

September 23, 2014

Why I hacked TouchID (again) and still think it’s awesome

By Marc Rogers

Last year, when the iPhone 5S was released, I showed how you could hack its fancy new TouchID fingerprint sensor. A year and one iPhone 6 later, I’ve done it again.

When the iPhone 6 came out the first thing I wanted to find out was whether or not there had been any changes to the TouchID sensor. I had little expectation that the TouchID sensor would be completely secure, but I hoped at least that there would have been some improvements.

So I set about creating some fake fingerprints using the same technique that I used to hack TouchID on the 5S. Once the fingerprints were ready I tested them against both devices.
The results
Sadly there has been little in the way of measurable improvement in the sensor between these two devices. Fake fingerprints created using my previous technique were able to readily fool both devices. Furthermore, there are no additional settings to help users tighten the security, such as the ability to set a timeout for TouchID after which a passcode must be entered.

In fact, it appears that the biggest change to the sensor is that it seems to be much more sensitive, which is made possible by a higher resolution scanning part. How do I know this? Well, during my testing I noticed that I got far fewer “false negatives” with the iPhone 6 (false negatives are where the device rejects your legitimate fingerprint). However, it’s likely this is also aided by the fact that the iPhone 6 appears to scan a much wider area of your fingerprint to improve reliability.

Another sign that the sensor may have improved is the fact that slightly “dodgy” fake fingerprints that fooled the iPhone 5S did not fool the iPhone 6. To fool the iPhone 6 you need to make sure your fingerprint clone is clear, correctly proportioned, correctly positioned, and thick enough to prevent your real fingerprint coming through to confuse it. None of these are challenging details for a researcher in the lab, but they are likely to make it a little bit harder for a criminal to just “lift your fingerprint” from the phone’s glossy surface and unlock the device.
Conclusion
Just like its predecessor -- the iPhone 5S -- the iPhone 6’s TouchID sensor can be hacked. However, the sky isn’t falling. The attack requires skill, patience, and a really good copy of someone’s fingerprint -- any old smudge won’t work. Furthermore, the process to turn that print into a usable copy is sufficiently complex that it’s highly unlikely to be a threat for anything other than a targeted attack by a sophisticated individual.

I’ll reiterate my analogy from my last blog on TouchID: We use locks on our doors to keep criminals out not because they are perfect, but because they are both convenient and effective enough to meet most traditional threats. The fact that Apple has tweaked the TouchID sensor a little bit means that they are working to improve things, even if those changes are primarily focused on making it easier to use. As it stands, TouchID remains an effective security control that is more than adequate for its primary purpose: unlocking your phone.

That said, I can’t help but be a little disappointed that Apple didn’t take this chance to really tighten up the security of TouchID. Especially when you consider their clear intention to widen its usage beyond simply unlocking your phone into the realm of payments. Convenient authentication for transactions is a great thing that could both improve user experience and security. However, it also brings attention from people looking to exploit those transactions, and more transactions means more incentive. If Apple is not careful they could solve one problem but create another.



18 comments


Huzaifa says:

September 28, 2016 at 4:08 pm

Did you do this with the iPhone 7 too?


Roman Brendel says:

June 24, 2016 at 6:46 am

What would you say if a bank would use Touch-ID for initiating and clearing money transfers in their app(s) regarding your knowledge about Touch-ID security?


Thomas Cooper says:

May 02, 2016 at 8:05 pm

Get hacked all of the time the last two years. It sucks.


Meghan Kelly says:

May 06, 2016 at 3:16 pm

Hi Thomas, sorry to hear. If you think you've been attacked via mobile, please feel free to reach out to our security team: malware [at] lookout [dot] com


Huzaifa says:

September 28, 2016 at 4:07 pm

Hi Thomas, how did you get hacked multiple times? Can you please elaborate a little?


Cody says:

January 14, 2016 at 12:01 pm

Did you try this on the iPhone 6S yet? It's supposed to have an even better sensor. According to Apple the finger being used has to be living, not dead. It's supposed to read past the subdermal layers and read capillary blood vessels. Did you test this using your own fingerprint on your own device? If so this was an invalid test. You should have been copying someone else's fingerprint and attempting to access an iPhone they've locked with their fingerprint. This way if the sensor is really reading your capillary blood vessels it's not just correctly guessing it's still you....


peter says:

August 25, 2015 at 5:43 pm

Thanks for doing this. While this probably doesn't affect the average citizen it does seem like important information to consider for those who have more sensitive data on their mobile devices.

