As he explained to Ars Technica, the hack was easier than he expected – instead of the week or two he had hoped it would take him, it took 30 hours, and he says that with better preparation it would have taken approximately half an hour.
“You basically can do it at home with inexpensive office equipment like an image scanner, a laser printer, and a kit for etching PCBs. And it will only take you a couple of hours,” he shared. “The techniques are actually several years old and are readily available on the Internet.”
Nevertheless, he considers Touch ID to be a very reliable fingerprint system, but says that Apple should have touted its convenience, and not claimed it was safe.
Lookout security researcher Marc Rogers has tried to replicate Starbug’s hack, and has managed to do it with some changes to make it easier.
“Yes, TouchID has flaws, and yes, it’s possible to exploit those flaws and unlock an iPhone. But, the reality is these flaws are not something that the average consumer should worry about. Why? Because exploiting them was anything but trivial. Hacking TouchID relies upon a combination of skills, existing academic research and the patience of a Crime Scene Technician,” he wrote, and shared his own take on the hack.
“TouchID is not a ‘strong’ security control. It is a ‘convenient’ security control,” he says, pointing out that it will protect your data from a street thief who grabs your phone, or if you lose your phone, but not from a targeted attack.
“A dedicated attacker with time and resources to observe his victim and collect data, is probably not going to see TouchID as much of a challenge. Luckily this isn’t a threat that many of us face,” he added.
But while it got the most attention, Touch ID is not the only security feature Apple showcased when releasing the new iPhones and iOS 7 – check out the reactions from the security community to iOS 7 to learn more about them.