Apple's Touch ID Busted?

Forbes and others reported that a German computer group, Chaos Computer Club, has found a way to foil the sensor in Touch ID, Apple's biometric finger printer scanner for the the iPhone 5S.

The results and the methods used have yet to be corroborated (by anyone) but debate has already erupted on the internet.

These statements by reader makelvin argue the points I would have made so I'll just post them here.

Let me make one thing perfectly clear. There are no such thing as a 100% hack proof security measure. It does not exist. So the point of most security measure are to make it more and more difficult for unauthorized people to gain access to certain information that they should not have. So at the end, it about the trade-off between the amount of effort that it takes in order to obtain the unauthorized information you want to get.

In this scenario described by CCC, you will need a clear image of the fingerprint. They have to then scan it at 2400 dpi. Invert the image and print it out with a laser printer at 1200 dpi. They then pour milky latex or white glue to let it cure before peel it and try to use it on the sensor. How long did it take for the whole process to take? Did it take longer or shorter than trying to brute force 10,000 combination? And since the iPhone has a GPS with a Find My iPhone app; will the owner of the device have sufficient time to locate their stolen device and/or have its sensitive data whipped out before the hacker can break in?

The fingerprint sensor is not just about providing a better security measure than the PIN code. It is also about convenience while maintaining the necessary security. In the case of PIN code, people can try to brute force their way in with random combination; with fingerprint biometric, you HAVE to have a clear image of the authorized person’s finger. Without it, you have no chance of trying to break it at all.

So at end, regardless of whether CCC can accomplish what they described is real or not; they did not disprove the usefulness of the biometric sensor for iPhone. If someone truly want to disprove its usefulness, they need to hack in without needing the actual image of the person’s fingerprint. And they should be able to do within 15 minutes before the original owner have a chance to lock them out remotely. Until that happens, these type of demonstration is nothing more than just FUD to discourage people from using any additional security measure to protect their private information thereby allowing hackers easier access to other people data.


Author: Khürt Williams

A human who works in information security and enjoys photography, Formula 1 and craft ale.