Chaos Computer Club First to Hack Apple Touch ID

Star Bug, the CCC member credited with the experiments that led to the hack (video here), explains in a statement on the CCC website that the increased security built into Apple's Touch ID involves little more than a higher resolution than the majority of fingerprint sensors. "So we only needed to ramp up the resolution of our fake", he said.

The process used involved everyday materials that many people already have to hand or can easily obtain. "First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting," explains CCC. After that, it simply involves creating a mold of the fingerprint using pink latex milk or white woodglue, and applying it to the sensor.

The group has an ulterior motive beyond simply being able to say, 'We hacked Apple'. "It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token", said Frank Rieger, spokesperson of the CCC. He goes so far as to suggest that biometrics "is fundamentally a technology designed for oppression and control, not for securing everyday device access."

You can easily "be forced to unlock your phone against your will when being arrested," says the statement. "Forcing you to give up your (hopefully long) passcode is much harder under most jurisdictions than just casually swiping your phone over your handcuffed hands."

Paul Ducklin points out that in many cases neither a 'stolen' and forged fingerprint nor the user's coerced physical presence would be necessary. "Additionally," he writes in Naked Security, "(in many countries in the post-9/11 world) many of us deliberately, often unavoidably, have allowed the authorities, our employers and even businesses such as banks to take high-quality copies of our prints, and to keep them pretty much for ever."

But the CCC hack was not the only one to be publicized over the weekend. Marc Rogers (@marcwrogers), director of SecOps at DEF CON and a principal security researcher for Lookout, published a video of his wife using his fake fingerprint to access his iPhone. "With the exception of a couple of minor tweaks everything I did came from Matsumoto's 2002 research," he tweeted yesterday. "I made a fake finger from mold (to prove it could be done) then prints using Matsumoto's PCB technique," adding "Do I get any prizes for second place?"
