A new online video released by the famed German hacking group Chaos Computer Club appears to demonstrate an end-run around the Apple fingerprint-scanning lock. The good news is attackers don’t need your thumb for the hack. The bad news is they just need a photo of it and some easily accessible household supplies.
Some important context, first: Using Apple’s new fingerprint scanner is still much, much more secure than not using any password on your phone, and even, in most cases, much more secure than using a 4-digit PIN.
It’s a great deterrent for casual and opportunistic attacks, and for users who used no password or a weak password, the convenience of TouchID, which the new iPhone 5s sports, is a big security win, as many folks have pointed out:
But just like any other security mechanism, it’s not perfect.
Here’s a video of an individual with CCC demonstrating the hack, with a “cloned” fingerprint standing by: the attacker uses their index finger for the initial recognition scan, then their middle finger wearing the fake fingerprint for the final scan:
In a blog post on their site, the decades-old collective detailed the attack:
“A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID ...
“The method follows the steps outlined in this how-to with materials that can be found in almost every household: First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto a transparent sheet with a thick toner setting. Finally, pink latex milk or white wood glue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.”
The demonstration comes as a campaign to publicly demonstrate the new feature’s weakness picked up steam with an almost $20,000 bounty (plus “alcohol and sundries”).
So what should you do? If you’re not using any password and have an iPhone 5s, shame on you: If you connect it to your email account, you are almost guaranteed to have enough sensitive information on there to let someone who happens onto your phone cause you a lot of harm.
If you’ve got particularly sensitive information (launch codes, NSA secrets, medical data for thousands of people), skip both the fingerprint scanner and the 4-digit PIN for a longer password that you update regularly.
You don’t want to end up looking like this guy:
I’ve reached out to Apple for comment.