
Apple TouchID hacked

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 23 Sept 2013
Researchers say fingerprint biometrics is not secure, and should not be used as an access control.

Apple's TouchID biometric has been successfully bypassed by a team from the Chaos Computer Club (CCC) in Germany.

The team photographed a phone user's fingerprint from a glass surface, creating a fake finger that unlocked the device. The hackers say this shows "once again" that fingerprint biometrics is not secure, and should not be used as an access control.

The fingerprint sensor, unveiled a matter of weeks ago, was touted by Apple as being significantly more secure than previous fingerprint technology.

However, the CCC asserts that Apple's sensor simply has a higher resolution than sensors to date, and that the hackers needed only to 'ramp up' the resolution of the fake to successfully bypass the control.

In a statement on the CCC Web site, Starbug - the hacker responsible for circumventing TouchID - said: "As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints."

The hack follows an impromptu competition set up by security researchers Don Bailey and Nick DePetrillo, which started off as a tweet, offering $100 to the first person to successfully breach TouchID. Several other security practitioners jumped on the bandwagon, raising the stakes to more than $14 000 on a Web site dedicated to the competition.

How they did it

CCC hackers say the materials used in the hack can be found in practically every household. A fingerprint of the enrolled user is photographed in 2 400 dpi resolution, which is then cleaned up, inverted and laser printed at 1 200 dpi onto a transparency, with a thick toner setting.

The last stage sees pink latex milk or wood glue added to the pattern created by the toner. Once set, the thin latex sheet is lifted from the sheet, breathed on to dampen it, and then placed onto the sensor. "This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market," says Starbug.

CCC spokesperson Frank Rieger says the organisation hopes this "finally puts to rest the illusions people have about fingerprint biometrics".

He says it is utter stupidity to use as a security control something that cannot be changed and that is left all over the place in the course of everyday life.

"The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access."
