Hackers claim to bypass Apple's Touch ID sensor with 'fake finger' technique


The Chaos Computer Club hacker group claims it has already bypassed Apple's (NASDAQ:AAPL) new Touch ID capacitive sensor just days after the security feature reached retail via the computing giant's new iPhone 5s.

According to a comprehensive walkthrough detailed by Chaos Computer Club's biometrics hacking team, the Touch ID bypass leverages a fingerprint of the iPhone 5s user photographed from a glass surface. The "fake finger"--photographed with 2400 dpi resolution, then cleaned up, inverted and laser printed with 1200 dpi onto a transparent sheet with a thick toner setting and mixed with pink latex milk or white woodglue--is lightly moistened by human breath, then placed onto the sensor to unlock the phone. The same basic process has been used to crack the vast majority of fingerprint sensors on the market, Chaos Computer Club said.

"In reality, Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake," added hacker Starbug, whose experiments led to the fingerprint locking hack. "As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints." Chaos Computer Club demonstrated the Touch ID hack in a short video posted to YouTube.

Apple unveiled Touch ID earlier this month at a launch event for the iPhone 5s and its low-cost counterpart, the iPhone 5c. Touch ID is embedded in the iPhone 5s home button and unlocks the device by scanning the user's fingerprint, supporting a more efficient login process than conventional passcodes, Apple explained. "This is something you do dozens of times a day, to unlock and get access to your phone. Unfortunately, some people find that's too cumbersome and they don't set it up," Apple Senior Vice President of Worldwide Marketing Phil Schiller said at the iPhone 5s launch event, noting that roughly half of iOS users do not have a passcode in place.

Touch ID is built on technology Apple absorbed when it acquired digital security firm AuthenTec for $356 million in mid-2012. The sensor's emphasis on device security should help Apple push the iPhone further into the enterprise sector while enabling banks and financial services providers to accelerate their mobile rollouts. Touch ID also supports purchases across Apple's iTunes digital storefront, which suggests the technology could play a significant role in any mobile payment services the company wishes to roll out.  

Apple has not responded to requests for comment on the Touch ID hack.

For more:
- read this Chaos Computer Club blog post
- read this AppleInsider article

Related articles:
iPhone 5s Touch ID fingerprint sensor points to Apple's mobile payments future
Apple pledges fix for iOS 7 lockscreen security vulnerability
Apple to release iOS 7 on Sept. 18
Report: Apple to debut next iPhone on Sept. 10
Apple's iOS 7 beta 4 hints at biometric fingerprint scanning
Apple CEO Cook: New iOS 7 is the 'biggest change to iOS since the iPhone'