Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:39 PM

Apple Touch ID Fingerprint Reader Hack Heightens Biometrics Debate

Hackers say the attack demonstrates a fatal flaw of fingerprint biometrics: It's too easy to defeat

That didn't take long.

The biometrics hacking team of the Chaos Computer Club (CCC) has defeated Apple's Touch ID feature, a fingerprint reader unveiled last week as part of Apple's announcement of the iPhone 5s. The move by Apple led some security experts to express hope that its adoption could lead to increased interest in biometric technologies among consumers. But CCC researchers say it's proof that fingerprint readers should be viewed skeptically.

"We hope that this finally puts to rest the illusions people have about fingerprint biometrics," says Frank Rieger, spokesman for the CCC. "It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token."

News of the hack came roughly 24 hours after the phone became publicly available Sept. 20. Essentially, CCC researchers demonstrated that an attacker with physical access to the phone could take a picture or scan the fingerprints of the device's owner and use that to create a mold of the fingerprint to launch an attack.

"First, the residual fingerprint from the phone is either photographed or scanned with a flatbed scanner at 2400 dpi," the researchers note. "Then the image is converted to black and white, inverted and mirrored. This image is then printed onto transparent sheet at 1200 dpi."

"To create the mold, the mask is then used to expose the fingerprint structure on photo-sensitive PCB material," CCC hackers explain. "The PCB material is then developed, etched and cleaned. After this process, the mold is ready. A thin coat of graphite spray is applied to ensure an improved capacitive response. This also makes it easier to remove the fake fingerprint. Finally a thin film of white wood glue is smeared into the mold. After the glue cures the new fake fingerprint is ready for use."

The researchers also outlined another version of the attack, but said it was less reliable.

Apple did not respond to a request for comment.

Though the CCC criticized the use of fingerprint scanners for authentication and derided them as a technology designed for "oppression and control," Paul Zimski, Lumenion Security's vice president of solution marketing, says that the hack will probably not deter end users from leveraging the technology on their devices.

"Sure, it's not highly secure, but the average end user will most likely still use and rely on the scanner," Zimski says. "Trumping usability for security is somewhat of a universal constant in the consumerized world. If anything, this is also a good case for employing two-factor authentication."

There's an illusion of fingerprints as "some science-fiction thing" that is always highly accurate, says Michael Pearce, security consultant for Neohapsis. Unfortunately, he adds, that is not the case.

"They are problematic when used on their own to authenticate," he says. "Further, because fingerprint measurements are never exactly the same, the manufacturer needs to balance an error rate for both letting people in falsely and locking them out wrongly. When most of your fingerprint measurements are going to be legitimate users every time they pick up their phone, you're more concerned with the 9,999 times it's the right user than the one time it's the wrong one, and, as a result, you will lean on the permissive side if you want your product usable."

Ultimately, noted cryptographer Bruce Schneier argues, Apple is trying to balance security with convenience.

"This is a cell phone, not an ICBM launcher or even a bank account withdrawal device," he blogs. "Apple is offering an option to replace a four-digit PIN -- something that a lot of iPhone users don't even bother with -- with a fingerprint. Despite its drawbacks, I think it's a good trade-off for a lot of people."

Still, blogs Errata Security's Robert Graham, the notion that the hack is too much trouble is "profoundly wrong."

"Just because it's too much trouble for you doesn't mean it's too much trouble for a private investigator hired by your former husband," he blogs. "Or the neighbor's kid. Or an FBI agent. As a kid, I attended science fiction conventions in costume, and had latex around the house to get those Vulcan ears to look just right. As a kid, I etched circuit boards. This sort of stuff is easy, easy, easy -- you just need to try."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Becca Lipman
Becca Lipman,
User Rank: Apprentice
9/26/2013 | 2:45:08 PM
re: Apple Touch ID Fingerprint Reader Hack Heightens Biometrics Debate
I agree that my phone is becoming something of a bank account withdrawal device, but to access those particular apps I need to type in another password. Of course, if someone is already willing to go through the trouble of duplicating my fingerprints, I doubt a alphanumeric password will stop them. But is a fingerprint an extra deterrent?

I think of this finger print scanner like The Club, the red metal lock drivers can place on their steering wheel to prevent car theft (popular in the 90's). They're actually "easy" to remove, but a would-be theft might be deterred by the extra effort.

An the end of the day, it is convenient, and I prefer to unlock my phone without hassle. For the majority of 5s users, it is just a cell phone...
User Rank: Apprentice
9/25/2013 | 4:19:14 PM
re: Apple Touch ID Fingerprint Reader Hack Heightens Biometrics Debate
"This is a cell phone, not an ICBM launcher or even a bank account withdrawal device,"

Actually with all of the banking apps available and electronic payment features now and coming in the future it might as well be a "bank account withdrawl device."
User Rank: Moderator
9/25/2013 | 12:53:40 PM
re: Apple Touch ID Fingerprint Reader Hack Heightens Biometrics Debate
The four digit pin is not going anywhere any time soon.

I think the bigger problem for consumers will be the fact that their finger will not always be available - from cuts and burns to grease and sweat - many things will render a fingerprint reader unusable when we most need it.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.