German hackers say old technique can beat Apple's Touch ID
A high-quality scan of a person';s finger and a bit of latex -- an old technique -- can defeat Touch ID, the Chaos Computer Club claims
IDG News Service - Apple's Touch ID authentication system can be defeated using a well-honed technique for creating a latex copy of someone's fingerprint, according to a German hacking group.
The Chaos Computer Club (CCC), which hosts an annual hacking conference and publishes computer security research, wrote on its blog that their experiment shows that fingerprint authentication "should be avoided."
Apple introduced Touch ID with its latest high-end iPhone 5S on Sept. 10. A person's "fingerprint is one of the best passcodes in the world. It's always with you, and no two are exactly alike," according to the company's website.
A hacker who goes by the name Starbug found that while Touch ID scans at a higher resolution, it can be beaten by increasing the resolution of the victim's fingerprint.
The CCC posted a video of what it wrote is a successful attack. Faking the print involves photographing the victim's fingerprint at 2400 DPI. The image is inverted and laser printed at 1200 DPI onto a transparent sheet using a "thick toner setting," according to the CCC.
Pink latex milk or white wood glue is smeared into the pattern created the toner. After it cures, a sliver of latex is lifted from the sheet, and blowing on it gives a bit of moisture like that on a human finger. It then can be placed on the iPhone's fingerprint sensor, the CCC wrote.
The technique is not new. "This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market," the CCC wrote. Apple officials did not have an immediate comment on the CCC's findings.
Security experts have long warned that fingerprint authentication should not be solely relied upon, but rather used in concert with other technologies. Photos of fingerprints and molds have successfully bypassed fingerprint checks.
Touch ID is intended to reduce the number of times a person must enter a passcode, but Apple still requires a passcode in some circumstances, such as restarting the phone and if the devices hasn't been unlocked in two days.
Changes to the fingerprint settings also require a passcode, which can be configured to be longer and more complex than four digits.
- Top 10 Reasons to Strengthen Information Security with Desktop Virtualization Regain control and reduce risk without sacrificing business productivity and growth
- Preventing Sophisticated Attacks: Anti-Evasion & Advanced Evasion Techniques McAfee Next Generation Firewall applies sophisticated analysis techniques specifically to detect advanced evasion techniques (AET).
- The Security Industry's Dirty Little Secret The debate over advanced evasion techniques (AETs) This report summarizes the findings of a McAfee commissioned research group to determine the level of understanding IT security professionals have about AETs...
- Demand More, Get the Most from the Move to a Next-Generation Firewall Beyond the basics in a next generation firewall, to protect your investment you should demand other valuable features: intrusion prevention, contextual rules, advanced...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!