September 23, 2013
Security Concerns Arise Over Apple’s TouchID Fingerprint Scanner
Michael Harper for redOrbit.com - Your Universe Online
Not long after Apple confirmed TouchID, the fingerprint scanner technology in the iPhone 5S, questions began to emerge about how the phone stores this fingerprint, where it is stored, and whether storing such intimate data on a smartphone would be safe in the first place.
On the day the iPhone 5C and 5S were released, Senator Al Franken issued a letter to Apple CEO Tim Cook asking him to address his concerns over TouchID. While Sen. Franken asked Cook if third parties could ever access fingerprint data, hackers set about trying to break TouchID and bypass the system when the primary user wasn’t around.
A hacking group from Germany called the Chaos Computer Club (CCC) devised a way to break into an iPhone 5S by creating a false finger just days after the phone became available to the public. The process is quite complex, but the idea behind it is straightforward, if not elementary. With Apple’s new “groundbreaking” technology allegedly broken, some have become worried that their devices aren’t any safer than previous iPhone versions.
The method used by the CCC can’t be pulled off in a moment, nor can it be executed unless someone has physical access to the phone. In short, the best way to protect oneself from this attack is to keep the phone nearby at all times and remove fingerprints on glass surfaces often.
According to a blog post, the CCC has been warning against fingerprint technology for many years and has used the 5S as a way to prove its point.
“A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided,” reads a CCC blog post.
“In reality, Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake,” said a CCC hacker who operates under the name “Starbug.”
The group first took a picture of the fingerprint at 2400 dpi resolution. They then cleaned up the image, removed any noise and extra material, then inverted the image. This image was then printed at 1200 dpi on a transparent sheet with a thick toner setting. The hackers then made a mold with pink latex from this print and, once removed, were able to unlock the iPhone 5S with the dummy fingerprint.
“We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token,” explained Frank Rieger, a spokesperson for the CCC.
Though this hack has been shown to be technically possible, it is not very probable in practice. As mentioned before, a hacker would first have to lift the iPhone from its owner and hope there were ample and clear fingerprints on the screen, or find fingerprints on another glass surface. The would-be hackers would also have to work quickly enough to build a false fingerprint before the user realized the phone was missing and locked it with Apple’s new Find My iPhone feature, which allows users to remotely lock or erase their devices if stolen.
Senator Al Franken is more concerned with how this data could be used; however, some of his concerns can be addressed by an FAQ page posted by Apple shortly after the 5S was unveiled.
While a hacked fingerprint could be an incredibly dangerous weapon used against a person, Apple claims this biometric signature is stored on one small portion of the 5S’ chip and cannot be accessed by anyone or anything else.