German hacker group the Chaos Computer Club claims to have hacked Apple’s Touch ID fingerprint scanner using “easy everyday means”.
It was only a matter of time before someone claimed to have defeated Apple’s Touch ID fingerprint scanner — and German hacker group the Chaos Computer Club (CCC) is the first to step up, with what it is somewhat amusingly calling “easy everyday means”.
First, the biometrics hacking team photographed the registered user’s fingerprint from glass, using this nine-year-old tutorial, in a high 2400 dpi resolution. That is the easiest part.
The rest of the process is as follows:
The resulting image is then cleaned up, inverted and laser printed with 1200 dpi on to transparent sheet with a thick toner setting. Finally, pink latex milk or white wood glue is smeared into the pattern created by the toner on to the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed on to the sensor to unlock the phone.
This is hardly a real-world, practical way for someone who has found your iPhone on the street to get access to your text messages and cat photos, and it is important to note that Touch ID is not the be all and end all of security. Rather, it’s a layer of super-convenient protection for iPhone users who previously had none.
For reference, the Touch ID scanner uses two methods to identify a user’s fingerprint: a capacitive sensor that is activated by the small electrical current that runs through your skin, used by most smartphone touchscreens (and, one would think, at least partially blocked by a layer of non-conductive latex or glue), and a radio frequency sensor that reads the sub-epidermal layers of skin.
CCC’s point was not about Touch ID itself, but rather that fingerprints are a poor form of security overall. “We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token,” CCC spokesperson Frank Rieger said. “The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.”
The group created a video of the unlocking process, using the technique that does leave us dubious. The latex fingerprint is laid over a different finger on the registered user; we would have been more convinced if the team had been able to demonstrate the process with a user whose fingerprint is not registered on the device.