Apple's TouchID security system, which is intended to keep new devices like the iPhone 5s locked until a user's fingerprints are applied to the screen, can be bypassed using quotidian methods, according to the Chaos Computer Club (CCC), a biometrics hacking collective.
The CCC reported in a release Sunday: "A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided."
It seems an initial image of the user's fingerprint is still required, however, even though the actual user need not be present. But, as a CCC hacker commented, this still renders the technology highly insecure, given how often we leave our fingerprints around:
"In reality, Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake," said the hacker with the nickname Starbug, who performed the critical experiments that led to the successful circumvention of the fingerprint locking. "As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints."
CCC put out a basic how-to guide for circumventing fingerprint technology:
First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.