A day after the iPhone 5S hit the streets, a group of hackers in Germany said they have bypassed the biometric security on Apple's new Touch ID fingerprint sensor by using "easy everyday means."
The Chaos Computer Club announced late Saturday that it defeated the security system by photographing an iPhone user's fingerprint from a glass surface and using that captured image to verify the user's login credentials. The Touch ID sensor, which resides under the home button of the iPhone 5S, can replace the four-digit passcode to unlock the handset and authorize iTunes Store purchases.
"This demonstrates -- again -- that fingerprint biometrics is unsuitable as access control method and should be avoided," the group wrote in a blog post detailing its bypass:
First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.
"We hope that this finally puts to rest the illusions people have about fingerprint biometrics," Chaos Computer Club spokesperson Frank Rieger said in a statement. "It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token."
That blunt assessment echoes the critique of iPhone 5S security put forth by US Sen. Al Franken. "If someone hacks your password, you can change it -- as many times as you want. You can't change your fingerprints. ... And you leave them on everything you touch; they are definitely not a secret," the Minnesota Democrat wrote, in part, in a letter to Apple CEO Tim Cook dated Thursday. "Let me put it this way: if hackers get a hold of your thumbprint, they could use it to identify and impersonate you for the rest of your life."
The Touch ID system isn't a pure replacement for the more traditional passcode. "If you restart your iPhone, or turn it off and on, or don't use it for 48 hours, it'll ask for your passcode again before allowing fingerprint recognition," Scott Stein wrote in CNET's review of the iPhone 5S. That's potentially useful as an extra deterrent for would-be fingerprint thieves, but it proved a little quirky over a week of use. I never knew when the 5S might insist I enter my passcode again."
CNET has contacted Apple for comment and will update this report when we learn more.
It wasn't immediately clear if the group would lay claim to a bounty of more than $16,000 that is being offered to the first person who could hack the fingerprint sensor. IsTouchIDhackedyet.com -- the brainchild of independent security researcher Nick DePetrillo -- said on its Web site that it was waiting for the group to upload video of the process before declaring the Chaos Computer Club the winner.
In addition to cash, the winner has been promised a free application from CipherLaw to patent the hack; several bottles of alcohol including Laphroaig, Maker's Mark, Argentine wine, Patron Silver, and Bulleit bourbon; a "dirty sex book," and an iPhone 5C.
The group's demonstration video:
(Via The Verge)
Updated at 1:30 p.m. PT with uploaded video.