A European hacker group has announced a simple, replicable method for spoofing Apple’s TouchID fingerprint authentication system. “A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID,” claims the Chaos Computer Club, which demonstrated the hack in a video.
The technique is based on previous methods for spoofing fingerprint authentication systems, and needed only minor adaptation to be applied to the iPhone’s unusually high-resolution scanner. According to the CCC:
“First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone.”
Apple has marketed TouchID both as a convenience and as a security feature. “Your fingerprint is one of the best passwords in the world,” says an Apple promotional video. “The technology within TouchID is some of the most advanced hardware or software we’ve put in any device.”
This method, while objectively fairly simple, will not be a practical threat for most users; it’s hard to imagine a situation in which photographing someone’s fingerprint in high resolution is easier than finding out their four-digit PIN.
But it’s still a clear way to gain unauthorized access to a device the user assumes is secure — and this is just the first successful method. The iPhone has made fingerprint spoofing into a bigger target than ever; it’s reasonable to assume that more people will be able to hit it.
Whether or not this can be fixed with a software update is unclear. We’ve reached out to Apple for comment and will update if we hear back.