By Jim Karpen on Thu, 09/26/2013
The Touch ID fingerprint sensor on the new iPhone 5s has been well received. Apple says that half of smartphone owners don't use any security at all, so Touch ID should provide greater security just by making it easier for people to restrict access without having to go through the step of entering a passcode. But fingerprint sensors have been shown in the past to be vulnerable, and the day after the iPhone 5s was released, a group of hackers in Germany claimed to have defeated Touch ID security. (See the video below.) But it's not easy, and it's unlikely that most bad guys would go to this much trouble.
Here's how they describe the steps necessary to perform this hack:
First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.
This description doesn't make clear that the hacker puts the latex sheet on his finger, then touches the sensor, as the video shows.
The video first shows the unauthorized person touching the home button and nothing happening. Then it shows him applying the prepared latex film to his finger, which then unlocks the device. The successful hack also shows that a real finger is needed to break in: the sensor can actually tell whether it's seeing an image of a finger or a real finger. In this case, it's a real finger with the image of the authorized person's fingerprint superimposed on it. Of course, one can't be sure the video isn't faked, but since this is a known hack that has been used in other instances to defeat this type of security, it's believable.
You can read more about it on the blog of the hacker group, the Chaos Computer Club.