Hackers from the venerable Chaos Computer Club in Germany have found a method for bypassing the new iPhone 5S Touch ID fingerprint security mechanism. The method, which is the first known technique for circumventing the iPhone’s newest security feature, involves taking a picture of a user’s fingerprint and then creating a latex copy of it to unlock the phone.

Since the Touch ID mechanism was unveiled earlier this month, security researchers have been looking for ways to get around it. The CCC appears to have won the race, using a combination of a high-resolution picture and a latex mold of the user’s fingerprint in order to bypass the Touch ID security feature.

“First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market,” the CCC said in a statement.

The group, which has been active in security circles for decades, also posted a video demonstrating the technique. They said they were motivated to defeat the Touch ID in order to show that fingerprint biometrics don’t work.

“We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token,” said Frank Rieger, a spokesperson for the CCC. “The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.” Fingerprint biometrics in passports have been introduced in many countries even though no security gain from this global roll-out can be shown.

Last week, a group of security researchers put together an informal effort to raise money for a bounty to reward whoever was first to hack Touch ID. Starbug, the CCC member who pulled off the Touch ID hack, will get that bounty, which amounts to nearly $10,000 as well as some other prizes, such as Bitcoins, wine and books.