2013-09-30

Co.Labs

Meet One Of The Hackers Who Cracked Apple’s Touch ID

The hackers who broke through the iPhone’s new Touch ID sensor (in less than a week) didn’t just do it to thumb their nose at Apple.



Last week a group of hackers at the Chaos Computer Club in Berlin announced they had already bypassed the Touch ID, the flagship security feature of the iPhone 5s. The hack took quite a bit of the “wow” factor away from the device, which had already been greeted with apprehension by the press and public because of the questions biometrics, like any new consumer technology, raise. Here’s what Frank Rieger, one of the hackers who broke through Apple’s Touch ID, told me when I asked him why they did it and what the implications (whether secure or not) of consumer biometrics were.

Why hack the Touch ID in the first place?

Touch ID is the first instance of ubiquitous biometric identification that may lead to a world where nearly every activity you conduct, online or offline, will be tied to your person. Anonymity will be a thing of the past. In order to prevent this from happening, showing that fingerprint biometrics is fundamentally insecure and should be avoided is a useful step. Also, the tech press was going overboard with its security claims, which had no base in reality. So we just had to break it.

Apple says that Touch ID requires a live, unsevered finger from the original user who set up his prints to work, because the sensors recognized the subdermal layer of the skin, not the superficial one, but your hack seems to prove otherwise.

Apparently their "sub-dermal"-tech is just a fancy way of saying "higher resolution." The sensor could be circumvented by exactly the same process as all other sensors we broke, just refining the process a bit.

Is there any doubt in your mind that you have successfully cracked the Touch ID sensor? There are no possible flaws on your part that lead to false positives?

Another person with the fake fingerprint on his finger unlocking the phone, as shown in the video, leaves no room for false positives.

If it is as easy to hack the Touch ID as you claim, do you think Apple knew about this ease before you did it?

I can only speculate about that. AuthenTec, the company Apple acquired for the fingerprint technology, should have known. The methods for circumventing these sensors have been known for more than 10 years now. Maybe they decided that it would be "secure enough" for their purposes, which is foolish. If they have the vision of ubiquitous biometric authentication, low security might be less important than ease of use. You should ask Apple.

You think fingerprint biometric security is actually less secure than passwords. Why?

Because you can change passwords and it is not trivial to extract your password from you, if you don't want to disclose it. If you get arrested, your phone locked with a good password and activated encryption requires a lengthy forensics process to unlock, with a judge regulating it. With a fingerprint, they just swipe the phone across your handcuffed hands and have access to your data.

Your hack is quite complex. The person would need to acquire a fingerprint copy, scan it, mold a replica, and get the person's iPhone. Do you think this is ever likely to happen on a mass scale?

Since the fingerprint can be acquired easily from the phone itself, there will certainly be criminals offering the process as a service to unlock stolen phones. Also, intelligence agencies will certainly use it. So if it happens on a mass scale it is not really important. It can be done in cases where people have a false sense of security, which we want to prevent.

What are the societal implications of everyone having a fingerprint sensor on their phones?

The new biometrics push is aimed at forcing ubiquitous authentication on mobile device users. People should refuse to use fingerprint biometrics, especially with the next generation of phones where patents show that the fingerprint may be taken every time you use the phone's touchscreen. We need to defend and preserve our freedoms, and not being authenticated at every single thing we do is one of them.

Before I let you go, tell me: If biometrics aren’t the best way to secure your phone, what is?

Enable encryption, set a reasonably long passphrase, don't keep data on the phone that would cause you to have a sleepless night when your phone is stolen or lost.

[Image: Flickr user Randychiu]