2013-09-30

Co.Labs

Meet One Of The Hackers Who Cracked Apple’s Touch ID

The hackers who broke through the iPhone’s new Touch ID sensor (in less than a week) didn’t just do it to thumb their nose at Apple.



Last week a group of hackers at the Chaos Computer Club in Berlin announced they had already bypassed the Touch ID, the flagship security feature of the iPhone 5s. The hack took quite a bit of the “wow” factor away from the device, which had already been greeted with apprehension by the press and public because of the questions biometrics, like any new consumer technology, raise. Here’s what Frank Rieger, one of the hackers who broke through Apple’s Touch ID, told me when I asked him why they did it and what the implications, whether secure or not, of consumer biometrics were.

Why hack the Touch ID in the first place?

Touch ID is the first instance of ubiquitous biometric identification that may lead to a world where nearly every activity you conduct, online or offline, will be tied to your person. Anonymity will be a thing of the past. In order to prevent this from happening, showing that fingerprint biometrics is fundamentally insecure and should be avoided is a useful step. Also, the tech press was going overboard with its security claims, which had no base in reality. So we just had to break it.

Apple says that Touch ID requires a live, unsevered finger from the original user who set up his prints to work, because the sensors recognized the subdermal layer of the skin, not the superficial one, but your hack seems to prove otherwise.

Apparently their "sub-dermal"-tech is just a fancy way of saying "higher resolution." The sensor could be circumvented by exactly the same process as all other sensors we broke, just refining the process a bit.

Is there any doubt in your mind that you have successfully cracked the Touch ID sensor? There are no possible flaws on your part that lead to false positives?

Another person with the fake fingerprint on his finger unlocking the phone, as shown in the video, leaves no room for false positives.

If it is as easy to hack the Touch ID as you claim, do you think Apple knew about this ease before you did it?

I can only speculate about that. AuthenTec, the company Apple acquired for the fingerprint technology, should have known. The methods for circumventing these sensors have been known for more than 10 years now. Maybe they decided that it would be "secure enough" for their purposes, which is foolish. If they have the vision of ubiquitous biometric authentication, low security might be less important than ease of use. You should ask Apple.

You think fingerprint biometric security is actually less secure than passwords. Why?

Because you can change passwords and it is not trivial to extract your password from you, if you don't want to disclose it. If you get arrested, your phone locked with a good password and activated encryption requires a lengthy forensics process to unlock, with a judge regulating it. With a fingerprint, they just swipe the phone across your handcuffed hands and have access to your data.

Your hack is quite complex. The person would need to acquire a fingerprint copy, scan it, mold a replica, and get the person's iPhone. Do you think this is ever likely to happen on a mass scale?

Since the fingerprint can be acquired easily from the phone itself, there will certainly be criminals offering the process as a service to unlock stolen phones. Also, intelligence agencies will certainly use it. So if it happens on a mass scale it is not really important. It can be done in cases where people have a false sense of security, which we want to prevent.

What are the societal implications of everyone having a fingerprint sensor on their phones?

The new biometrics push is aimed at forcing ubiquitous authentication on mobile device users. People should refuse to use fingerprint biometrics, especially with the next generation of phones where patents show that the fingerprint may be taken every time you use the phone's touchscreen. We need to defend and preserve our freedoms, and not being authenticated at every single thing we do is one of them.

Before I let you go, tell me: If biometrics aren’t the best way to secure your phone, what is?

Enable encryption, set a reasonably long passphrase, don't keep data on the phone that would cause you to have a sleepless night when your phone is stolen or lost.

[Image: Flickr user Randychiu]






2 Comments

  • ShitIconSays

    I don't see how this is a "hack". It isn't THAT easy to extract someone's fingerprint off of their phone, and who's to say it's the right fingerprint? I regularly touch my home button with other fingers other than the one registered on my Touch ID.

  • stevon

    Are you kidding me?  " it is not trivial to extract your password from you" ??  Really?  I can see the passcode someone enters on their phone from several feet away. That's pretty easy to "extract" if you ask me.  This Touch ID is a perfect combination of simplicity and security.  If the phone is stolen, it can be remotely wiped quite easily long before paying someone like you to break into it.  You have to live in reality, man. All methods of security are susceptible to being compromised. Touching my thumb to my phone is MUCH better than having to enter elaborate passwords every time I want to do something. And, it's far more secure than using face recognition or my voice which I am pretty sure could be much more easily spoofed than a fingerprint.

    The truth is that those little microchips in our credit cards and this NFC stuff is FAR FAR more susceptible to someone ripping off your info without even having to steal your wallet or your device. This Touch ID is a brilliant move by Apple, and is a big reason I decided to order a 5s over a 5c.