Hackers say the attack demonstrates a fatal flaw of fingerprint biometrics: It's too easy to defeat

Brian Prince, Contributing Writer, Dark Reading

September 24, 2013

4 Min Read

That didn't take long.

The biometrics hacking team of the Chaos Computer Club (CCC) has defeated Apple's Touch ID feature, a fingerprint reader unveiled last week as part of Apple's announcement of the iPhone 5s. The move by Apple led some security experts to express hope that its adoption could lead to increased interest in biometric technologies among consumers. But CCC researchers say it's proof that fingerprint readers should be viewed skeptically.

"We hope that this finally puts to rest the illusions people have about fingerprint biometrics," says Frank Rieger, spokesman for the CCC. "It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token."

News of the hack came roughly 24 hours after the phone became publicly available Sept. 20. Essentially, CCC researchers demonstrated that an attacker with physical access to the phone could take a picture or scan the fingerprints of the device's owner and use that to create a mold of the fingerprint to launch an attack.

"First, the residual fingerprint from the phone is either photographed or scanned with a flatbed scanner at 2400 dpi," the researchers note. "Then the image is converted to black and white, inverted and mirrored. This image is then printed onto transparent sheet at 1200 dpi."

"To create the mold, the mask is then used to expose the fingerprint structure on photo-sensitive PCB material," CCC hackers explain. "The PCB material is then developed, etched and cleaned. After this process, the mold is ready. A thin coat of graphite spray is applied to ensure an improved capacitive response. This also makes it easier to remove the fake fingerprint. Finally a thin film of white wood glue is smeared into the mold. After the glue cures the new fake fingerprint is ready for use."

The researchers also outlined another version of the attack, but said it was less reliable.

Apple did not respond to a request for comment.

Though the CCC criticized the use of fingerprint scanners for authentication and derided them as a technology designed for "oppression and control," Paul Zimski, Lumenion Security's vice president of solution marketing, says that the hack will probably not deter end users from leveraging the technology on their devices.

"Sure, it's not highly secure, but the average end user will most likely still use and rely on the scanner," Zimski says. "Trumping usability for security is somewhat of a universal constant in the consumerized world. If anything, this is also a good case for employing two-factor authentication."

There's an illusion of fingerprints as "some science-fiction thing" that is always highly accurate, says Michael Pearce, security consultant for Neohapsis. Unfortunately, he adds, that is not the case.

"They are problematic when used on their own to authenticate," he says. "Further, because fingerprint measurements are never exactly the same, the manufacturer needs to balance an error rate for both letting people in falsely and locking them out wrongly. When most of your fingerprint measurements are going to be legitimate users every time they pick up their phone, you're more concerned with the 9,999 times it's the right user than the one time it's the wrong one, and, as a result, you will lean on the permissive side if you want your product usable."

Ultimately, noted cryptographer Bruce Schneier argues, Apple is trying to balance security with convenience.

"This is a cell phone, not an ICBM launcher or even a bank account withdrawal device," he blogs. "Apple is offering an option to replace a four-digit PIN -- something that a lot of iPhone users don't even bother with -- with a fingerprint. Despite its drawbacks, I think it's a good trade-off for a lot of people."

Still, blogs Errata Security's Robert Graham, the notion that the hack is too much trouble is "profoundly wrong."

"Just because it's too much trouble for you doesn't mean it's too much trouble for a private investigator hired by your former husband," he blogs. "Or the neighbor's kid. Or an FBI agent. As a kid, I attended science fiction conventions in costume, and had latex around the house to get those Vulcan ears to look just right. As a kid, I etched circuit boards. This sort of stuff is easy, easy, easy -- you just need to try."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Brian Prince

Contributing Writer, Dark Reading

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a news reporter for the Asbury Park Press, and reported on everything from environmental issues to politics. He has a B.A. in journalism from American University.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights