Touch ID Cracked, Requires Complex Steps and Sophisticated Technology

There's a new talk about hacking biometric logins that's been published by the Chaos Computer Club. This is a European hacker group holding its annual Chaos Communication Congress event this week. At the event, starbug (aka Jan Krissler) gives a talk where he successfully uses photographs to crack passwords, uses latex to foil a fingerprint scanner to log in to Windows, and finishes by creating a representation of his own fingerprint to log in to an iPhone using Touch ID.

Here is the big thing to know about the talk: Lots of authentication mechanisms that seem pretty secure actually aren't that secure in some cases.

With readily available photography equipment and a decent printer, it is possible in some cases to fool a facial recognition scanner. It is also possible, with the same photo, to zoom in on the light reflected in the pupil of an eye and get a good enough look at the screen and their fingers to guess one of the digits being entered on a screen or keypad. If you can manage to shoot a photo for each instance of the entry, you could make a pretty good (about 90% on the first try) guess at someone's super secret code. A photo (or two) of a finger using the same technology, cleaned up and transferred from the image to what appears to be latex, enables logging in to someone else's Windows machine that employs a fingerprint scanner.

Near the end, starbug shifted his focus to Apple. He placed his iPhone on a high-end flatbed scanner and scanned the screen, picking up a clear fingerprint. He then transferred that print to tracing paper, used the tracing paper to etch the print to a PCB (printed circuit board), then sprayed it in graphite, covered that in wood glue, and finally cut out the print and on the third try was able to use that print to unlock the iPhone via Touch ID.

In the video it is mentioned that you can do this in your kitchen and it is portrayed as something common. However, if you look at the instructions for how to etch a circuit board, you'll see you need to have hydrochloric acid and straight acetone laying around in your kitchen, and unless you're Walter White, I'm pretty sure the odds of these things being under the sink are slim.

Additionally, it's more notable that the (far more common) facial recognition/pupil photos and Windows login fingerprint scanners are pretty easily bypassed, and yet it took a lot more steps to create something that fooled the Touch ID scanner. Also, all of these hacks are predicated on physical access to the device and managing to guess it on the first three tries (after that it's passcode only). If Touch ID won't let someone in, using even a 5-digit passcode can keep someone out of your device long enough for you to wipe the device remotely.

Touch ID still works well and makes things more secure. It's pretty unlikely someone could go through the work needed to get a fingerprint and duplicate it to get into a phone before the owner realized it was gone and wiped it. Hacking Touch ID has been shown to be possible before, but again it took so many steps most people don't want into an iPhone that badly, or are able to get in before it's flatlined.

It is OK use Touch ID and a long passcode, and do what you can to secure your phone while out and about, and for most people is more than adequate. So don't worry too much about this right now. Unless it gets dramatically easier, it's pretty unlikely to happen to you.