Over the weekend the hacker collective Computer Chaos Club claims to have defeated the new Touch ID fingerprint sensor on the iPhone 5S. It’s not a “hack” because the team has not gained digital access to the phone’s fingerprint data–rather the CCC claims to have fooled the new sensor with a fake fingerprint.
How it’s done:
The sensor trick is actually quite complicated, despite the CCC’s claim that it’s done using “easy everyday means.” First, an image of a fingerprint is photographed from a glass surface at high resolution–2400 dpi. Then it is adjusted and improved using image editing software. Then a clean image of the print is printed using a laser printer, with a special setting for “thick” toner layers. This apparently creates an image on the printout that’s made up of enough plastic toner that the ridges and folds in the fingerprint image are raised. Next, a positive fingerprint image is made from the printout, using a setting material like wood glue. Finally, someone breathes on the fake print, and taps it onto the iPhone 5S’s sensor, which CCC claims recognizes it as a valid print.
The CCC in a blog post claims that “Apple’s sensor has just a higher resolution compared to the sensors so far,” and that it merely needed to up the quality of the fake print it made, using a technique that it has allegedly been used for years to defeat fingerprint sensors.
Why you shouldn’t worry:
Is this bad news for you? No. Firstly, the veracity of the CCC’s claim needs to be checked. Apple’s fingerprint sensor simply doesn’t work like many of its peers–it uses tiny radio signals to sample the living tissue beneath the external layers of the skin, rather than the outer skin layers that actually leave fingerprints on things. That the Apple sensor could confuse the signature of congealed wood glue for the electrical signals of a real finger is surprising, though admittedly not impossible. We can also theorize that Apple may be able to adjust the sensitivity of the sensor via a firmware update, which may make this attack invalid.
Even if the attack proves to be real, this isn’t a casual, fast trick. The attacker would have to be lucky enough to get a perfect print of the correct finger to unlock the iPhone, which means they’d have to find that specific print, or be forced to try several fake prints. Anyone this intent on hacking your iPhone would need prolonged access to it, and would almost certainly have been able to pull off a similar defeat of a simple passcode lock or direct electronic hack to get at your phone’s contents.
Lastly, don’t panic! Fingerprint scanning is going to be much more secure than passcodes for the typical iPhone user. And if you do lose your iPhone, remember Apple has both the ability to find your device and to remotely erase it so thieves cannot access your personal data.