Touch ID security, but new videos have surfaced which claim to be able to bypass the fingerprint sensor using a high resolution print image and also a fake ‘gelatine finger’.
First we have the Chaos Computer Club, which has posted a video claiming how Touch ID was able to be bypassed using a 1200 dpi image of a user’s fingerprint on a thin latex sheet. Here’s how it was accomplished:
First, the fingerprint of the enroled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.
Their video (with shaky fingers) below:
Next, we have Security Strategist at Fortinet, Richard Henderson, who was able to bypass Touch ID using a homemade gelatine ‘finger’, which was able to register and eventually unlock the device. He also concludes Touch ID possibly isn’t scanning subdermally based on his tests:
I have been able to successfully enroll a “fake” finger and get it to unlock the phone. This implies that the sensor isn’t scanning subdermally, but like many other sensors, is using the microscopic differences in the epidermal thickness to generate the fingerprint calculation. This is a pretty big deal, as it means the sensors used believe a gelatin finger is a real one.
Henderson also reacted to the latest Touch ID hack today by the Chaos Computer Club, saying Apple should include two-factor authentication in iOS with Touch ID, using both a scan and passcode for the ultimate security. He also says “Never underestimate the determination of the hacker community.”
For someone to hack your Touch ID security, they would need a high resolution print of your finger, which most likely would take some work. In other news, keep your eyes on the stock prices of gelatin companies.
