What Does the Touch ID Hack Mean for the Average Consumer?


In case you were wondering whether Touch ID can be hacked: yes, it can, and the guys from the Chaos Computer Club did it just a couple of days after the handset was launched. The hack is legit; it was confirmed by multiple sources, even Marc Rogers. Does this mean Touch ID is just marketing fluff? No, it is still an awesome security feature of the iPhone 5s, and Marc Rogers explains why.

Well, thanks to a great incentive coming from IsTouchIDHackedYet.com, the iPhone 5s’ security feature, Touch ID, was hacked within just 48 hours of the handset hitting the stores. But does this mean it is flawed and should be avoided? The truth is, this isn’t just black and white: the flaw is there, so Touch ID may not fully act as the ultimate security feature, but this isn’t something the average consumer should start worrying about, because exploiting the flaw isn’t as simple as you may think.

Rogers points to the list of tools needed to successfully hack Touch ID, and the bill of materials goes beyond the value of a 64GB iPhone 5s. But this isn’t all: you need some skills as well.

Here is how Rogers summarizes the current state of Touch ID:

TouchID is not a “strong” security control. It is a “convenient” security control. Today just over 50 percent of users have a PIN on their smartphones at all, and the number one reason people give for not using the PIN is that it’s inconvenient. TouchID is strong enough to protect users from casual or opportunistic attackers (with one concern I will cover later on) and it is substantially better than nothing.

In other words, Touch ID isn’t THE best security feature, but considering that many iPhone users don’t use a passcode at all to protect the content of their handset (a timely concern, as we have more sensitive data on our smartphones than ever before), it is better than having no passcode at all.

And as John Gruber of Daring Fireball notes regarding the passcode: “it seems far easier for me to spy on someone entering their PIN than it would be to capture a high-resolution fingerprint (from their correct finger) and reproduce it in a way that works to fool Touch ID.”

So what do you choose: passcode or Touch ID?