Skip to main content

The iPhone 5S fingerprint sensor has been hacked – but it’s “awesome” nonetheless

Well, that didn't take long. Apple's iPhone 5S came out last week, with a new Touch ID fingerprint sensor built into the Home button. Shortly thereafter, Nick DePetrillo (@NickDe) tweeted this challenge: "I will pay the first person who successfully lifts a print off the iPhone 5S screen, reproduces it and unlocks the phone in istouchidhackedyet.com website invited others to post their own offers. Now, less than a week later, the collective reward of bucks, bitcoins and booze has been claimed.

As we reported on Monday, in a blog post at the weekend Germany's venerable Chaos Computer Club announced that their biometrics hacking team had successfully unlocked an iPhone 5S using a fake fingerprint. "A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5S secured with Touch ID," the post said. "This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided."

DePetrillo announced very specific criteria for claiming the bounty: "All I ask is a video of the process from print, lift, reproduction and successful unlock with reproduced print." While the CCC video demonstration didn't precisely match those conditions, DePetrillo accepted it as proof.

Tallying the booty

The winner of the loot, who goes by the name Starbug, plans to give it to a CCC spinoff called Raumfahrtagentur. I calculated just what Starbug would get if every participant actually came through with the promised payment. The cash total would be $8,364.01, 100 euros, and the bitcoin equivalent of another $2,779 or so (a total value of approximately £7,000). Other random offerings include seven bottles of wine and liquor, a free patent application for the technique, and a "dirty sex book."

An offer of $10,000 (£6,200) appeared briefly, but was taken down shortly before the hack news broke. A handful of those offering cash actually put the money in escrow; those amounts are guaranteed to be paid. At the very least, Starbug will get $900 (£560) and 0.661 bitcoins. Want to participate in the crowdfunded reward? You can still do so by tweeting your offer (minimum $50, £31, or 0.4 of a bitcoin) to @IsTouchIdHacked.

Confirmed by Lookout

Mark Rogers, a researcher at San Francisco-based Lookout Security, also managed to hack Touch ID and posted full details on Monday. Despite the fact that he managed to hack it, Rogers still thinks Touch ID is "awesome."

Rogers points out that hacking Touch ID is no easy matter. It "relies upon a combination of skills, existing academic research and the patience of a Crime Scene Technician" to produce a fake fingerprint. Even if you have the necessary skills, it's no simple matter.

"It is a lengthy process that takes several hours and uses over $1,000 (£620) worth of equipment including a high resolution camera and laser printer." His technique created the print on a copper-clad board, while CCC used a transparency. To actually unlock a phone, he had to stick the fake fingerprint to a damp finger.

Convenient security

So why is Touch ID still awesome? Rogers points out that at present half of all iPhone users don't even use a simple PIN, because it's not convenient. Touch ID, on the other hand, is the epitome of convenience. Pressing the Home button is something you already do; adding fingerprint authentication to the process doesn't require any extra actions.

What Rogers would really like to see is two-factor authentication – Touch ID plus a passcode, for example. He envisions a system where you'd, say, log into your bank with a fingerprint, but enter a passcode in order to actually make a transaction. I have to agree. Fingerprint authentication is flawed, four-digit PIN authentication is flawed, but put the two together and you’ve got a better security system.

Early descriptions of Touch ID made it sound like the technology would only work with a real live finger or thumb. The fact that a lifted print can fool it makes me wonder if the previous dismissals of the theory of a severed thumb working are erroneous. But I'm not sure I want to hear any details about research aimed in that direction.