touch id hack

Touch ID in the iPhone 6 and iPhone 6 Plus has improved, but it’s still vulnerable to attack according to Lookout Mobile Security researcher Marc Rogers. Rogers says that the same fake fingerprint hack he used to bypass Touch ID on the iPhone 5s works flawlessly on the new handsets.

The improvement comes in the form of better accuracy, thanks to its higher resolution scanner, which Rogers has found makes it harder to clone fingerprints. But, he says, Apple has done nothing to tighten up Touch ID’s security in the iPhone 6, leaving the door open for determined hackers.

All of this being said, that the fake fingerprint attack still works should not concern consumers, as it’s an extremely complex process.”I don’t think people need to worry just yet,” Rogers tells CNET. “But there are distinct flaws that could lead to problems down the line.” From his 2013 report:

First you have to obtain a suitable print. A suitable print needs to be unsmudged and be a complete print of the correct finger that unlocks a phone. If you use your thumb to unlock it, the way Apple designed it, then you are looking for the finger which is least likely to leave a decent print on the iPhone.

Next you have to “lift” the print. This is the realm of CSI. You need to develop the print using one of several techniques involving the fumes from cyanoacrylate (“super glue”) and a suitable fingerprint powder before carefully (and patiently) lifting the print using fingerprint tape.

And even after all of this work, all the thief would have thus far is a slightly smudged print on a white card. They’d still have to create the fake fingerprint, which is the part that requires the most technical skill and materials—in fact it’s the hardest part of the entire process according to Rogers.

“The sky isn’t falling,” the researcher jokes, but the issue is a bit worrisome with Apple Pay launching next month. Announced during this year’s iPhone event, Apple Pay will allow users to pay for things at physical stores using their iPhone 6 and 6 Plus, and the Touch ID feature for authentication.

[Lookout blog via CNET]