Apple iPhone 5S’s fingerprint sensor is not secure, a hacker group has said, and users should not trust the sensor to provide security. However, some security experts were quick to counter a number of the group’s assertions, such as the suggestion that “biometrics is fundamentally a technology designed for oppression and control”.
[Updated after initial publication with fresh commentary from Stephen Cobb, ESET security researcher.]
Germany’s Chaos Computer Club released a video showing how a “fake fingerprint” made from latex could be used to fool the sensor, allowing any attacker access to the handset. The group said that it hoped their demonstration video, “put to rest the illusions people have about fingerprint biometrics,” and that users should avoid storing sensitive information on iPhone 5S.
“In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake,” the group said. The “key” to defeating Apple’s new technology uses a hi-res image which matches the resolution of Apple’s scanner, and allows the creation of a “fake” latex print to fool the sensor. Chaos Computer Club‘s method, does, however require access both to an iPhone 5S, and to a “fresh” fingerprint of the intended victim, for example, “lifting” a fingerprint from a home (Chaos suggest a doorknob or a glass surface such as “glasses, doorknobs, or glossy paper” and says that their attack relies on “well-tested forensic methods”).
However, Stephen Cobb, a security researcher with ESET, warns consumers and businesses to put this hack in context: “Bear in mind the effort required to defeat the biometric, and also to crack your iPhone password, then ask yourself how many people want your iPhone data that badly.” Cobb adds:
There is a constant tension between claims of security and efforts to undermine that security. It is clearly true that having to supply a fingerprint as well as a password to access the iPhone 5S, or anything else, makes the data on the device more secure against certain types of attack than only requiring one form of authentication. Whether that added level of security is enough for your to trust “sensitive” information to your iPhone is a question for each user to answer. Would I put priceless IP on a mobile phone? No. But read what it takes to beat the fingerprint reader and ask yourself who would go to that trouble for the stuff you do have on your phone.
Chaos shows off their method in a video, saying, “The goal is to get an exact image of the fingerprint, for further use as mold, out of which the dummy is made. The easiest way is to print the image on a transparency slide (the ones normally used for an overhead projector) with a laser printer. The toner forms a relief, which is later used similar to letter press printing. Wood glue is suitable for producing the dummy,” the hackers write. The “fake fingerprint” is then cut to size, and attached to a fingertip.
This type of hack is nothing new for Chaos which has long maintained that “fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints…Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.”
According to Cobb: “Some security researchers would beg to differ.”
Author Rob Waugh, We Live Security