Summary: So much for Apple's newest security trick. Alas,
it seems that an old way of beating fingerprint scanners works on the
new iPhones too.
It's official. Security researchers Nick DePetrillo and Robert Graham have confirmed Germany-based Chaos Computer Club (CCC) hackers’ claim that they bypassed the fingerprint reader in Apple's iPhone 5s, called "Touch ID".
 |
| Apple iPhone 5s Touch ID fingerprint scanner isn't really all that secure after all. (Credit: Apple) |
There was nothing fancy about this hack. As the CCC explained, "First, the fingerprint of the enrolled user is photographed with 2400 [dots per inch] DPI resolution.
The resulting image is cleaned up, inverted, and laser printed with
1200 DPI onto a transparent sheet with a thick toner setting. Finally,
pink latex milk or white wood glue is smeared into the pattern created
by the toner onto the transparent sheet. After it cures, the thin latex
sheet is lifted from the sheet, breathed on to make it a tiny bit moist,
and then placed onto the sensor to unlock the phone."
That's it. No fancy magical hacker tricks. No cyber-ninja stealth entry
into Apple's headquarters at 1 Infinite Loop in Cupertino, CA. Simply
the same-old kitchen-sink technology that's been used to break
fingerprint scanners for years.
For accomplishing this, Starbug, the first hacker to show off the method
has been awarded more than $11,000 and other swag. including bottles of
alcohol, a portrait, a book of erotica, and a free patent application.
Not bad!
DePetrillo and Graham had been sure that the iPhone 5s’ fingerprint
scanner could be breached. What surprised them was how easy it was. Graham wrote, "We claimed it'd be harder. We
assumed that a higher resolution sensor wouldn't be so simply defeated
with just a higher resolution camera. We bet money. We lost (and Starbug
of the CCC won)."
Graham continued, "Many people claim this hack is 'too much trouble.'
This is profoundly wrong. Just because it's too much trouble for you
doesn't mean it's too much trouble for a private investigator hired by
your former husband. Or the neighbor's kid. Or an FBI agent. … This sort
of stuff is easy, easy, easy -- you just need to try."
That said, this "doesn't mean Touch ID is completely useless." wrote
Graham. "Half the population doesn't lock their phone at all because
it's too much trouble entering a 4 digit PIN every time they want to use
it. If any of them choose to use Touch ID security instead of no
security, then it's a win for security."
Just keep in mind that if your job requires you to be secure on your
phone, the iPhone 5s’ Touch ID isn't the fail-proof security method that
you might have thought it would be.
~ Steven J. Vaughan-Nichols
0 comments:
Post a Comment