"Did you say that some German hackers cracked our iPhone 5S fingerprint reader?"
Just a few days after Apple unveiled its new iPhone with a fingerprint ID scanner, German researchers say they’ve cracked the scanner using a fake rubber print.
The researchers, with the Chaos Computer Club, posted a video on their website showing members of the group’s biometric team defeating Apple’s Touch ID with a fabricated fingerprint created from a photo of a print.
They photographed the print from a glass surface, laser-printed the fingerprint image on a transparency sheet, then smeared it with latex. A similar method was used in 2002 by researchers in Japan to demonstrate the security weaknesses of fingerprint scanners using a gel fingerprint.
Frank Rieger, spokesperson for the CCC, said on the group’s website:
“We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token.”
“The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.”
They explained their process here:
The method follows the steps outlined in this how-to with materials that can be found in almost every household: First, the fingerprint of the enrolled user is photographed with 2,400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1,200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.
Apple added the Touch ID technology to its iPhone 5S in order to allow users to authenticate themselves to their phones to unlock the devices and to make purchases through iTunes by placing their finger on the device’s home button. A laser-cut sapphire crystal and a stainless steel detection ring are the top layers of the home button.
Apple said during its unveiling of the technology last week that the system scans the sub-epidermal layers of the finger to take the reading.
It’s hard to square Apple’s statement with the German researchers’ demonstration, which showed that a mere photo of a latent print from the skin’s top layer was sufficient to trick the technology.
COMMENTARY: Whether you are a German hacker from the Chaos Computer Club or a professional hacker, you will need the fingerprint of the original owner of the iPhone 5S in order to crack it and get into that phone. Furthermore, you don't know if the owner used a thumbprint, whether it was the right thumb or left thumb, or if they used the fingerprint from another finger. Sure, you could lift a fingerprint from the glass display of the phone, but you still don't know which finger to use. In any case, it is still going to be considerable work to get ahold of the correct fingerprint, so you can create a duplicate latex imprint.
An even more interesting question is: Didn't those smart Apple iPhone engineers foresee hackers lifting a fingerprint and creating a latex duplicate fingerprint imprint to crack the fingerprint reader? You would've thought that they would've tried the various methods of cracking a fingerprint and built preventive security measures. Perhaps a fingerprint plus a secret password or PIN code.
Next is the iPhone with retina eye scanning a la CIA.
Courtesy of an article dated September 23, 2013 appearing in Wired