The New iPhone Fingerprint Sensor is Hackable

Monday, September 23, 2013 - 10:46 AM


When Apple unveiled its new iPhone two weeks ago, one of the immediate questions concerned the phone's new fingerprint sensor. The sensor's supposed to automate security. Rather than typing in a password every time you unlock your phone, you just press your finger to the phone's home button. It's supposed to create a world wherein stolen iPhones are useless to thieves. But does it actually work? 

This weekend, a group of hackers called the Chaos Computer Club posted a video showing themselves hacking the iPhone's fingerprint security, just two days after the phone was officially released.

 

In the video, the hackers photograph a fingerprint from a glass surface, and then print a copy of the print on a thin film. Because the iPhone's sensor depends on essentially taking a high-resolution photo of your fingerprint, a fake fingerprint printed at a sufficiently high resolution does the job just as well.

So yes. There is a circumstance in which a highly motivated hacker can recreate your fingerprint and break into your phone. That said, Apple's sensor can be vulnerable to this kind of hack and still be fairly good security. If the main purpose of a locked phone is to keep out a snooping friend, or a thief with merely human levels of tech aptitude, then the system still works. Whether you trust Apple with your fingerprints, of course, is another story entirely.


Comments [4]

Francisco from redwood city, ca

This is a hack but everything is hackable. This is not so much about how hackable something is but whether it's secure or not.

Sep. 29 2013 02:44 PM
Ben from Dallas, TX

This isn't a hack. It's more like someone who overhears what your pass code/password is and then uses it to unlock your phone. The worry that someone gets your fingerprint from your iPhone isn't of issue here, because they got your fingerprint from another surface you touched. If you set up your iPhone normally, then you can use the free and included Find My iPhone service to:

1) track your phone and find the culprit
2) sound a loud alarm (even if the phone is on vibrate/silent)
3) erase the phone's data

Also:

4) it's already not going to activate for someone else since it's locked by your iCloud account and password
5) if they power off the phone, the Touch ID function is disabled until you unlock your phone using a pass code the first time after powering back on, so your fingerprint is useless

In other words, we're still waiting for someone to hack Touch ID. It may be done eventually, but Chaos Computer Club didn't do it yet.

Sep. 24 2013 11:46 PM

This type of 'hack' is not surprising. It's less of a hack and more of a method of impersonation that requires technology and effort.

It would be a concern if somehow the digital record of the fingerprint could be stolen to be used on the phone and in other fingerprint recognition systems or if the encrypted signature that the phone sends to make on-line purchases could be captured and reused in order to hack the person's on-line account.

This type of impersonation is available to organizations that are sophisticated and will have access to enough devices to make it worth their while, such as the border security police ( http://wny.cc/18PuOdr )

To foil government invasion of privacy, I'd like to have a "wipe this phone right now" feature - perhaps a fingerprint from another finger that alerts the phone to wipe itself.

Sep. 23 2013 12:30 PM
Mason from Chicago

> If the main purpose of a locked phone is to keep out a snooping friend, or a thief with merely human levels of tech aptitude,

The thing about hacks is they never get harder. Look at WEP (the early version of wifi security). Initially, you needed expensive hardware and technical know-how. Eventually, it came down to making sure you had a capable wireless card (standard off-the-shelf wifi cards work) and literally running a piece of software and clicking on the network name you wanted to decrypt.

Sep. 23 2013 11:54 AM


TLDR is a short podcast and blog about the internet by PJ Vogt and Alex Goldman. You can subscribe to our podcast here. You can follow our blog here. We’re also on Twitter, and we play Team Fortress 2 more or less constantly, so find us there if you like to communicate via computer games from six years ago.
