The Truth About The Newest iPhone Fingerprint Sensor Hack, And Why You Shouldn't Worry

A group of hackers claim to have defeated Apple's new iPhone fingerprint Touch ID sensor. Here's what you need to know: Don't panic.

Over the weekend the hacker collective Computer Chaos Club claims to have defeated the new Touch ID fingerprint sensor on the iPhone 5S. It's not a "hack" because the team has not gained digital access to the phone's fingerprint data--rather the CCC claims to have fooled the new sensor with a fake fingerprint.

How it's done:
The sensor trick is actually quite complicated, despite the CCC's claim that it's done using "easy everyday means." First, an image of a fingerprint is photographed from a glass surface at high resolution--2400 dpi. Then it is adjusted and improved using image editing software. Then a clean image of the print is printed using a laser printer, with a special setting for "thick" toner layers. This apparently creates an image on the printout that's made up of enough plastic toner that the ridges and folds in the fingerprint image are raised. Next, a positive fingerprint image is made from the printout, using a setting material like wood glue. Finally, someone breathes on the fake print, and taps it onto the iPhone 5S's sensor, which CCC claims recognizes it as a valid print.

In a blog post, the CCC claims that "Apple's sensor has just a higher resolution compared to the sensors so far," and that it merely needed to up the quality of the fake print it made, using a technique that has allegedly been used for years to defeat fingerprint sensors.

Why you shouldn't worry:
Is this bad news for you? No. Firstly, the veracity of the CCC's claim needs to be checked. Apple's fingerprint sensor simply doesn't work like many of its peers--it uses tiny radio signals to sample the living tissue beneath the external layers of the skin, rather than the outer skin layers that actually leave fingerprints on things. That the Apple sensor could confuse the signature of congealed wood glue for the electrical signals of a real finger is surprising, though admittedly not impossible. We can also theorize that Apple may be able to adjust the sensitivity of the sensor via a firmware update, which may make this attack invalid.

Even if the attack proves to be real, this isn't a casual, fast trick. The attacker would have to be lucky enough to get a perfect print of the correct finger to unlock the iPhone, which means they'd have to find that specific print, or be forced to try several fake prints. Anyone this intent on hacking your iPhone would need prolonged access to it, and would almost certainly have been able to pull off a similar defeat of a simple passcode lock or direct electronic hack to get at your phone's contents.

Lastly, don't panic! Fingerprint scanning is going to be much more secure than passcodes for the typical iPhone user. And if you do lose your iPhone, remember Apple has both the ability to find your device and to remotely erase it so thieves cannot access your personal data.

9 Comments

  • Saint K

    I'm just super bothered by how unreasonably shaky this guy's hands are. Pretty sure my blood pressure rose just watching his fingers.

  • Sonder Twyful

    OK. So I'm sitting at a cafe and leave my iPhone on the table when I leave. Someone picks it up to steal it. He plays around with it and realizes that it is fingerprint-locked. Now tell me - is he REALLY going to be able to get my fingerprint (or even know WHICH finger I used)? Will he jump through all the hoops to make this fingerprint? I doubt it. He will find another way to crack it.
    Scenario 2: I leave my cell phone at [insert location]. Thief picks it up. He notices that it is PIN-protected. How likely is it that he will try to guess my PIN? It's still difficult, but not as hard as getting a fingerprint! Why all the fear over fingerprints? I really don't understand this unreasonable phobia.

  • DCahill

    I understand what you're saying and you're right. The point you're missing is that if you leave your phone in a public place, a thief isn't going to pick it up and put it back down on your table just because he doesn't know your pass code or can't bypass your fingerprints. All he will do is turn it off and take it home with him to completely restore it so that you can't track its location. Point is, don't leave your phone unattended in a public place!

  • 66replica

    Not possible in iOS7 if you have Find My iPhone on. The phone cannot be restored.

  • Renato Murakami

    Most people responding to this are just replying directly to delusional Apple fanboys... no, Apple didn't create anything magical that's impossible to hack. And you also don't have to theorize that Apple is going to release a firmware update to fix this because it doesn't matter (and I don't think they will), there will always be a way to hack stuff like that.

    The fact remains that a fingerprint reader works perfectly at what it needs to do: be a good extra safety layer, to act as deterrent, without being too intrusive.
    It's good enough most people won't try to hack it, even for the people who do try to hack it you'll have enough time to render the smartphone useless before it, and it's way more convenient than having to type a complex 10-digit password.
    And it's nothing new too. For the non-completely paranoid, fingerprint scanners have been a good extra layer of security in several devices already. My 5+ yrs old laptop had it, and it was more than enough.

  • Vegas_Ninja

    ..most of you are missing the obvious facts...

    IF there is any worry to this manner of accessing, Apple and/or 3rd parties will have an APP that will require IN ADDITION to your 1-of-10 fingerprints (...or 1-of-20 if you use your toes...) you will add a 4-digit number, dot-to-dot 'droid thing (silly, but entertaining algorithm) or longer passcode which non-touch iOS already options the user to have...

    Amazing how nay-sayers can make super-tech into nothing-tech, yet they don't even really know how it works... Oh, and as noted - the information never makes it off your iPhone... It's embedded in a secure portion of the A7 chip...

  • Forrest O.

    Yes, this hack will take more work than shoulder-surfing your unlock code. But the fact remains, this is a password that you can't change, and you leave it everywhere. 

  • Alfonso B.

    You are right, but, pro users like you can still use passwords. At the end Apple is popularizing a certain level of security to the "masses" which I believe is still a MUCH better practice than having your phones with no password lock protection at all.

  • TC

    No the correct way is to increase lock screens past the simple 4 digit code.

    the connect the dot unlock allows patterns in a pool of 9 dots and you can use them all.

    why is there a 4 digit code? it should never be four because people use bank pin codes (yes still at 4 and you need a card) it should be increased or have the option of adding entropy.. more numbers.

    real security? increase the code pool. alpha and numeric and 8 characters.