SD Times Blog: Apple Touch ID hacked by Chaos Computer Club

Well that didn’t take long. Apple’s new Touch ID fingerprint sensor for the iPhone 5s—marketed as the secure mobile alternative to passcodes—has been hacked by the Chaos Computer Club using so-called “easy everyday means.”

According to an update from Europe’s largest association of hackers, their biometrics team successfully bypassed the biometric security of Apple’s Touch ID. The hackers even posted a how-to video and set of instructions on how to crack the sensor.

“In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake,” said CCC hacker “Starbug.” “As we have said now for more than years [sic], fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints.”

So what exactly were the “easy everyday means” the CCC used?

Well, first you need to stalk an iPhone 5s user for as long as it takes for them to touch a glass surface leaving a fingerprint, and then take a high-resolution photo of the fingerprint of at least 2400dpi.

No hassle at all; you can knock that out on a lunch break, no sweat.

Then comes the even easier step. Invert and laser-print the photo onto a transparent sheet using a thick toner setting. Then smear pink latex milk or white wood glue into the pattern created by the toner onto the transparent sheet. When it dries, lift the thin latex sheet, wrap it around your own finger and place it onto the sensor to unlock the phone.

Because any old hacker has transparent sheets and pink latex milk lying around, and enough free time to act like an old-fashioned spy out of a 1970s espionage movie.

In all seriousness though, biometric scanners have been around for quite some time before Apple’s latest mobile innovation, and this method of cracking them is nothing new. It’s simply time and labor intensive, and not exactly practical.

iPhone 5s users have no need to worry that teams of nefarious European hackers are watching their every move with laser printers and latex milk at the ready. Still, truly concerned Touch ID users need only be aware of touching glass surfaces willy-nilly.

Another alternative is syncing your Touch ID sensor with something other than a finger, but that’s a decision every user needs to make for themselves.