Along with the new iOS and iDevices comes new fingerprint-scanner security technology – Touch ID. This technology aims to replace the lock screen password by providing a fingerprint scanner integrated into the Home button. However, no matter how Apple tried to keep their users safe, it seems that it only takes one dedicated hacker group to debunk the “super secure” scanner.
So far, the only device that has the ability to run this innovation is the iPhone 5S, and according to Apple:
Your fingerprint can also approve purchases from iTunes Store, the App Store and the iBooks Store, so you don’t have to enter your password
Hackers work fast with incentive
Two days before the S was released, IsTouchIDHackedYet.com reported that they have finally found the glitch in Apple’s fingerprint scanner. The Germany-based hacker group Chaos Computer Club were the first person or group to successfully bypass Touch ID and provide video evidence, only just 24 hours after the release of the 5S.
In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake. As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints,” said Starbug, a member of the hacker group.
The group accomplished this with a photograph from a glass surface. In their video, a scanner is first set to 2,400 dpi resolution. The image is then further cleaned using imaging software, converted to black and white, and then inverted. After, it is laser printed using thick toner setting and 1,200 dpi resolution onto a transparent sheet. Then it is exposed to photo-sensitive printed circuit board (PCB) material. Once the print is transferred, the PCB material is developed, etched, and cleaned further. A thin coat of graphite is sprayed to guarantee a capacitive response from the sensor. Finally, a thin film of white wood glue is applied to the mold. When it dries, then you have a fake fingerprint that can bypass Apple’s Touch ID.
Significance of a hacked security sensor
Although Apple’s much-touted security feature was successfully attacked in a short amount of time, it does not necessarily render it useless. The process outlined by the European hacker group is impractical for the everyday iPhone thief. In the hands of the inexperienced, the intricate process could fail at any step. Not to mention that some components like photo-sensitive PCB material are not readily available. The odds of an iPhone thief owning all the materials needed and having the expertise to perform the actual hack are very low. Aside from that, obtaining an actual usable print from a victim is a feat in itself. It would be easy for a forensic scientist; the average thief, probably not.
Second layer of Apple security
Unbeknownst to most Apple users, there is also a software security feature hidden in the many changes brought by iOS 7. Dubbed “Activation Lock”, the setting will brick the phone when it is remotely wiped by the owner or reactivated by its new “owner.” It is toggled by going into Settings > iCloud > and activating “Find My Phone”. Once on, the phone can then only be unlocked by the owner’s Apple ID and password. The setting can also be only turned off with the same security credentials. So it’s important to set up an Apple ID and to store the delicate information safely.
Other 5S owners have tested different parts of the body to see if they would be detected by Touch ID. One used his dog’s paw print. Not only did it successfully detect the paw, only that specific paw could unlock the phone. Another tested his nipple and got similar results.
In spite of the hack, the Touch ID still does its job of etching a distinct biological print into the phone’s system. Only in extreme situations can that function be forced to fail. Thankfully, those situations are rare and with enough awareness, an iPhone 5S should be safe to own.