September 23, 2013

Why I Hacked Apple’s TouchID, And Still Think It Is Awesome.

By now, the news is out: TouchID was hacked. In truth, none of us really expected otherwise. Fingerprint biometrics use a security credential that gets left behind everywhere you go, on everything you touch.

The fact that fingerprints can be lifted is not really up for debate; CSI technicians have been doing it for decades. The big question with TouchID was whether Apple could implement a design that would resist attacks using lifted fingerprints, or whether they would join the long line of manufacturers who had tried and failed to build a completely secure solution.

Does this mean TouchID is flawed and should be avoided? The answer isn't as simple as you might think. Yes, TouchID has flaws, and yes, it's possible to exploit those flaws and unlock an iPhone. But the reality is that these flaws are not something the average consumer should worry about. Why? Because exploiting them was anything but trivial.

Hacking TouchID relies upon a combination of skills, existing academic research and the patience of a Crime Scene Technician.

First you have to obtain a suitable print. A suitable print needs to be unsmudged and a complete print of the correct finger, the one that unlocks the phone. If you use your thumb to unlock it, the way Apple designed it, then you are looking for the finger which is least likely to leave a decent print on the iPhone. Try it yourself: hold an iPhone in your hand and run through the positions you would use the phone in. You will notice that the thumb doesn't often come into full contact with the phone, and when it does it's usually in motion, so those prints tend to be smudged. So in order to "hack" your phone a thief would have to work out which finger is correct AND lift a good clean print of that finger.

Next you have to "lift" the print. This is the realm of CSI. You need to develop the print using one of several techniques involving the fumes from cyanoacrylate ("super glue") and a suitable fingerprint powder, before carefully (and patiently) lifting the print with fingerprint tape. It is not easy. Even with a well-defined print it is easy to smudge the result, and you only get one shot at this: lifting the print destroys the original.

So now what? If you got this far, the chances are you have a slightly smudged print stuck to a white card. Can you use this to unlock the phone? That used to work on some of the older readers, but not for many years now, and certainly not with this device. To defeat this control you will need to create an actual fake fingerprint.

Creating the fake fingerprint is arguably the hardest part and by no means "easy." It is a lengthy process that takes several hours and uses over a thousand dollars' worth of equipment, including a high-resolution camera and a laser printer. First of all, you have to photograph the print, remembering to preserve scale, maintain adequate resolution and ensure you don't skew or distort the print. Next, you have to edit the print and clean up as much of the smudging as possible. Once complete, you have two options:

  • The CCC method. Invert the print in software and print it onto transparency film using a laser printer set to maximum toner density. Then smear glue and glycerol on the toner side of the print and leave it to cure. Once dried, you have a thin layer of rubbery dried glue that serves as your fake print.

  • I used a technique demonstrated by Tsutomu Matsumoto in his 2002 paper "Impact of Artificial 'Gummy' Fingers on Fingerprint Systems". In this technique, you take the cleaned print image and, without inverting it, print it to transparency film. Next, you use the transparency as a mask to expose a piece of thick copper-clad photosensitive PCB board of the kind commonly used in amateur electronics projects. After developing the image on the PCB with the appropriate chemicals, you etch the board, which washes away all of the exposed copper and leaves behind a raised copper fingerprint mold. Smear glue over this and, when it dries, you have a fake fingerprint.

Using fake fingerprints is a little tricky; I got the best results by sticking the fake to a slightly damp finger. My supposition is that this improves contact by evening out any difference in electrical conductivity between the fake and a real finger.

So what do we learn from all this?

Practically, an attack is still a little in the realm of a John le Carré novel. It is certainly not something your average street thief would be able to do, and even then they would have to get lucky. Don't forget that you only get five attempts before TouchID rejects all fingerprints and requires the PIN code to unlock the phone (the passcode is also required once the phone has gone 48 hours without being unlocked, so the hours spent making the fake eat into a fixed window). However, let's be clear: TouchID is unlikely to withstand a targeted attack. A dedicated attacker with the time and resources to observe their victim and collect data is probably not going to see TouchID as much of a challenge. Luckily this isn't a threat that many of us face.

TouchID is not a "strong" security control. It is a "convenient" security control. Today just over 50 percent of users have a PIN on their smartphones, and the number one reason people give for not using one is that it's inconvenient. TouchID is strong enough to protect users from casual or opportunistic attackers (with one concern I will cover later on), and it is substantially better than nothing.

Today we have more sensitive data than ever before on our smart devices. To be honest, many of us should treat our smartphone like a credit card, because you can perform many of the same financial transactions with it. Fingerprint security will help protect you against the three biggest threats facing smartphone users today:

  • Fingerprint security will protect your data from a street thief that grabs your phone.

  • Fingerprint security will protect you in the event you drop/forget/misplace your phone.

  • Fingerprint security could protect you against phishing attacks (if Apple allows it).

Fingerprint security has a darker side though: we need to carefully evaluate how its data is going to be managed and the impact it will have on personal privacy. First and foremost is the question of how fingerprint data will be managed. As Senator Al Franken pointed out to Apple in his letter dated September 19, we only have ten fingerprints, and unlike a password they cannot be changed, so a stolen or public fingerprint could lead to lifelong challenges. Just imagine your fingerprints turning up at every crime scene in the country!

The big questions here are:

  1. What data does Apple capture from a finger as it is enrolled?

  2. How is this data stored and how is it accessed?

  3. Can this data be used to recreate a user’s fingerprint mathematically or through visual reconstruction?

In a similar fashion, fingerprints are viewed quite differently from passwords and PINs in the eyes of the law. For example, the police or other law enforcement officials can compel you to surrender your fingerprints, something they currently can't do quite as easily with passwords or PINs, despite some recent judicial challenges to that position.

As a technology, fingerprint biometrics has a flaw that's likely to be repeatedly exposed and fixed in future products. We shouldn't let this distract us or make us think that fingerprint biometrics should be abandoned; instead we should ensure that future products and services are designed with this in mind. If we play to its strengths and anticipate its weaknesses, fingerprint biometrics can add great value to both security and user experience.

What I, and many of my colleagues, are waiting for (with bated breath) is TouchID-enabled two-factor authentication. By combining two low-to-medium security tokens, such as a fingerprint and a 4-digit PIN, you create something much stronger. Each of these tokens has its flaws and each has its strengths. Two-factor authentication allows you to benefit from those strengths while mitigating some of the weaknesses.

Imagine a banking application where on startup you use a fingerprint for convenience; it's nice and quick and only needs to ensure the right person has started it. However, as soon as you want to do something sensitive, like check a balance or transfer some funds, we kick it up a notch by asking for two-factor authentication: the fingerprint and a 4-digit PIN. This combination is strong enough to protect the user against most scenarios, from physical theft through to phishing attacks.
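The unlock policy sketched in the paragraph above, together with the five-attempt lockout mentioned earlier, as an added Python example. This is not code from the original post and not Apple's implementation; it is a hypothetical design. The minutiae sets, the 0.8 match threshold, the 60-second freshness window and the action table are assumptions chosen for illustration, and the 48-hour passcode rule is the one raised in the comments.

```python
import hashlib
import hmac
import os

BIOMETRIC_MAX_FAILURES = 5        # consecutive misses before the sensor is refused until a PIN unlock
BIOMETRIC_MAX_AGE_S = 48 * 3600   # seconds since the last PIN unlock after which the sensor alone is refused
MATCH_THRESHOLD = 0.8             # assumed: fraction of enrolled minutiae a sample must contain to "match"
STEP_UP_FRESHNESS_S = 60          # assumed: a factor counts only if verified this many seconds ago or less

# Assumed action table: app start needs one factor, anything touching money needs both.
ACTION_FACTORS = {
    "open_app": {"biometric"},
    "view_balance": {"biometric", "pin"},
    "transfer": {"biometric", "pin"},
}


def match_score(enrolled: frozenset, sample: frozenset) -> float:
    """Toy matcher: share of the enrolled minutiae present in the presented sample.
    Real matchers are far more elaborate, but every one of them is a thresholded
    decision, which is why a clean enough fake finger gets through."""
    if not enrolled:
        return 0.0
    return len(enrolled & sample) / len(enrolled)


class DeviceAuth:
    """Tracks which factors have been verified and enforces the fallback rules."""

    def __init__(self, pin: str, enrolled: frozenset, now: float):
        self._salt = os.urandom(16)
        self._pin_hash = self._hash_pin(pin)
        self._enrolled = enrolled
        self._bio_failures = 0
        self._last_pin_ok = now   # setting the PIN counts as a passcode unlock
        self._verified = {}       # factor name -> time it was last verified

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    def biometrics_allowed(self, now: float) -> bool:
        """Five misses or 48 hours without a PIN unlock send the user back to the PIN."""
        return (self._bio_failures < BIOMETRIC_MAX_FAILURES
                and now - self._last_pin_ok < BIOMETRIC_MAX_AGE_S)

    def present_finger(self, sample: frozenset, now: float) -> bool:
        if not self.biometrics_allowed(now):
            return False          # refuse outright: the sample is not even scored
        if match_score(self._enrolled, sample) >= MATCH_THRESHOLD:
            self._bio_failures = 0
            self._verified["biometric"] = now
            return True
        self._bio_failures += 1
        return False

    def present_pin(self, pin: str, now: float) -> bool:
        if hmac.compare_digest(self._hash_pin(pin), self._pin_hash):
            self._bio_failures = 0    # a successful passcode unlock re-arms the sensor
            self._last_pin_ok = now
            self._verified["pin"] = now
            return True
        return False

    def authorize(self, action: str, now: float) -> bool:
        """Allow the action only if every factor it needs was verified recently enough."""
        needed = ACTION_FACTORS[action]
        return all(now - self._verified.get(f, float("-inf")) <= STEP_UP_FRESHNESS_S
                   for f in needed)


if __name__ == "__main__":
    # Constructed sample data: 40 enrolled "minutiae", a good fake carrying 34 of
    # them (score 0.85, passes) and a smudged lift carrying 20 (score 0.5, fails).
    enrolled = frozenset(range(40))
    good_fake = frozenset(range(34))
    smudged = frozenset(range(20))

    dev = DeviceAuth("1234", enrolled, now=0.0)
    print("good fake unlocks:", dev.present_finger(good_fake, 1.0))        # True
    print("open app:", dev.authorize("open_app", 2.0))                       # True
    print("transfer on finger alone:", dev.authorize("transfer", 2.0))      # False
    print("pin accepted:", dev.present_pin("1234", 3.0))                     # True
    print("transfer with both:", dev.authorize("transfer", 4.0))            # True
    print("transfer a minute later:", dev.authorize("transfer", 65.0))      # False, stale

    locked = DeviceAuth("1234", enrolled, now=0.0)
    for i in range(BIOMETRIC_MAX_FAILURES):
        locked.present_finger(smudged, 10.0 + i)
    print("sensor after five misses:", locked.biometrics_allowed(20.0))   # False
    print("good fake after lockout:", locked.present_finger(good_fake, 20.0))  # False
    print("sensor after 48h idle:", DeviceAuth("1234", enrolled, 0.0).biometrics_allowed(48 * 3600.0))  # False
```

Two design choices carry the security argument. A locked sensor refuses before scoring, so a thief who burns five attempts guessing the finger gets nothing further from a better fake, and the freshness window means a phone grabbed moments after a finger unlock still cannot move money without the PIN.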

If implemented correctly, TouchID-enabled two-factor authentication in enterprise applications could be a good defense against phishing attacks by attackers like the Syrian Electronic Army. You can trick a user into giving up any kind of passcode, but it is much harder to trick a user into giving up his or her fingerprints from the other side of the world: the fingerprint is only ever checked by the sensor in the user's hand, so there is nothing to type into a fake login page.

Despite being hacked, TouchID is an exciting step forward for smartphone security, and I stand by our earlier blog on fingerprint security. Hacking TouchID gave me respect for its design and some ideas about how we can make it stronger moving forward. I hope that Apple will keep in touch with the security industry as TouchID faces its inevitable growing pains. There is plenty of room for improvement, and an exciting road ahead of us if we do this right.

For starters, Apple: can we have two-factor authentication please?

27 comments
  1. Michael Scrip says:

    Great read!

  2. kdarling says:

    Why $1000 of equipment? Cameras, scanners and printers are not that much.

    PS. It’s “bated breath”. Not baited!

  3. Good work, and great explanation. Perhaps another way of doing two-factor could be to use the front camera and face recognition, or that could be combined for three-factor including a PIN.

  4. While I agree that the methodology you described is indeed complicated, the Chaos Computer Club actually circumvented the fingerprint sensor by just taking a high resolution image of the fingerprint: http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid

    Of course your other points (Thumb rarely touching the phone etc.) still hold true.

  5. (Whoops, you actually mention the CCC method. Well, I guess that’s what I get for commenting before reading the entire thing. Feel free to delete my comments)

  6. Emanuele says:

    Great work man and great explanation!
    Thanks,
    Emanuele

  7. Marc Hill says:

    To those of you commenting about the CCC method: I think you need to go back to the article and reread it with the update. They describe the exact method given above, stating that their earlier method was in fact not viable. In fact the wording of the CCC update is so similar to the above that I am surprised that Marc Rogers isn't the author of the CCC method.

  8. Wesner Moise says:

    You should note that an attacker has a 48 hours window in addition to the five attempts limit before TouchID is disabled and PIN access is required.

  9. Jesse Hollington says:

    “A dedicated attacker with time and resources to observe his victim and collect data” …. could probably be looking over your shoulder at some point while you enter your passcode, thus eliminating the need to worry about bypassing Touch ID anyway.

  10. Jesse Hollington says:

    It’s also worth considering that in some ways Touch ID — or even your passcode — actually is a two-factor authentication system. The device in your hand — the thing you have — is the second factor.

    Remember that there's a world of difference between authentication requirements for a device that is almost always on (or at least relatively near) your person and an online service that can be accessed by anybody with a web browser.

  11. Michael Ellis Day says:

    At risk of being called a prescriptive grammarian about this, I wince every time I see this exploit referred to as TouchID being “hacked.” TouchID has been “spoofed” but not yet hacked. You’ve convinced an identification system that you’re someone other than you actually are — that’s spoofing. If someone accessed the data stored on chip inside the iPhone and used that to extract fingerprint info, that would be hacking. Now, if someone goes to an unattended computer, finds the user ID and password written down on a slip of paper in the drawer, and uses this to log on to someone else’s account, is that hacking? If someone uses a stolen social security number as ID over the phone, is he or she a hacker? The mass media is extremely sloppy about using “hacking” to mean “any unwanted access to a system” and this only fosters unnecessary confusion and hampers real education about security issues. Let’s not be that person.

  12. Steve says:

    Apple could offer a pro option: Require three fingers in a certain sequence. That’s 720 possibilities, not counting toes.

  13. Ivan Johnson says:

    My wife asked, “Couldn’t you just wait until they’re asleep and then use their finger to unlock the phone?”
    Not that *I* would want to hide what’s on my phone from her indoors, but that seems a lot easier than typing in a PIN when you’re unconscious…

  14. After seeing the whole process, the main problem I have with that hack or spoof was verified: in a real-life situation I assume it won't be that easy to find that "perfect" fingerprint they used (especially not on an iPhone's glass).

    So you have to find that one and be sure that it is indeed the right finger. If one of the two is wrong you may use up your 5 attempts quite fast … and then “game over”!

    Not counting mistakes you may make during the process and destroy the print.

  15. Jeff B. says:

    Yeah, I think the solution is to enable a combined Passcode option. And it would be great to see some granularity there. For example, Apple could issue an Auth API wherein developers could require Fingerprint only, Passcode only, both, or Passcode after a certain time elapsed, or for a certain window of time, etc. I suspect this is what they are doing, and more with iCloud Keychain. Because like the API in 2008, the real win is to make this very solid, and then to open it up to a broad array of third party developers that can give us all manner of payment, banking, ticketing, security/ entrance protection, web password management, etc.

    There’s only one company in the world with the right balance of dedication, User Experience thoughtfulness, engineering talent, back end resources, and overall thoughtfulness in privacy to really solve these large scale problems.

    Go Apple! Bring us the ubiquitous, universal, authentication token/API.

  16. Phil says:

    I couldn’t agree more. Touch ID is sufficient for unlocking and some applications, but sensitive information should require 2 forms of ID.

    I think Apple will use 2 factor authentication if they move to mobile payments. This would be a very secure way of making payments. Billions in credit card fraud could be eliminated.

  17. Xavier says:

    So this is all ridiculous. 50% of people don’t lock their phones. For the access required, yes, it would be easier to just wait till the person was asleep. If you had that kind of access, you could already rob their house.

    But i am disappointed that Apple didn’t properly test this. They were ready to use this for payments but after this good luck.

  18. Mike says:

    I think Apple should just give us options to customize when a password is required. I would be happy if I could choose 3 tries and 60min (instead of 5 and 48h).

  19. “Yes, TouchID has flaws, and yes, it’s possible to exploit those flaws and unlock an iPhone. But, the reality is these flaws are not something that the average consumer should worry about.”.
    Lots of people are calling for “perspective” and playing down the importance of these ‘hacks’ but here’s the thing: the demonstrations might not be a worry to the consumer but they should be a massive worry for security and risk management professionals. This fingerprint technology is something that’s being seriously touted for payments!
    The ‘hack’ and the ad hoc responses that TouchID is still “good enough” actually shows how biometrics practice falls short of professional security norms. Apple released TouchID with no security specs, no standards, no test results, no independent evaluation … just an anecdote that a dead finger wouldn’t activate the sensor. Really? Then they go to ground while the device is attacked and the myths debunked. Still no comment from Apple.
    The truth is that there are no methodologies for testing in-field performance of biometric security, nor their ability to withstand concerted attack. And there is no standard for “liveness detection” — it’s just a magic property that vendors feel ok to brag about with no substantiation. Meanwhile, consumers get most of their understanding about biometrics from sci-fi movies.
    Consumer biometrics are all about convenience not security. Which would be fine if the manufacturers were honest about it.

  20. cheng says:

    “But i am disappointed that Apple didn’t properly test this. They were ready to use this for payments but after this good luck.”

    As Marc already said, the answer is a two factor authentication, a banking app can require both your finger and a password before it authorises payment.

    Granted, at first I also thought that Apple could change banking as we know it by using only our fingerprint as a password. However even if that dream has been dashed, at least scams that steal your password such as phishing can still be eradicated.

  21. “But i am disappointed that Apple didn’t properly test this”

    Agree, that’s the point I am wondering about most. This should have been the obvious test for Apple and the biometric company they recently bought.

    On the other hand – if they tested this and knew it could be hacked that way – they could have advertised it differently.

    I think it’s still one of the most developed fingerprint scanners for the consumer area and for a lot of businesses (excluding high-security firms and areas) … but they gave an impression for the first two weeks that they couldn’t keep up with. Unfortunately this may hurt this generally great product unnecessarily.

  22. David says:

    Fingerprint experts in a John le Carré novel? Never! Far more Ian Fleming. Tradecraft is not CSI.

  23. Yuri Vlanovich says:

    Nice to see Apple PR and Lawyers working. “Write it again Sam” (:

  24. Andy Durdin says:

    “Fingerprint security could protect you against phishing attacks (if Apple allows it)”

    That’s a far out claim. How can the user’s fingerprints enable the user to distinguish between a bank’s real site and a fraudulent imitation? Can you elaborate?

  25. Alex Szczepaniak says:

    Take the cloud to the next level (ubiquitous high-speed transfer) and the gadgets are merely stylish shells – swipe your finger across any “shell” and your preferences and apps are all there – in a hotel room, on a bus, in your neighbor’s house, in the Virgin Airline seat. All it requires is the 2nd factor verification. Battery dead? Need to make a call? Borrow your buddy’s iPhone 9, swipe your finger and get temporary access to all your “cloud opted” apps: e-mail, contacts. The long view is exactly this: Apple takes Google Chrome to the next level with a whole line of stylish, high-performing shells and a cloud that binds them all with two-factor finger-swipe access through any Apple device. If you want to lug your 4TB flash drive around with you on your device, it’s there… but why bother if the hotel you are staying at is Apple-enabled….

  26. William Ferris says:

    Actually the 2 banking apps that I currently use to access my accounts already use 2nd factor verification even if that was not the original intention. One pin to unlock the phone (yes, I do use a pin to unlock) and another password to gain access to my banking information.

    So for any thief to access my bank information using my phone they would need both my PIN or Fingerprint and my various passwords.

  27. Derek says:

    They continually state that we leave fingerprints everywhere, and that is what makes TouchID so easy to hack, but…

    Ignoring that most people have their iPhone on their person 99% of the time, I’m genuinely interested in whether or not they can back up their claim of TouchID’s insecurity.

    To prove their point they need to answer several directly related questions…

    • Is Chaos willing to post a video where they lift a print from a different surface, say, a pop can? A doorknob? A car key?

    • Can they post a video outlining how they would go about stealing the iPhone, however briefly, to impose the hack?

    • Can they rate the security of this authentication on a scale with other passcode hacks, on both iOS and Android devices, where you can easily find & follow step-by-step instructions?

    • Can they offer an ease-of-use comparison of this with software-automated hacks of Android’s disk encryption?

    • Can they post the total cost of this technique and at what point, in their educated opinion, the average consumer draws his budget?

    • Most importantly, given that 30-50% of all smartphone users (not just iPhone users) do not secure their devices, can Chaos give any feedback as to how good or bad TouchID *really* is for average users (which make up most of the market)?
