The Risks of the IPhone Fingerprint Lock
Photograph by George Frey/Bloomberg
You know, the fingerprint sensor built into the Home button on the new iPhone 5s. It’s for unlocking the handset and buying stuff through iTunes and the App Store.
I thought the fingerprint was stored in some secure chip. How’d it get hacked?
It is, and this isn’t a hard-core technological hack so much as a good old-fashioned fake fingerprint technique. You find the iPhone owner’s print somewhere (the device itself may carry a few on its glossy surfaces), put some powder on it to make it more visible, then photograph or scan it at high resolution. Clean up the reversed image, print it at high resolution using thick ink, then use that to make a thin latex dummy, which you can put on your finger and use to unlock the iPhone.
I thought TouchID was supposed to be smarter than that.
Well it was, and I admit I’m a bit confused by what was revealed on the weekend.
A big selling point of the new generation of fingerprint readers, including that in the iPhone 5s, is that they don’t simply read the outer, dead layer of skin—instead, they use a radio frequency (RF) scanner to read a living layer of skin underneath. According to a Citeworld report, this assures the system that it’s dealing with a living finger, nixing both the old lift-a-print trick (see above) and the chop-off-some-poor-person’s-finger-to-unlock-their-phone trick.
But according to the Chaos Computer Club (CCC) and hacker Starbug, who claimed TouchID’s breakage on Sunday, “the marvels of the new technology” are less impressive than touted. Here’s what Starbug said in a statement:
“In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake.”
If that’s correct—and it should be noted that Apple itself only talks about taking “a high-resolution image from small sections of your fingerprint from the subepidermal layers of your skin” in its online FAQ—then TouchID isn’t actually that good at making sure it’s dealing with a living finger. It appears that it can be fooled by, as Starbug describes, breathing on the latex sheet “to make it a tiny bit moist” before using it on the sensor.
“We’re quite surprised that it just works out of the box, the same attack that we published 10 years ago,” CCC spokesman Dirk Engling told me on Monday.
Noting that there are several ways of detecting living tissue—current flowing between the finger and device; minuscule changes in the fingerprint’s geometry to indicate a pulse—Engling suggested that Apple may have allowed the flaw when trying to balance security and ease of use. “In the end you have to shift the balance to more comfort, and that’s apparently what Apple did,” he said. “Out in the field, people would have problems unlocking their iPhones if they were to be too strict. This is a basic problem of biometrics.”
I’m waiting for Apple to comment on all this, and will add in the response as and when I get it.
Can we trust “Starbug”?
In the first of the two videos Starbug has published on YouTube, someone programs the iPhone with their index finger, then puts the latex sheet on another finger to unlock the device. In the second, a completely different person dons the sheet to fool the phone. It looks legit.
Starbug has been around for a while. Also, even though there’s a crowdfunded bug bounty out there for cracking TouchID, the CCC is Europe’s largest hacker organization and it has a reputation to uphold. I sincerely doubt anyone’s pranking the world on this one.
As an iPhone 5s user, should I be afraid?
Depends on the scenario you’ve got in your head. If it’s pickpocketing you’re worried about, then bear in mind that your iPhone is probably covered in your fingerprints. That said, making a fake print of the quality we’re talking about here is not trivial and it also takes a while, making it likely that the owner would just remotely wipe the device before anything can be accessed. So I guess it depends on the caliber of pickpocket, and their desire to do more than simply steal and sell the hardware.
If it’s muggers or overzealous law enforcement or border agents that you’re thinking about, then this “hack” doesn’t make a blind bit of difference. Merely having a biometric access mechanism makes it possible to grab your hand and use it to unlock the phone—much simpler than having to go through the tedious process of passcode extraction (or making fake prints).
The only real worry here relates to a more targeted attack, perhaps by a private investigator who’s after some juicy corporate secrets. If the victim’s fingerprint has already been lifted from somewhere—which any idiot with a degree of patience could achieve—and a corresponding latex sheet made, then a skilled pickpocket armed with that sheet could get very quick access indeed.
So for most people this won’t be a problem. And indeed, if you’re the type who forgoes passcodes because they slow you down, it’s better to use TouchID than to use no security at all. Also, it’s not like we’re talking about someone hacking into the phone’s secure A7 chip.
But do remember that, compared with passcodes, the inclusion of biometric access can in certain circumstances make it just that little bit easier for someone to get into your phone. And if that phone carries secrets that others really want to steal, you may want to bear this new risk in mind.
Also from GigaOM:
The State of Europe’s Homegrown Cloud Market (subscription required)