iPhone 5s Fingerprint Security Bypassed by German Computer Club [VIDEO]
The fingerprint reader of Apple's new iPhone 5s smartphone has already been fooled and unlocked using a latex fingerprint, a group of German computer hackers claims.
Using what the Chaos Computer Club (CCC) calls "everyday means", the group bypassed the scanner - called Touch ID by Apple - just two days after the iPhone 5s went on sale. Although the group was able to fool the system with an artificial print, it was unable to extract the fingerprint data saved in a secure partition of the phone's processor.
A hacker nicknamed Starbug said on the club's website that Apple's Touch ID sensor is the same as other fingerprint readers, apart from scanning at a higher resolution. "So we only needed to ramp up the resolution of our fake," the hacker said.
"As we have said now for more than years [sic], fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints."
To gain access to the locked phone, the club first took a photograph of a fingerprint recognised by the phone - the print could be found on a glass, doorknob or even on the screen of the phone itself.
The image is then cleaned up with photo editing software, inverted and printed onto the transparent sheets used by overhead projectors at a resolution of 1,200 dots per inch (dpi).
Next, white wood glue or pink latex milk is smeared into the pattern created by the printer on the transparent sheet - once it dries, the resulting latex is lifted from the sheet, breathed on to be made slightly moist, then placed onto the phone's sensor to unlock it.
Plain stupid
CCC spokesman Frank Rieger said: "We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token.
"The public should no longer be fooled by the biometrics industry with fake security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday devices."
Commenting on the successful hack, security expert Graham Cluley wrote: "It's worth remembering that fingerprints are not secrets. You literally leave them lying around everywhere you go, and they could be picked up by others.
"Relying on your fingerprints to secure a device is okay for casual security - but you shouldn't depend upon it if you have sensitive data you wish to protect."
Touch ID can be taught to recognise up to five fingerprints and, in Apple's defence, the system suggests entering a passcode after three failed attempts with a finger, and after two further failed attempts the phone will demand the correct passcode be entered.
In addition, a passcode must be entered after restarting the device, and when more than 48 hours have elapsed since the phone was last unlocked, giving a potential hacker two days to create a fake fingerprint before the phone requires a passcode.
Third strike
The fingerprint hack is the third security failing for the new iPhone 5s and Apple's iOS 7 operating system, which is also available on the new iPhone 5c and older models of iPhone and iPad.
Within days of the software being released to the public - and following three months of testing and improvements with the help of app developers - a flaw was found in iOS 7's new Control Center, whereby a locked phone could give a thief quick and easy access to its camera, email and any social network apps capable of sharing photos taken on the phone.
A second flaw was discovered soon after, this time revealing that the emergency dialer on iOS 7, intended for making emergency calls when the phone is locked and protected by a passcode or fingerprint, can be used to call any number.