touch id hack

Touch ID in the iPhone 6 and iPhone 6 Plus has improved, but it’s still vulnerable to attack according to Lookout Mobile Security researcher Marc Rogers. Rogers says that the same fake fingerprint hack he used to bypass Touch ID on the iPhone 5s works flawlessly on the new handsets.

The improvement comes in the form of better accuracy, thanks to its higher resolution scanner, which Rogers has found makes it harder to clone fingerprints. But, he says, Apple has done nothing to tighten up Touch ID’s security in the iPhone 6, leaving the door open for determined hackers.

All of this being said, the fact that the fake fingerprint attack still works should not concern consumers, as it’s an extremely complex process. “I don’t think people need to worry just yet,” Rogers tells CNET. “But there are distinct flaws that could lead to problems down the line.” From his 2013 report:

First you have to obtain a suitable print. A suitable print needs to be unsmudged and be a complete print of the correct finger that unlocks a phone. If you use your thumb to unlock it, the way Apple designed it, then you are looking for the finger which is least likely to leave a decent print on the iPhone.

Next you have to “lift” the print. This is the realm of CSI. You need to develop the print using one of several techniques involving the fumes from cyanoacrylate (“super glue”) and a suitable fingerprint powder before carefully (and patiently) lifting the print using fingerprint tape.

And even after all of this work, all the thief would have thus far is a slightly smudged print on a white card. They’d still have to create the fake fingerprint, which is the part that requires the most technical skill and materials—in fact it’s the hardest part of the entire process according to Rogers.

“The sky isn’t falling,” the researcher jokes, but the issue is a bit worrisome with Apple Pay launching next month. Announced during this year’s iPhone event, Apple Pay will allow users to pay for things at physical stores using their iPhone 6 and 6 Plus, with the Touch ID feature used for authentication.

[Lookout blog via CNET]

  • Dan

    But does it bend?

    • YerDaddy

      They ALL bend. Yep, the 5, 5s, 6, 6+, and ALL ipads will bend. NO BIG DEAL. Just don’t be an id1Ot and you’ll be fine.

      • Dan

        Was kidding. My 5S never bent lol

      • YerDaddy

        Well. My old 5 which was already foobared was tested the same way by me, and it bent just the same. Even the weak point was in the same location – right behind the volume down button.

      • JayDee917

        I doubt anyone’s iPhone 5 bent after a couple days of regular use of being in a pocket though.

      • YerDaddy

        That’s because it’s small and fits easily in any pocket, unlike the 6+. It’s a non issue that Lou (unbox therapy) is cashing in on via click bait.

      • Mike

        My iPhone 5 bent by the volume button area after a week of usage. When I went to the Apple Store apparently I wasn’t the only one to report it.

  • This is exactly why you need to use a strong password (at least ten characters) utilising alphanumerics and symbols since a cloned fingerprint is useless without the password (assuming your device is turned off).

    • Dean Johnson

      Why? As they explained in the article, it’s quite difficult for an average joe with limited time and resources to copy a clean fingerprint. And why is a cloned fingerprint useless without a password?

      • Why? Because if you have weak passwords it’s a lot easier to bruteforce your device. Why go to the trouble of protecting your device with your fingerprint if you aren’t also going to use a secure password?

      • have_gun_will_travel

        Because the first time your iPhone is powered up, after being turned off, the fingerprint sensor will not function. It must FIRST be unlocked with the pass code.

  • Fanboy 

    Apple fixed that security hole with iOS 8.0.1! It renders your Touch ID useless so nobody can use it! Not even yourself! 😀

    • Ricky

      LMAO

    • Too bad Apple pulled it. I really need this vital bug fix. /Sarcasm

  • Ricky

    I think this is hardly worrisome. I mean, I always wipe my phone with a soft cloth to make sure that there’s nothing making it look dirty, hence the fingerprints disappear.

  • Rowan09

    With all that work the person should already know my password. If you lose your phone wipe it clean for safety.

  • WolfgangHoltz

    iOS 8.0.1 improves the Touch ID to a state beyond Apple produced up to date.

  • mwpitt52

    How come you guys are not reporting on the iPhone 6 plus bending story? I thought you were on top of all the stories Cody? Ignoring this one on purpose?

  • Ryan Bartsch

    But the question is does it BLEND???

  • The whole concept behind fingerprint scanners is and will always be vulnerable, just like the 4 pin code. A fingerprint is a physical password and if that password is copied then that finger is now useless! This technology is just another stepping stone until we get to a cheap iris scanner or DNA reader. Until then it’s your choice, use your memory or your prints.