iPhone 6 security scare: fake fingerprint tricks Touch ID

Apple's recently released iPhone 6 is susceptible to the same fingerprint forging attack as the iPhone 5S, according to the latest security research.

Marc Rogers, principal security researcher for mobile security firm Lookout, accessed the device using techniques that cost less than £600 and are well known to police officials and prototypers.

The process involves lifting latent prints from the iPhone before creating a mould using a custom circuit-board kit. Then, using glue, sometimes mixed with glycerol, Rogers was able to create a replica print that allowed him to trick the Touch ID sensor.

However, his experiments did suggest that Apple had improved the sensor, as it rejected fewer legitimate prints and slightly more fake ones than the iPhone 5S version, with Rogers suggesting that it wasn't easy to trick the iPhone 6's security systems.

"The process with both of them is exactly the same," he said. "I would not call it a walk in the park, because it took me roughly eight hours to do. Yet someone who is not doing this for research could probably complete the process in two or three hours."

The security flaw highlights the major weakness of Touch ID, namely that the information required to access the phone, the user's fingerprints, is left all over the device. With that being said, the fact that Apple limits the number of attempts to five means that the feature is relatively secure.

"I was aided by the fact that I had unlimited attempts, and it took quite a few attempts to get any usable print," Rogers said. "It is not something that I would expect a street criminal to use."

However, with the company set to push its own payment service, Apple Pay, stealing an iPhone may become a far more lucrative proposition for thieves, which could cause more users to scrutinise the level of protection offered by Touch ID.

"We are talking about putting a lot of financial transactions through the iPhone, and that money will incentivize criminals to refine the process, and that could open up a scenario where there is risk to the consumers," Rogers added.

Barclay has been writing about technology for a decade, starting out as a freelancer with IT Pro Portal covering everything from London’s start-up scene to comparisons of the best cloud storage services. After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things.