CCC hackers say they cracked Apple’s Touch ID

SmartNA PortPlus - High Performance Visibility Solutions that scale with your network.

Hackers from the Chaos Computer Club (CCC) claim they have bypassed Apple’s Touch ID, the new security feature that uses a sensor embedded in the new iPhone 5S’ home button to allow users to authenticate themselves to the device via their fingerprint, by using “easy everyday means”.

“Apple had released the new iPhone with a fingerprint sensor that was supposedly much more secure than previous fingerprint technology. A lot of bogus speculation about the marvels of the new technology and how hard to defeat it supposedly is had dominated the international technology press for days,” pointed out one of the members is a blog post published this weekend, then added that their testing discovered that Apple’s sensor has just a higher resolution compared to the sensors so far.

“A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID,” he explained, and the successful “attack” has been demonstrated in this video (notice that the demonstrator uses one finger for enrolling and the other for authenticating):

What’s interesting to note is that the method for faking a fingerprint has been detailed nearly ten years ago by the hacker who led this testing, and it apparently worked just fine when they increased the resolution of the photo of the finger.

“We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can´t change and that you leave everywhere every day as a security token”, commented CCC spokesperson Frank Rieger.

They have also pointed out that users can be forced to unlock their phone against their will when being arrested, but can’t always be forced to give up their passcode.

Sophos’ Paul Ducklin also shared some excellent points about why using the fingerprint authentication method is not such a good idea, but admits that it’s better than nothing for those users who eschew passcode use because it’s inconvenient.

It now just remains to be seen whether their bypass will qualify for the crowd-sourced prize offered for the hacking of the feature.

For in-depth information on this new release, read the free guide to iOS 7.