September 23, 2013

Why I Hacked Apple’s TouchID, And Still Think It Is Awesome.

By now, the news is out —TouchID was hacked. In truth, none of us really expected otherwise. Fingerprint biometrics use a security credential that gets left behind everywhere you go on everything you touch.

The fact that fingerprints can be lifted is not really up for debate— CSI technicians have been doing it for decades. The big question with TouchID was whether or not Apple could implement a design that would resist attacks using lifted fingerprints, or whether they would join the long line of manufacturers who had tried but failed to implement a completely secure solution.

Does this mean TouchID is flawed and that it should be avoided? The answer to that isn’t as simple as you might think. Yes, TouchID has flaws, and yes, it’s possible to exploit those flaws and unlock an iPhone. But, the reality is these flaws are not something that the average consumer should worry about. Why? Because exploiting them was anything but trivial.

Hacking TouchID relies upon a combination of skills, existing academic research and the patience of a Crime Scene Technician.

First you have to obtain a suitable print. A suitable print needs to be unsmudged  and be a complete print of the correct finger that unlocks a phone. If you use your thumb to unlock it, the way Apple designed it, then you are looking for the finger which is least likely to leave a decent print on the iPhone. Try it yourself. Hold an iPhone in your hand and try the various positions that you would use the phone in. You will notice that the thumb doesn’t often come into full contact with the phone and when it does it’s usually in motion. This means they tend to be smudged. So in order to “hack” your phone a thief would have to work out which finger is correct AND lift a good clean print of the correct finger.
Screen Shot 2013-09-23 at 5.43.41 PM

Next you have to “lift” the print. This is the realm of CSI. You need to develop the print using one of several techniques involving the fumes from cyanoacrylate (“super glue”) and a suitable fingerprint powder before carefully (and patiently) lifting the print using fingerprint tape. It is not easy. Even with a well-defined print, it is easy to smudge the result, and you only get one shot at this: lifting the print destroys the original.

So now what? If you got this far, the chances are you have a slightly smudged print stuck to a white card. Can you use this to unlock the phone? This used to work on some of the older readers, but not for many years now, and certainly not with this device. To crack this control you will need to create an actual fake fingerprint.

Screen Shot 2013-09-23 at 5.43.29 PM

Creating the fake fingerprint is arguably the hardest part and by no means “easy.” It is a lengthy process that takes several hours and uses over a thousand dollars worth of equipment including a high resolution camera and laser printer. First of all, you have to photograph the print, remembering to preserve scale, maintain adequate resolution and ensure you don’t skew or distort the print. Next, you have to edit the print and clean up as much of the smudging as possible. Once complete, you have two options:

  • The CCC method. Invert the print in software, and print it out onto transparency film using a laser printer set to maximum toner density. Then smear glue and glycerol on the ink side of the print and leave it to cure. Once dried you have a thin layer of rubbery dried glue that serves as your fake print.

  • I used a technique demonstrated by Tsutomu Matsumoto in his 2002 paper “The Impact of Artificial “Gummy” Fingers on Fingerprint Systems”. In this technique, you take the cleaned print image and without inverting it, print it to transparency film. Next, you take the transparency film and use it to expose some thick copper clad photosensitive PCB board that’s commonly used in amateur electrical projects. After developing the image on the PCB using special chemicals, you put the PCB through a process called “etching” which washes away all of the exposed copper leaving behind a fingerprint mold. Smear glue over this and when it dries, you have a fake fingerprint.

Screen Shot 2013-09-23 at 5.36.13 PM

Using fake fingerprints is a little tricky; I got the best results by sticking it to a slightly damp finger. My supposition is that this tactic improves contact by evening out any difference in electrical conductivity between this and the original finger.

So what do we learn from all this?

Practically, an attack is still a little bit in the realm of a John le Carré novel. It is certainly not something your average street thief would be able to do, and even then, they would have to get lucky.  Don’t forget you only get five attempts before TouchID rejects all fingerprints requiring a PIN code to unlock it. However, let’s be clear, TouchID is unlikely to withstand a targeted attack. A dedicated attacker with time and resources to observe his victim and collect data, is probably not going to see TouchID as much of a challenge. Luckily this isn’t a threat that many of us face.

TouchID  is not a “strong” security control. It is a “convenient” security control. Today just over 50 percent of users have a PIN on their smartphones, and the number one reason people give for not using the PIN is that it’s inconvenient. TouchID is strong enough to protect users from casual or opportunistic attackers (with one concern I will cover later on) and it is substantially better than nothing.

Today, we have more sensitive data than ever before on our smart devices. To be honest, many of us should treat our smartphone like a credit card because you can perform many of the same financial transactions with it.  Fingerprint security will help protect you against the three biggest threats facing smartphone users today:

  • Fingerprint security will protect your data from a street thief that grabs your phone.

  • Fingerprint security will protect you in the event you drop/forget/misplace your phone.

  • Fingerprint security could protect you against phishing attacks (if Apple allows it)

Fingerprint security has a darker side though: we need to carefully evaluate how its data is going to be managed and the impact it will have on personal privacy.  First and foremost is the question of how fingerprint data will be managed. As Senator Al Franken pointed out to Apple in his letter dated September 19, we only have ten fingerprints and a stolen or public fingerprint could lead to lifelong challenges. Just imagine your fingerprints turning up at every crime scene in the country!

The big questions here are:

  1. What data does Apple capture from a finger as it is enrolled?

  2. How is this data stored and how is it accessed?

  3. Can this data be used to recreate a user’s fingerprint mathematically or through visual reconstruction?

In a similar fashion, fingerprints are viewed quite differently to passwords and PINs in the eyes of the law. For example, the police or other law enforcement officials can compel you to surrender your fingerprints, something they currently can’t do quite as easily with passwords or PINs despite some recent judicial challenges to that position.

As a technology, fingerprint biometrics has a flaw that’s likely to be repeatedly exposed and fixed in future products. We shouldn’t let this distract us or make us think that  fingerprint biometrics should be abandoned, instead we should ensure that future products and services are designed with this in consideration. If we play to its strengths and anticipate its weaknesses, fingerprint biometrics can add great value to both security and user experience.

What I, and many of my colleagues are waiting for (with bated breath), is TouchID enabled two-factor authentication. By combining two low to medium security tokens, such as a fingerprint and a 4 digit pin, you create something much stronger.  Each of these tokens has its flaws and each has its strengths. Two-factor authentication allows you to benefit from those strengths while mitigating some of the weaknesses.

Imagine a banking application where on startup you use a fingerprint for convenience – it’s nice and quick and only needs to ensure the right person has started it. However as soon as you want to do something sensitive like check a balance or transfer some funds we kick it up a notch by asking for a two factor authentication – the fingerprint and a 4 digit pin. This combination is strong enough to protect the user against most scenarios from physical theft through to phishing attacks.

If implemented correctly, TouchID enabled two-factor authentication in enterprise applications could be a good defense against phishing attacks by attackers like the Syrian Electronic Army. You can trick a user into giving up any kind of passcode but, it is much harder to trick a user into giving up his or her fingerprints from the other side of the world.

Despite being hacked, TouchID is an exciting step forwards for smartphone security and I stand by our earlier blog on fingerprint security. Hacking TouchID gave me respect for its design and some ideas about how we can make it strong moving forward. I hope that Apple will keep in touch with the security industry as TouchID faces its inevitable growing pains. There is plenty of room for improvement, and an exciting road ahead of us if we do this right.

For starters, Apple —can we have two-factor authentication please?

54 comments
  1. Michael Scrip says:

    Great read!

  2. kdarling says:

    Why $1000 of equipment? Cameras scanner printers are not that much.

    PS. It’s “bated breath”. Not baited!

  3. Good work, and great explanation. Perhaps another way of doing two-factor could be to use the front camera and face recognition, or that could be combined for three-factor including a PIN.

  4. While I agree that the methodology you described is indeed complicated, the Chaos Computer Club actually circumvented the fingerprint sensor by just taking a high resolution image of the fingerprint: http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid

    Of course your other points (Thumb rarely touching the phone etc.) still hold true.

  5. (Whoops, you actually mention the CCC method. Well, I guess that’s what I get for commenting before reading the entire thing. Feel free to delete my comments)

  6. enioh says:

    I would agree with you for the average consumer.

    But facing the law, for any reason, It’s harder to make a citizen reveal his password, than forcing him to put his finger on his device.

  7. Volker Birk says:

    That’s just plain wrong. In detail:

    1) Fingerprint security will protect your data from a street thief that grabs your phone.

    Wrong. This is a TOUCH SCREEN, man. And people are HOLDING this phone with their FINGERS. There will be fingerprints on it. And these will be the fingerprints of the girl or guy who owns the phone. To get a clear print, use Photoshop, and 0wn it.

    2) Fingerprint security will protect you in the event you drop/forget/misplace your phone.

    No, it won’t. See 1)

    3) Fingerprint security could protect you against phishing attacks (if Apple allows it)

    Better forget that. It will not.

    Volker Birk
    Chaos Computer Club ERFA Ulm

  8. Alan Goode says:

    Congratulations on a good, rounded, piece of research Marc. Hit the nail on the head with the convenience rather than security. If Apple want to extend the capability to support other services including mobile payments then they definitely cannot rely solely on the fingerprint. That will need the combination of Multi-factor authentication and contextual analysis (risk-based). The phone is the perfect tool to support this.

  9. Robin says:

    I think you’re spreading a too thick layer of glory here, labelling yourself as “the guy who ‘hacked’ TouchID”. The entire planet knows this risk exists with fingerprint scanning. It’s an obvious problem of this tech. You haven’t hacked the actual TouchID hardware, you’ve just lifted and duplicated a fingerprint. Stop putting yourself on a pedestal over this. Enough sensationalism. The world of hacking doesn’t need another Kimble.

  10. exo says:

    Fair enough. I don’t think anyone would really disagree that it’s cool technology and a useful feature. People like to hear stories of white hat hackers defeating consumer security devices, for kicks etc. All good. It’s entertaining stuff!

    I wish my phone had “paint to unlock” with detailed brush strokes recorded to the pattern. Might be a simple stroke, angled slightly with tick at end. I practice it a few times, because the app allows you to practice repeatedly before committing a pattern. I should find a programmer to make this!

  11. Rupert says:

    Why do I need a password on my phone?
    1. If it gets stolen or lost I can be assured my data is safe
    2. From law enforcement (if I get pulled over for speeding or arrested for “disorderly conduct” there is no reason they need access to my work emails, photos, etc)
    3. From snooping/mischevious kids, wives, friends, girlfriends etc.

    The fingerprint scanner only protects from #1, and is worse for 2 & 3 (the police just put my finger on the phone, and my girlfriend just waits until I’m asleep to put my phone on my hand… My overall security has gone down considerably for a modest gain in convenience

  12. Kevin says:

    TouchID was implemented as a convenience feature, not a security feature. This is why it’s used instead of the passcode, not in addition to it.

    That said, for those that need the extra security, there’s no harm in having it as an option.

  13. Ben P says:

    If the replication method requires a certain amount of time, say 3 hours, why not just insist on 2 factor authentication if the fingerprint reader hasn’t been activated after that period?

    I guess the mass market application for TouchID is probably a stolen phone that can then be kept reasonably secure before it it remotely bricked rather than protection against targeted espionage.

  14. Allevate says:

    Is it fallible?
    Yes
    Is it an improvement over PIN?
    Yes

    Can be exploited, but arguably exploiting a PIN is much easier.

  15. Emanuele says:

    Great work man and great explanation!
    Thanks,
    Emanuele

  16. David says:

    Damn guys… you have so much time to waste in life. I’d like to have that much too… That could be sooooo useful.

  17. Marc Hill says:

    To those of you commenting about the CCC method. I think you need to go back to the article and reread it with the update. They describe the exact method given above. Stating that their earlier method was in fact not viable. In fact the wording of the CCC update is so similar to the above that I am surprised that Marc Rogers isn’t the author of the CCC method.

  18. Wesner Moise says:

    You should note that an attacker has a 48 hours window in addition to the five attempts limit before TouchID is disabled and PIN access is required.

  19. Jesse Hollington says:

    “A dedicated attacker with time and resources to observe his victim and collect data” …. could probably be looking over your shoulder at some point while you enter your passcode, thus eliminating the need to worry about bypassing Touch ID anyway.

  20. Jesse Hollington says:

    It’s also worth considering that in some ways Touch ID — or even your passcode — actually is a two-factor authentication system. The device in your hand — the thing you have — is the second factor.

    Remember that there’s a world of difference between authentication requirements for a device that is almost always on (or at least relatively near) your person and an online service that can accessed by anybody with a web browser.

  21. Michael Ellis Day says:

    At risk of being called a prescriptive grammarian about this, I wince every time I see this exploit referred to as TouchID being “hacked.” TouchID has been “spoofed” but not yet hacked. You’ve convinced an identification system that you’re someone other than you actually are — that’s spoofing. If someone accessed the data stored on chip inside the iPhone and used that to extract fingerprint info, that would be hacking. Now, if someone goes to an unattended computer, finds the user ID and password written down on a slip of paper in the drawer, and uses this to log on to someone else’s account, is that hacking? If someone uses a stolen social security number as ID over the phone, is he or she a hacker? The mass media is extremely sloppy about using “hacking” to mean “any unwanted access to a system” and this only fosters unnecessary confusion and hampers real education about security issues. Let’s not be that person.

  22. Steve says:

    Apple could offer a pro option: Require three fingers in a certain sequence. That’s 720 possibilities, not counting toes.

  23. Ivan Johnson says:

    My wife asked, “Couldn’t you just wait until they’re asleep and then use their finger to unlock the phone?”
    Not that *I* would want to hide what’s on my phone from her indoors, but that seems a lot easier than typing in a PIN when you’re unconscious…

  24. After seeing the whole process my main problem I have with that hack or spoof was verified: In a real life situation I assume it won’t be that easy to find that “perfect” fingerprint they used (especially not on an iPhone glass).

    So you have to find that one and be sure that it is indeed the right finger. If one of the two is wrong you may use up your 5 attempts quite fast … and then “game over”!

    Not counting mistakes you may make during the process and destroy the print.

  25. Jeff B. says:

    Yeah, I think the solution is to enable a combined Passcode option. And it would be great to see some granularity there. For example, Apple could issue an Auth API wherein developers could require Fingerprint only, Passcode only, both, or Passcode after a certain time elapsed, or for a certain window of time, etc. I suspect this is what they are doing, and more with iCloud Keychain. Because like the API in 2008, the real win is to make this very solid, and then to open it up to a broad array of third party developers that can give us all manner of payment, banking, ticketing, security/ entrance protection, web password management, etc.

    There’s only one company in the world with the right balance or dedication, User Experience throughfulness, engineering talent, back end resources, and overall thoughtfulness in privacy to really solve these large scale problems.

    Go Apple! Bring us the ubiquitous, universal, authentication token/API.

  26. Phil says:

    I couldn’t agree more. Touch ID is sufficient for unlocking and some applications, but sensitive information should require 2 forms of ID.

    I think Apple will use 2 factor authentication if they move to mobile payments. This would be a very secure way of making payments. Billions in credit card fraud could be eliminated.

  27. Xavier says:

    So but this is all rediculous. 50% of ppl don’t lock their phones. for the access required, yes, it would be easier to just wait till the person was asleep. if you had that kind of access, you could already rob their house.

    But i am disappointed that Apple didn’t properly test this. They were ready to use this for payments but after this good luck.

  28. Mike says:

    I think Apple should just give us options to customize when a password is required. I would be happy if I could choose 3 tries and 60min (instead of 5 and 48h).

  29. YOGI CAT says:

    THIS IS STUPID.

  30. “Yes, TouchID has flaws, and yes, it’s possible to exploit those flaws and unlock an iPhone. But, the reality is these flaws are not something that the average consumer should worry about.”.
    Lots of people are calling for “perspective” and playing down the importance of these ‘hacks’ but here’s the thing: the demonstrations might not be a worry to the consumer but they should be a massive worry for security and risk management professionals. This fingerprint technology is something that’s being seriously touted for payments!
    The ‘hack’ and the ad hoc responses that TouchID is still “good enough” actually shows how biometrics practice falls short of professional security norms. Apple released TouchID with no security specs, no standards, no test results, no independent evaluation … just an anecdote that a dead finger wouldn’t activate the sensor. Really? Then they go to ground while the device is attacked and the myths debunked. Still no comment from Apple.
    The truth is that there are no methodologies for testing in-field performance of biometric security, nor their ability to withstand concerted attack. And there is no standard for “liveness detection” — it’s just a magic property that vendors feel ok to brag about with no substantiation. Meanwhile, consumers get most of their understanding about biometrics from sci-fi movies.
    Consumer biometrics are all about convenience not security. Which would be fine if the manufacturers were honest about it.

  31. cheng says:

    “But i am disappointed that Apple didn’t properly test this. They were ready to use this for payments but after this good luck.”

    As Marc already said, the answer is a two factor authentication, a banking app can require both your finger and a password before it authorises payment.

    Granted, at first I also thought that Apple could change banking as we know it by using only our fingerprint as a password. However even if that dream has been dashed, at least scams that steal your password such as phishing can still be eradicated.

  32. “But i am disappointed that Apple didn’t properly test this”

    Agree, that’s the point I am wondering most. This should have been the obvious test for Apple and the Biometric-Company they recently bought.

    On the other hand – if they tested this and knew it could be hacked that way – they could have advertised it differently.

    I think it’s still one of the most developed fingerprint scanner for the consumer area and for a lot of businesses (exclude high security firms and areas) … but they gave an impression for the first two weeks they couldn’t keep up with. Unfortunately this may hurt this in general great product unnecessarily,

  33. David says:

    Fingerprint experts in a John le Carré novel? Never! Far more Ian Fleming. Tradecraft is not CSI.

  34. Yuri Vlanovich says:

    Nice to see Apple PR and Lawyers working. “Write it again Sam” (:

  35. Andy Durdin says:

    “Fingerprint security could protect you against phishing attacks (if Apple allows it)”

    That’s a far out claim. How can the user’s fingerprints enable the user to distinguish between a bank’s real site and a fraudulent imitation? Can you elaborate?

  36. Alex Szczepaniak says:

    Take the cloud to the next level (ubiquitous high-speed transfer) and the gadgets are merely stylish shells – swipe your finger across any “shell” and your preferences and apps all there – in a hotel room, on a bus, in your neighbors house, in the Virgin Airline seat. All it requires is the 2nd factor verification. Battery dead? Need to make a call, borrow your buddy’s Iphone 9 and swipe your finger and get temporary access to all your “cloud opted” apps: e-mail, contacts. The long view is exactly this: Apple takes Google Chrome to the next level with a whole line of stylish, high-performing shells and cloud that binds them all with two factor finger-swipe access thru any apple device. If you want to lug your 4TB flash drive around with on your device, its there… but why bother if the hotel your are staying at is Apple-enabled….

  37. William Ferris says:

    Actually the 2 banking apps that I currently use to access my accounts already use 2nd factor verification even if that was not the original intention. One pin to unlock the phone (yes, I do use a pin to unlock) and another password to gain access to my banking information.

    So for any thief to access my bank information using my phone they would need both my PIN or Fingerprint and my various passwords.

  38. Derek says:

    They continually state that we leave fingerprints everywhere, and that is what makes TouchID so easy to hack, but…

    Ignoring that most people have their iPhone on their person 99% of the time, I’m genuinely interested in whether or not they can back up their claim of TouchID’s insecurity.

    To prove their point they need to answer several directly related questions…

    • Is Chaos willing to post a video where they lift a print from a different surface, say, a pop can? A doorknob? A car key?

    • Can they post a video outlining how they would go about stealing the iPhone, however briefly, to impose the hack?

    • Can they rate the security of this authentication on a scale with other passcode hacks, on both iOS and Android devices, where you can easily find & follow step-by-step instructions?

    • Can they offer a, ease-of-use comparison of this with software-automated hacks of Android’s disc encryption?

    • Can they post the total cost of this technique and at what point, in their educated opinion, the average consumer draws his budget?

    • Most importantly, given that 30-50% of all smartphone users (not just iPhone users) do not secure their devices, can Chaos give any feedback as to how good or bad TouchID *really* is for average users (which make up most of the market)?

  39. marc says:

    > Hacking TouchID relies upon a combination of skills, existing academic research and the patience of a Crime Scene Technician.

    In other words…its less complicated than lock picking.

    > First you have to obtain a suitable print.

    As demonstrated in the video, if your fingerprint is not enrolled, you can try logging in after you fail, you’re taken to a screen where you can type in a PIN.

    My take away on the iphone 5s? Sooner or later there would have been an external finger print reader that you connect to the phone and it does the authentication. Only difference is that this gimmick would be “as seen on TV” with an infomercial.

    Now that this is included with the phone, many people like it.

  40. NUKLEAR says:

    These are just software flows as far as i see..!
    Hardware alone with such a great technology could bring a thousand new updates, features & tight privacy in future..!
    Wait for it!
    As always, Apple innovates, refines & others follows!

  41. sepatu original says:

    It’s going to be finish of mine day, except before
    end I am reading this enormous post to increase my experience.

  42. mxtplx says:

    We might also divide potential crimes into two categories: crimes of opportunity, and identity theft. The latter is rare and difficult to pull off, but provides a potential long-term benefit, but one that can be obviated with dual authentication. The former is far more common, and four-digit passwords observed, or a credit card and ID stolen, is still the more likely route. Four-digit passcodes are weak, but almost all banks use them for debit card transactions. However weak Apple’s TouchID is, it’s far more complex than four-digit codes, and it is very difficult to copy the fingerprint, or to grab (and use) its coded signature. Unless you are a very famous and/or rich person, it’s highly unlikely that someone will spoof your fingerprint.

  43. Carla says:

    Hi just wanted to give you a brief heads up and let you know a few of the pictures aren’t loading correctly.
    I’m not sure why but I think its a linking issue. I’ve
    tried it in two different web browsers and both show the
    same outcome.

  44. Lorenz Mueller says:

    The fact that Apple allows 5 transaction attempts before a PIN is requested is easy to explain by the intrinsic faults that every biometric system has. When you chose a threshold for the matching of a probe with a stored reference then there always will be two types of remaining errors (remember FP recognition is a measuring process):
    – the FMR (False Match Rate) indicating the rate of false fingers which deliver a probe that would be so similar to the probe that it is accepted in the comparison process and
    – the FNMR (False Non Match Rate) indicating the rate of right fingers which deliver a probe that is too different to be accepted in the comparison process
    When you now allow several attempts (and one can assume that the remeasuring of a fingerprint probe is quite independant from a previous attempt) then the two errors rates behave quite differently:
    – the FAR (False Acceptance Rate) describing the probability that the recognition protocol allowing N recognition attempts accepts a foreign finger results approx to FAR = N * FMR but on the other side
    – the FRR (False Rejection Rate) describing the chance that the recognition protocol allowing N recognition attempts refuses N times in a row a correct finger results in FRR = FNMR^N
    For small values of FMR and FNMR (as they should be anyway) only this difference in behavior (linear growth of the FAR against exponential reduction of the FRR) makes a biometric system like FP recognition at a very large distribution usable. Imaging that in a few percent of your daily usage of the fingerprint you have to unlock your phone with the additional PIN. This would happen to zig thousend persons every day, it would spread around that the TouchID does not work properly and very soon people would discard this gadget from their phone. So it makes sense for Apple and for the user that the number of attempts before the PIN has to be entered is sufficently high that in normal usage it almost never will happen that you are rejected by the device when you unlock it with your own finger. The small chance that a foreign user is just lucky with one of his five attempts is just marginally higher.

  45. sam Mullins says:

    Major communication businesses, internet security providers, social websites, even manufacturers whom had vulnerabilities increase customer protections: those in charge not being trouble; but instead trouble comes from them wanting to be in charge including charge of themselves. Fixed when gaining everyone’s help becoming in charge of my life like appropriate constituent, as apparently their best self-interest. Afterwards only child-proofings such as your finger-print safe-guards should be sufficient.

  46. Michael Fleet says:

    Marc,

    Apple has published a KB article addressing TouchID security, and how fingerprints are stored:

    http://support.apple.com/kb/HT5949

    It isn’t very technical, but says: “Touch ID does not store any images of your fingerprint. It stores only a mathematical representation of your fingerprint. It isn’t possible for your actual fingerprint image to be reverse-engineered from this mathematical representation. iPhone 5s also includes a new advanced security architecture called the Secure Enclave within the A7 chip, which was developed to protect passcode and fingerprint data. Fingerprint data is encrypted and protected with a key available only to the Secure Enclave. Fingerprint data is used only by the Secure Enclave to verify that your fingerprint matches the enrolled fingerprint data. The Secure Enclave is walled off from the rest of A7 and as well as the rest of iOS. Therefore, your fingerprint data is never accessed by iOS or other apps, never stored on Apple servers, and never backed up to iCloud or anywhere else. Only Touch ID uses it and it can’t be used to match against other fingerprint databases.”

  47. Marie Kris says:

    Hacking can be so threatening, because we don’t want to invade our privacy. But still there are ways of hacking that are useful and legal. So we must know how and when we must probably take an action to it. Mind visiting my site? Thanks!

  48. AJ says:

    Agreed Michael Ellis Day. Thank you for that

  49. mariam says:

    I lost my iPhone but im using fingerprint lock,, but I am worried about it. they can unlock my iPhone even I have fingerprint?

    • Meghan Kelly says:

      Don’t panic, it’s very difficult to pull off this attack. They would need access to your fingerprint and then they’d need to create the fake fingerprint from that! These are likely going to be much more targeted attacks.

  50. Ron says:

    When are you going to hack the iPhone 6s with Touch ID 2 ? Thanks

  51. Mark says:

    A couple years later, but why not? Currently iOS 9.1 requires the fingerprint AND at least a six digit passcode. Even if you get in with a faked fingerprint, the passcode is required to access any vital data AND your Apple ID is needed to turn off Find My iPhone. Also after a few tries the gaps between entering the correct passcode get longer and longer – all the while the iPhone is broadcasting its location, unless the phone is set to brick itself after ten failed attempts.

    Criminals, that knock on the door you hear is the police who used Find My iPhone to track you down whilst you were busy fussing with fingerprints, passcodes and passwords.

  52. Adisa Madison says:

    Brilliant article, you are a life saver I needed just this information. Am currently using reflector now and find it great!

Leave a comment