Apple’s Touch ID fingerprint scanner is a step up from passcodes for protecting iPhones, but it’s far from totally secure, as a researcher showed on Monday.
Lookout Mobile Security’s Marc Rogers fooled Touch ID on Apple’s new iPhone 6 by crafting a false fingerprint from a do-it-yourself forgery kit that cost about US$200 to assemble.
Rogers and the Chaos Computer Club performed similar experiments when Touch ID was introduced in the iPhone 5s last year.
To create his bogus fingerprint, Rogers first lifted a print off a shiny surface.
“You have to have a perfect print. What I found is that you don’t get good prints from the iPhone,” he told TechNewsWorld. “You get smudges. You get partials. You can use a partial, but it has to be at least the size of the Touch ID sensor.”
After finding a good print, Rogers sprinkled it with fingerprint powder and photographed it.
Not for Street Scum
Rogers then brought the image of the fingerprint into Photoshop where he cleaned up the photo.
He then printed the pristine photo on acrylic plastic — the kind used for projector transparencies will do. The plastic copy was used to burn the print onto a photo-sensitive PVC board, where it was etched to make the details of the print stand out.
From the etched fingerprint, Rogers created a mold, which he filled with Elmer’s Glue to create a flexible pad with a print that could be used to fool Touch ID.
While the process for creating the phony fingerprint is relatively simple, it’s also time-consuming.
“I had unlimited attempts to do this because this was my phone,” Rogers explained. “There was a lot of trial and error, and it took me eight hours to run through the process.”
With practice, Rogers believes he might be able to get the process down to two or three hours, “but it does take a certain amount of skill so you’re not going to find street criminals doing this,” he said.
“Spies, law enforcement — they can do this kind of stuff,” Rogers added.
Apple Pay Raises Risks
There are far simpler ways to foil Touch ID than fabricating fingerprints, noted Adam Ely, cofounder of Bluebox.
“You can club the person on the head and put their finger on the reader,” he told TechNewsWorld.
Whatever method is used to deceive Touch ID, Apple has raised the stakes for doing so by tying the technology to both offline and online authentication — offline though Apple Pay and online as a substitute for usernames and passwords.
“We know this is an arms race,” Lookout’s Rogers said. “We know that criminals adapt, evolve and get better at doing things. All they need is incentive, and Apple Pay is incentive.”
Apple also may be providing a disincentive to beat Apple Pay through Touch ID.
“Stealing a victim’s phone and successfully duplicating their fingerprint is required to commit fraudulent transactions with Apple Pay,” Paco Hope, principal consultant with Cigital, told TechNewsWorld.
“If you want to steal something from a victim and commit fraud, it is easier to steal the victim’s wallet, photograph the credit cards and address details, and return the wallet,” he pointed out. “So even though there are feasible attacks on the sensor, that is not the weakest link in an individual’s financial security ecosystem.”
Better Than Status Quo
Apple is tempting hackers by tying Apple Pay to Touch ID, but it’s no substitute for mass credit card fraud, observed Catherine Pearce, a security consultant with Neohapsis.
“It’s not something you can easily do on a mass scale,” she told TechNewsWorld. “You have to do it for each phone, so even if [fingerprint faking] went mainstream, it won’t be on the same scale as card scamming.”
Moreover, imperfect as Apple Pay and Touch ID may be, they are still an improvement over existing systems, argued Bluebox’s Ely.
“Even with this less-than-probable Touch ID threat,” he said, “we’re still upping the security of digital transactions. We’re still lowering the risk for end users.”
I’m pretty sure my friends, the cashiers at Panera Bread, would reject someone pulling out a fake hand and an iPhone 6 to make a purchase. Heck, even the guys and gals at Best Buy would send up a red flag. And I know my favorite bartenders at TGI Fridays would cry FOUL!
So, what’s the point of this article? You guys are smarter than this!
On a scale of 0 – 10 (10 being best) I give this article a "0" on alerting Apple Pay users to genuine Touch ID threats.
The author repeated several times that his process requires a "perfect" print, and acknowledged that you can’t get one off the iPhone itself. As a former police officer I can attest that such "perfect" prints do not exist in the wild.
Even using his own print, obtained in ideal conditions, from ideal surfaces, it took the author 8 hours to crack Touch ID. Way more than enough time to remotely wipe a lost/stolen iPhone clean.