The second Apple officially unveiled its TouchID system for the iPhone 5S — the system by which the iPhone uses a user's fingerprint as security authorisation — it seems as if the tech community at large was already pondering ways to break it, when it might be broken, and what could happen when it is outfoxed.
If the latest report from the oddly named Chaos Computer Club pans out, however, it appears as if these questions might receive answers sooner than expected, as TouchID has allegedly suffered its first vulnerability.
According to an update posted yesterday, the group — Europe's "largest association of hackers," as it describes itself — has allegedly managed to bypass TouchID using a method that conjures up images of one's favorite spy movie. In this case, the hackers simply took a photograph of a user's fingerprint that was left on a glass surface, created a latex recreation of said fingerprint, and held it against said user's iPhone 5S to authenticate their way into the device.
Easy enough, right?
"First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet," reads the Chaos Computer Club's post.
"After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market."
If the process seems a little unbelievable, the group has also posted a video showing off their exploit in action — just the authentication bit, not the entire picture-taking, mold-making, fake-finger-generating part of it all.
As The Verge's T.C. Sottek notes, the exploit does require a bit of work to come to fruition. And it's not as if fingerprint-based authorisation was meant to be flawless; much like looking over a person's shoulder when they type in a PIN number, explains Sottek, smartphone users will always face certain risks regardless of the authentication system used.
Now, were the hackers somehow able to create a fingerprint based on the mathematical representation TouchID creates when "storing" one's digit, that might raise a few more eyebrows.