Apple’s Touch ID may be the new thing when it comes to signing on to your iPhone. But the underlying fingerprint scanning technology proved vulnerable to a very old-school attack, according to information posted by the German hacking crew The Chaos Computer Club (CCC).
The group announced late Saturday that it was able to successfully bypass Touch ID with a fake fingerprint, lifted from a glass surface. “This demonstrates – again – that fingerprint biometrics is unsuitable as access control method (sp) and should be avoided,” the group wrote in a blog post announcing the compromise.
Apple’s Touch ID biometric sign-on was the major new feature in the just-released iPhone 5S (the feature is not offered for the lower-cost 5C, which was also just announced). The feature makes use of technology Apple acquired in July 2012 along with the firm AuthenTec, and its addition to the iPhone line was no surprise. But Cupertino has been silent on what distinguishes Touch ID from previous generations of finger-scanning biometric products, which have proven to be easily fooled.
The answer to that question is now known, and it’s “not much,” according to the Chaos Computer Club.
“In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake,” CCC wrote, quoting a hacker with the nickname Starbug, who carried out the attack. “As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints.”
The hack that apparently felled the Touch ID scanner has been well-documented by others, and requires would-be attackers to capture a print from some passive medium, such as a glass, a piece of tape or something else. That print can then be transferred directly to some pliable material like rubber cement or gelatin. In the case of the Touch ID hack, the attackers photographed the lifted print, then printed it onto a transparent sheet (of the kind used on old-school overhead projectors). The toner on the transparency acted as a relief that was used to create a cast of the print out of wood glue or latex.
“After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the (iPhone 5s).”
The process used has been known for years. In one of the most oft-cited demonstrations of this method, researchers at Japan’s Yokohama University copied and then fabricated fingerprints out of a variety of materials, including the digestible gelatin used to make Gummi Bears and other candies.
The publication of the hack by Chaos Computer Club was noted on istouchidhackedyet.com, a crowd-funded project dedicated to breaking Apple’s finger scanner. That project was launched last week and raised thousands of dollars as a bounty paid to the first individual or group who could document a hack.
Security experts have warned against putting too much faith in finger-scanning technology. Bruce Schneier, the noted security and cryptography expert, used his blog to note that fingerprints aren’t exactly a secret (“you leave them everywhere”) and that previous generations of fingerprint readers have proven to be susceptible to hacks. They’re also prone to false negatives, especially given the natural variations in skin plasticity during the day (dry weather, humid weather, exposure to water). That susceptibility varies with the kind of technology used and its sensitivity. But vendors (including Apple) walk a fine line between security and usability. The more sensitive the reader is, the more “false negatives” it is likely to assign to legitimate users. To compensate, Schneier says, Apple may have erred on the side of “false positives” to avoid shutting legitimate users out of their phone – opening the technology to the possibility of approving invalid logins.
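The trade-off between false negatives and false positives described above can be made concrete with a short added example (not part of the original article). The matcher, its 0-100 similarity scale and every score below are constructed for illustration and are not measurements of Touch ID or any real sensor.

```python
# Added illustration: all scores are constructed, not measured from any real device.
# Each value is a hypothetical matcher similarity score on a 0-100 scale.
GENUINE = [91, 88, 84, 79, 73, 66, 61, 58]   # enrolled finger, moist skin down to dry skin
IMPOSTOR = [12, 18, 22, 27, 31, 35, 41, 60]  # other people's fingers
SPOOF = [55, 62, 68, 74]                     # artificial copy of the enrolled print


def rates(threshold):
    """Return (FRR, FAR, spoof acceptance rate) when scores >= threshold unlock."""
    frr = sum(s < threshold for s in GENUINE) / len(GENUINE)     # false negatives
    far = sum(s >= threshold for s in IMPOSTOR) / len(IMPOSTOR)  # false positives
    sar = sum(s >= threshold for s in SPOOF) / len(SPOOF)        # accepted fakes
    return frr, far, sar


def strictest_threshold(max_frr):
    """Highest threshold that still rejects at most max_frr of genuine attempts."""
    return max(t for t in range(0, 101) if rates(t)[0] <= max_frr)


def tradeoff(frr_budgets):
    """For each usability budget, pick the threshold and report what it lets through."""
    rows = []
    for budget in frr_budgets:
        t = strictest_threshold(budget)
        rows.append((budget, t) + rates(t))
    return rows


if __name__ == "__main__":
    print("max FRR  threshold  FRR    FAR    spoof accepted")
    for budget, t, frr, far, sar in tradeoff([0.0, 0.25, 0.5]):
        print(f"{budget:<8} {t:<10} {frr:<6} {far:<6} {sar}")
```

With these constructed scores, a vendor that refuses to lock out any legitimate attempt must set the threshold low enough that one impostor and three of the four fakes also pass; accepting more false negatives is the only way to shut them out.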
Fingerprint scanners have that “cool factor” and are simple for the user but truly they shouldn’t be relied on for serious security. Nor should any SINGLE factor be relied on for all or nothing access, as we have seen for years the vulnerability of static passwords. The next big thing in strong auth will be “infinite factor” which employs multiple risk-based (contextual) factors with multiple physical (bio) and knowledge-based (i.e. PIN or password) factors. Increase the cost to break as the whole becomes greater than the sum of its parts…