September 23, 2014

Why I hacked TouchID (again) and still think it’s awesome

Last year, when the iPhone 5S was released, I showed how you could hack its fancy new TouchID fingerprint sensor. A year and one iPhone 6 later, I’ve done it again.

When the iPhone 6 came out the first thing I wanted to find out was whether or not there had been any changes to the TouchID sensor. I had little expectation that the TouchID sensor would be completely secure, but I hoped at least that there would have been some improvements.

[Image: iPhones, fake fingerprints]

So I set about creating some fake fingerprints using the same technique that I used to hack TouchID on the 5S. Once the fingerprints were ready I tested them against both devices.

The results

Sadly there has been little in the way of measurable improvement in the sensor between these two devices. Fake fingerprints created using my previous technique were able to readily fool both devices.

Furthermore there are no additional settings to help users tighten the security such as the ability to set a timeout for TouchID after which a passcode must be entered. In fact, it appears that the biggest change to the sensor is that it seems to be much more sensitive, which is made possible by a higher resolution scanning part. How do I know this? Well, during my testing I noticed that I got far fewer “false negatives” with the iPhone 6 (false negatives are where the device rejects your legitimate fingerprint). However, it’s likely this is also aided by the fact that the iPhone 6 appears to scan a much wider area of your fingerprint to improve reliability.

Another sign that the sensor may have improved is the fact that slightly “dodgy” fake fingerprints that fooled the iPhone 5S did not fool the iPhone 6. To fool the iPhone 6 you need to make sure your fingerprint clone is clear, correctly proportioned, correctly positioned, and thick enough to prevent your real fingerprint coming through to confuse it. None of these are challenging details for a researcher in the lab, but are likely to make it a little bit harder for a criminal to just “lift your fingerprint” from the phone’s glossy surface and unlock the device.

Conclusion

Just like its predecessor — the iPhone 5s — the iPhone 6’s TouchID sensor can be hacked. However, the sky isn’t falling. The attack requires skill, patience, and a really good copy of someone’s fingerprint — any old smudge won’t work. Furthermore, the process to turn that print into a useable copy is sufficiently complex that it’s highly unlikely to be a threat for anything other than a targeted attack by a sophisticated individual. I’ll reiterate my analogy from my last blog on TouchID: We use locks on our doors to keep criminals out not because they are perfect, but because they are both convenient and effective enough to meet most traditional threats.

The fact that Apple has tweaked the TouchID sensor a little bit means that they are working to improve things, even if those changes are primarily focused on making it easier to use. As it stands, TouchID remains an effective security control that is more than adequate for its primary purpose: unlocking your phone.

[Image: Lockpicks and fake fingerprints]

That said, I can’t help but be a little disappointed that Apple didn’t take this chance to really tighten up the security of TouchID. Especially when you consider their clear intention to widen its usage beyond simply unlocking your phone into the realm of payments. Convenient authentication for transactions is a great thing that could both improve user experience and security. However, it also brings attention from people looking to exploit those transactions and more transactions means more incentive. If Apple is not careful they could solve one problem but create another.

23 comments
  1. John Smith says:

    You start the article by saying that Touch ID hasn’t been improved and then go on to mention ways that it had been improved. I think you need to distinguish between improvements and whether or not your hack still works.

  2. Lance says:

    Have you tried to “hack” the fingerprint scanner on Huawei Mate 7 yet? Different sensor supplier (Swedish company called FPC) than for iPhone (Authentec) and Samsung (Synaptics) so it would be really interesting to see if they have succeeded better with liveness detection.

  3. Furutan says:

    I’ve always been curious as to why someone will figure out how to hack security and then put it up on the web so that they can teach crooks how to rip people off. There’s a line between showing off one’s cleverness and abetting a crime. Pick a team.

  4. Clegg says:

    So all someone has to do is steal my phone (without me noticing and using find my iphone to locate it or wipe it), lift a good copy of my fingerprint, and make a clone of that fingerprint that is correctly proportioned, correctly positioned, and thick enough to prevent their real fingerprint coming through to confuse the sensor. What an outrage!!

  5. Yea says:

    Hi Lookout,
    I can’t clear your notification: “activate Lookout today to protect your device” from my notifications bar.
    That needs to happen before anything else.
    So please make it happen.
    Maybe if I just uninstall?

    • Meghan Kelly says:

      Hi there, sorry to hear you’re having issues. Please email our support team and include the email address associated with your Lookout account: support [at] lookout [dot] com

  6. jim says:

    How long does the process take from start to finish, best and worst case scenario? This sort of time to cloned print would be useful to know so that we can set our own app’s touchID expiration timers appropriately so that it’d be unlikely to be compromised in time before it expired.

    I’d presume 30-60 mins, but it’d be good to hear from you what you think the estimates are for your own workflow.

    Cheers

  7. Anon says:

    This is such a non-issue. What are the odds of a phone thief also copying your fingerprint with this complicated method?

  8. jmmx says:

    There are interesting remarks on this site (which now refers back to this blog) on the topic. While different emphasis – we seem to agree.

    https://jmmxtech.wordpress.com/2014/09/27/fingerprint-hack/

  9. Tom August says:

    I’ll bet you can’t do it with the Huawei touch sensor. It’s much better than iPhones.

  10. LUIS RICARDO RIVERA says:

    On 09.29.2014 I lost my phone and informed you of this so that I could look for it through your system, without getting the expected results. The next day, 09.30.14, I fortunately found it, and since I had already deactivated it I called the company that provides my service (Metro PCS) to have it reactivated. Once they activated it everything was perfect: all the contacts, messages, photos, etc. were in place. But about two hours later I got a message from you saying that it was locked.. so I found a computer, went to your page and read the unlock code.. but, oh surprise, from that point all my phone numbers, photos and everything else were erased.. causing me great sadness and distress.. that is why I ask that you kindly help me recover the lost information, as it is very important to me. The phone is .. I will be eternally grateful if you manage to recover that information… thank you very much, and I await your reply.

  11. Bob Norfleet says:

    I just downloaded this app to my iPhone4 at the encouragement of a neighbor. I tried several times to get the Lookout system to locate & send a “scream” before I finally got the scream on my phone which was in another room on the other side of my house from my iMac. When I tried to do it again to demo for my son, it did not work. Lookout reported that it could not locate my phone which was “on” and in “vibrate only” mode. This app needs some work. I’ll keep the app because it is free and in hopes that if I ever need the service it will be better than today!

  12. In 1999 I patented the idea of a constantly changing password derived from the user’s fingerprint. It was highly touted by the NSA and is available for licensing today. In 1999 I also was informed about 2% to 4% of Americans cannot be reliably fingerprinted at all. This equates to about 7 million persons in the US today. Therefore I patented a mm-wave device that scans your cranium which is spoof proof and operates in total darkness even if the user is wearing a ski mask to cover their face and hide their identity!

    • Jay says:

      Whoa, that sounds awesome. So, this reads a person’s specific brainwave signature? Can you identify and track someone from a distance? If so, what’s the maximum range do you reckon you could track someone at with it?

      Btw, you sound like a frikkin genius 🙂

  13. Jids says:

    Hi Marc, I am curious if you were able to hack Samsung Galaxy S6 yet like you hacked S5. Thanks!

  14. peter says:

    Thanks for doing this. While this probably doesn’t affect the average citizen it does seem like important information to consider for those who have more sensitive data on their mobile devices.

  15. Cody says:

    Did you try this on the iPhone 6S yet? It’s supposed to have an even better sensor. According to Apple the finger being used has to be living, not dead. It’s supposed to read past the subdermal layers and read capillary blood vessels. Did you test this using your own fingerprint on your own device? If so this was an invalid test. You should have been copying someone else’s fingerprint and attempting to access an iPhone they’ve locked with their fingerprint. This way if the sensor is really reading your capillary blood vessels it’s not just correctly guessing it’s still you….

  16. Get hacked all of the time the last two years. It sucks.

    • Meghan Kelly says:

      Hi Thomas, sorry to hear. If you think you’ve been attacked via mobile, please feel free to reach out to our security team: malware [at] lookout [dot] com

    • Huzaifa says:

      Hi Thomas,
      How did you get hacked multiple times? Can you please elaborate a little?

  17. What would you say if a bank would use Touch-ID for initiating and clearing money transfers in their app(s) regarding your knowledge about Touch-ID security?

  18. Huzaifa says:

    Did you do this with the iPhone 7 too?
