A hacker group in Germany claims to have defeated Apple’s new Touch ID biometric security system by using a modified fingerprint lifting and “fake finger” creation technique. According to a detailed walkthrough of the bypass provided by the group’s biometric hacking team, the iPhone 5S’ Touch ID hardware is, in effect, merely a higher resolution version of existing sensors. This means the system can be defeated using common fingerprint lifting techniques, although it should be noted that this needs to be done at a more refined level. The bypass is demonstrated in the short video below:
The system is detailed in a method which requires obtaining the original user’s fingerprint. The following was said regarding the method:
First, the fingerprint of the enroled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.
CCC spokesman Frank Reiger said the following regarding the whole ordeal:
We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can´t change and that you leave everywhere every day as a security token. The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.