Researchers at the Chaos Computer Club (CCC) claim to have broken Apple’s Touch ID using a fake fingerprint of the phone user.
In a statement, CCC said that the user’s fingerprint is photographed at 2400 dpi resolution, and the resulting image is cleaned up, inverted and laser printed at 1200 dpi onto a transparent sheet with a thick toner setting. Pink latex milk or white wood glue is then smeared into the pattern created by the toner on the transparent sheet; once it is dry, moisture is added and it is placed onto the sensor to unlock the phone.
The club claimed this demonstrates that fingerprint biometrics are unsuitable as an access control method and should be avoided. The hacker named “Starbug”, who performed the critical experiments that led to the successful circumvention of the fingerprint locking, said: “In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake.
“As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints.”
After Apple released iOS 7 last week, a website emerged which collected bounty payments of cash, bitcoins, books and alcohol for the first person to hack Touch ID. The site was started by independent security researchers Robert Graham and Nick DePetrillo, who put their own money up first and described the collective bounty as an “honour system”.
Asking if this revelation would stop users from using Touch ID, Sophos’ Paul Ducklin said that there’s something unappealing to many people about using biometric data such as fingerprints, DNA or retina scans for anything but the most serious matters of identification, but that this was better than no passcode at all.