Using a desktop scanner, a light-sensitive printed circuit board and white wood glue, a group of researchers from the Chaos Computer Club in Germany broke the security of Apple’s TouchID fingerprint sensor, creating a fake fingerprint to unlock Apple’s latest smartphone, the iPhone 5S.
The hack, announced on Sept. 21, came less than 48 hours after members of the security community started a Twitter-fueled project to collect money for a bounty to pay any researchers who successfully broke the biometric security of Apple’s device. The CCC used a desktop scanner to capture an image of the phone and print that image on to a photo-sensitive PCB to form a mold. Then, using graphite spray and wood glue, a mold of the fingerprint was created.
The relative ease with which the security can be broken means that iPhone users should be wary of relying too much on the security of the device, the CCC said in its statement.
“A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5S secured with TouchID,” Frank Rieger, spokesperson of the CCC, said in the statement. “This demonstrates—again—that fingerprint biometrics is unsuitable as access control method and should be avoided.”
Apple announced the TouchID fingerprint sensor earlier this month as a security enhancement that would help more people lock their phones more securely than with a 4-digit pass code. The sensor, built into the home button of the iPhone 5, does not optically read a person’s fingerprint, but uses a capacitive measurement that “in essence, takes a high-resolution image of your fingerprint from the sub-epidermal layers of your skin,” Apple stated on its site.
However, the security of biometric devices—especially one with glass surfaces that collect its user’s fingerprints—has been widely criticized by experts.
“In reality, Apple’s sensor has just a higher resolution compared to the sensors (we’ve seen) so far,” a hacker using the handle “Starbug” said in the CCC’s statement. “As we have said now for (at least six) years, fingerprints should not be used to secure anything. You leave them everywhere and it is far too easy to make fake fingers out of lifted prints.”
The security of the sensor was heavily debated on Twitter, with some security researchers assuming that Apple had made the sensor more difficult to trick then previous optical sensors. Security professionals Nick Depetrillo and Robert Graham started the site, IsTouchIDHackedYet.com, to collect donations to the prize pool for any researchers who successfully bypassed the security of the device by copying a fingerprint.
In essence, Depetrillo and Graham were telling other researchers who doubted the security to put the efforts into actually hacking the device. Turns out, it was not so difficult after all, Graham said in a blog post.
“We claimed it’d be harder,” he wrote. “We assumed that a higher resolution sensor wouldn’t be so simply defeated with just a higher resolution camera. We bet money. We lost.”
The IsTouchIDHackedYet bounty surpassed $10,000 in cash, bitcoins, alcohol and other goods pledged by security researchers and other community members. While it had reached $20,000, student Arturas Rosenbacher, who also claims to be a micro investor and entrepreneur, added additional restrictions on his pledge when it became obvious that someone had actually succeeded in breaking the TouchID security. While the original contest asked for a researcher to fool the sensor using a print “lifted from a beer mug” or similar circumstances, Rosenbacher’s changes require that the biometric data be taken from the device itself.
“The fingerprint must be obtained using software and hardware, in sense a technological solution, rather than lifting prints and accessing a secure phone using said ‘lifted prints’,” according to the after-the-fact changes. Rosenbacher did not respond to an e-mailed request for comment.