Last year, when the iPhone 5S was released, I showed how you could hack its fancy new TouchID fingerprint sensor. A year and one iPhone 6 later, I’ve done it again.
When the iPhone 6 came out the first thing I wanted to find out was whether or not there had been any changes to the TouchID sensor. I had little expectation that the TouchID sensor would be completely secure, but I hoped at least that there would have been some improvements.
So I set about creating some fake fingerprints using the same technique that I used to hack TouchID on the 5S. Once the fingerprints were ready I tested them against both devices.
Sadly there has been little in the way of measurable improvement in the sensor between these two devices. Fake fingerprints created using my previous technique were able to readily fool both devices.
Furthermore there are no additional settings to help users tighten the security such as the ability to set a timeout for TouchID after which a passcode must be entered. In fact, it appears that the biggest change to the sensor is that it seems to be much more sensitive, which is made possible by a higher resolution scanning part. How do I know this? Well, during my testing I noticed that I got far less “false negatives” with the iPhone 6 (false negatives are where the device rejects your legitimate fingerprint). However, it’s likely this is also aided by the fact that the iPhone 6 appears to scan a much wider area of your fingerprint to improve reliability.
Another sign that the sensor may have improved is the fact that slightly “dodgy” fake fingerprints that fooled the iPhone 5S did not fool the iPhone 6. To fool the iPhone 6 you need to make sure your fingerprint clone is clear, correctly proportioned, correctly positioned, and thick enough to prevent your real fingerprint coming through to confuse it. None of these are challenging details for a researcher in the lab, but are likely to make it a little bit harder for a criminal to just “lift your fingerprint” from the phone’s glossy surface and unlock the device.
Just like its predecessor — the iPhone 5s — the iPhone 6’s TouchID sensor can be hacked. However, the sky isnt falling. The attack requires skill, patience, and a really good copy of someone’s fingerprint — any old smudge won’t work. Furthermore, the process to turn that print into a useable copy is sufficiently complex that it’s highly unlikely to be a threat for anything other than a targeted attack by a sophisticated individual. I’ll reiterate my analogy from my last blog on TouchID: We use locks on our doors to keep criminals out not because they are perfect, but because they are both convenient and effective enough to meet most traditional threats.
The fact that Apple has tweaked the TouchID sensor a little bit means that they are working to improve things, even if those changes are primarily focused on making it easier to use. As it stands, TouchID remains an effective security control that is more than adequate for its primary purpose: unlocking your phone.
That said, I can’t help but be a little disappointed that Apple didn’t take this chance to really tighten up the security of TouchID. Especially when you consider their clear intention to widen its usage beyond simply unlocking your phone into the realm of payments. Convenient authentication for transactions is a great thing that could both improve user experience and security. However, it also brings attention from people looking to exploit those transactions and more transactions means more incentive. If Apple is not careful they could solve one problem but create another.