In a rather nervous video and associated blog post, Chaos Computer Club appears to demonstrate how they can get through Touch ID by taking high-resolution photographs of a fingerprint. Ironically, they claim the hack can be completed with “materials that can be found in almost every household”, then go on to say that a 2400 dpi resolution photograph of the fingerprint must be used.

The group claims that Touch ID was only a little bit more difficult to get through compared to other fingerprint sensors, since the iPhone 5s’ scanner is extremely high-resolution. They go on to state that fingerprints should not be used as a secure method of authentication since they are left on so many surfaces and can be picked up very easily.

A large, crowdfunded bounty was created to reward the first group to “crack” Touch ID. In this case, CCC is using conventional methods rather than software cracking, but the video proof makes a solid case that it is effective. The chances that someone will be able to take a 1200 dpi photograph of your fingerprint without your knowledge, however, are slim.


64 Responses to ““Biometrics hacking team” uses photographed fingerprint to get past Touch ID”

  1. It is true, that it is very unlikely that someone would get such a shot of your fingerprint but it is very easy to use wood glue and tape to get a fingerprint left on a glass or other flat surface.


    • You should not forget that there are many potential fingers to check. In addition the iPhone will revert to a predefined passcode, if the TouchID has failed 5 times. So I guess bad odds, even if you have wonderful fingerprints of all 10 fingers available ….


  2. Bob G says:

    But it would be very easy for someone who has stolen your phone with your fingerprints all over it to dust them, put the phone on a scanner and print the resulting scan. If true, this could be very troublesome.


    • davespirit says:

      It really wouldn’t be that easy … and I guarantee you that no one you know would give a s**t enough to bother trying ;)


    • You can’t just “put the phone on a scanner” and print it. Most office printers don’t print above 1200 dpi, and that’s even if you have a scanner that can do 2400dpi. Not to mention paper inconsistencies, etc. Add in trying to get a clean scan of the fingerprint, highly unlikely unless you have high end tools. Even so, I agree this is a little troublesome. Though at this point I don’t think someone with the skill required is going to put the effort in just to get into personal files of 99% of the population; at least until fingerprints are used for payment methods.

      This also brings up the question, is this any more difficult/easier than snatching someone’s wallet and using their credit cards for online shopping?


    • Jay Robinson says:

      A motivated thief could conceivably lift your fingerprint off the phone if the phone had been cleaned and then used very briefly. Overlapping, smudged or incomplete prints are useless. So we have to envision a scenario where the culprit steals the phone once to clean it, gets it back to you briefly, and then steals it again, hoping you’ve placed a police-booking-quality print of the correct finger somewhere on the glass.


  3. I guessed it would be less than two weeks before this happened. Mass-produced fingerprint scanners are easy to phreak.


  4. I’d like to see them do that without the photo being stuck to his finger. The sensor detects (in addition to the finger print) a live finger with a pulse. It’s not just a matter of having a photo.


    • Exactly. Prove it by not using your finger at all. And that thing he ‘popped’ out did not look like a photograph of his finger.


    • Agreed. . . or at least a finger that was not one of the other 4 programmed before the video started. Shouldn’t they verify, then report?


      • At 0:34, when he’s finished registering his finger, the screen goes back to the settings where you can see there is only one finger registered.


      • @ Gary Higginbotham. For someone without scruples, $10,000 is a nice motivation. Nearly anyone could spoof a pretty good iOS screencast / video. Back in March of this year David Pogue recommended Airsquirrels’ Reflector app, which now mirrors iOS 7 on iPhone 5s to your Mac or pc. Just put the video on the phone, press play, start your Starbucks inspired “documentary” and tap your finger on the home and power buttons in sync. The real point here is that a suspicious youtube video (positioned to show two perfect fingerprints in grease on the surface of the phone itself) proves nothing. We want to see a credible source (i.e. Cnet, Macworld or 9to5mac staff ) duplicate the entire process on video for us — before jumping on the “look-how-easy-this-is” bandwagon.


  5. Should sell a heckava lot of “printless” iPhone case, eh? … Going on Kickstarter right now …


  6. kbuck1084 says:

    It’s not that easy to lift prints without messing them up in some way. To find and lift a print without corrupting it to the point the scanner doesn’t recognize it isn’t a walk in the park.
    I’d go out on a limb and assume that it’s easier to type in the most common 4 digit passwords than find, lift, print a high resolution fingerprint.


  7. Mani Gutau says:

    Buy yourself the most expensive lock, vault etc… Someone can copy your key, hack your code. Yes, even your fingerprint. There is no “perfect security” system, or at least not with only one alternative to gain access. Guess the focus should be on a different matter. Touch ID is a faster, simpler and much safer alternative to “current” security systems. My point is we should appreciate a security system for decreasing the chances to gain access to our information, in comparison with other products, and Touch ID is simply the smartest, fastest and safest idea on the market, from this point of view. 1200 dpi copy of your fingerprint vs a new set of keys ? Guess I’ll go with Touch ID.


  8. It is now time to scrap Find My iPhone for Find my Fingerprint


  9. Well, it seems that the next big security feature should be eye scanners…


  10. TouchID may not be 100% secure but I’d say there’s less chance of someone doing this to access your phone/iTunes account than there is of them seeing you enter your PIN/password and using that


  11. Cody Frisch says:

    Was this the only finger setup on the device or was his middle finger already setup? Can we determine for sure that the sensor is incapable of reading through a thin layer of certain materials between the finger and the sensor?

    I’m not doubting it’s possible. I’m not exactly worried about it in my personal life, as there isn’t anything I am too worried about cops getting at on my phone. I’m more worried about casual snooping by people. That said I do have my phone locked to the extent I can, my computer is secured with whole disk encryption, and my online backup is encrypted. The weak spot is email, as unless I operate the server myself, I am basically open to it being handed over with nothing but a subpoena.

    I see Touch ID as more of a casual protection. Personally I’d like there to be some ability to customize when your passcode is requested too. At least once a day? If it hasn’t been used for over 2 hours? Use some of the technology that determines when to do background updates to say “this time of day you’re always in the gym, and your phone is in your locker, you shouldn’t be using it right now so give me your passcode.”

    Make Touch ID more about convenience, not “security”. Allow me to define certain apps that require a passcode to run. Give each app its own unique encrypted storage space. This way I don’t exactly have to do anything to check my weather or stocks, but I have to authenticate (at a deeper level than an application’s own password) to login to my bank account.


    • I tend to agree. I smell BS over this test… I tested a Touch ID sensor at an Apple Store on launch day of the 5S using the demo app, and later on a willing volunteer’s newly-purchased 5S just to see how it works.

      My guess here is they had more than the first finger already programmed into the sensor, and simply made it look on video as if they used a lifted print to unlock. Based on the technical descriptions of the sensor technology, it doesn’t care about the external layers of the skin, but rather takes a type of sub-dermal thermal image of the print (thus allowing it to function even if the outer layers of the skin are contaminated or damaged). If that is true, then the sensor would not unlock, because it would ignore the printed image and detect the mismatch of the sub-dermal layer.

      If this video were to be convincing for me, they’d have performed a factory reset on the device, reconfigured it from scratch, performed the initial Touch ID programming, and then attempted to unlock with a lifted print, all while being continuously video taped to prove this was indeed a defeat of Touch ID.

      Yet it seems they perform this hack in a public place, perhaps a restaurant, in a somewhat suspiciously nervous action.

      I do also agree, that Touch ID should NOT be considered a fool-proof replacement for a PIN code. Because iPhone 5S can still be unlocked with a PIN, that remains the weakest link in the security system. How much do you want to bet that most people having a 5S will use 0000 or 1234 as their PIN thinking Touch ID will be enough security? This very concept will make a 5S possibly even easier to gain access to than previous generations. Apple should include some type of warning to users when they’re setting up their PIN to ensure the code entered is complex, and not a sequential or repeating series of numbers.

      Remember, there is no lock that a smart person can’t pick!


      • mechanic50 says:

        I call bs on this as well, the touch id sensor is a capacitive touch sensor and reads the layer of skin below the dermis (living tissue below the surface of dead skin). Notice the same person using the same finger with a very thin piece of plastic between his finger and the scanner. The touch id is reading his fingerprint below the dermis like it is supposed to. I want to see him try this with someone else’s finger with his print. If anyone has taken the time to actually read how this sensor works, they would know that one of the benefits of this sensor is that it can be put behind an lcd display and still read. Because it is capacitive touch not optical. Only an optical sensor would be fooled by a high resolution fingerprint copy. The only thing to say here is that the sensor is reading the person’s real fingerprint through the tape on the end of his same finger.


      • mechanic50 says:

        Also even if he is using his middle finger for the test how do we know he did not train it before hand as you can train more than one finger to unlock the phone.


  12. I call BS. Apple stated that TouchID does not use the outermost layer of skin, but the sub-dermal. Whatever they are using looks transparent, so TID is probably going through that to the sub-dermal layer of the guy’s finger. AND, he needs to quit drinking so much coffee!! Did you see the shakes?


  13. I SAID THIS WAS COMING FROM DAY ONE! Mythbusters did a TV Show about this years and years ago.


    • Oh, and by the way, you all said Apple’s sensor was going to be different than anyone else’s, and a photograph of someone’s print wouldn’t fool it. Who has egg on their face now? Fingerprint scanners are not secure at all, a complex password is 1000 times more secure. Someone can lift your prints without you knowing about it very very easily…not to mention just using this gives the NSA / whatever government that has a backdoor into iCloud your prints. The “it stays on the chip” part is Bs too, and I’m sure we’ll find proof of that in the coming weeks.


  14. That doesn’t look like a 1200dpi “Photograph.” It looks like a very thin piece of plastic…how is at any point a ‘photograph’ at 1200dpi, and who shot this thing? the guy looks shaky as hell. I call shenanigans.


  15. If he really REALLY wanted to prove it, and if it was real, he should have showed only the registration of the index finger had been done in settings. Then placed this ‘photograph’ on his MIDDLE finger or another, not the same finger. No proof here.


  16. Folks are also forgetting that if your phone hasn’t been unlocked for 48 hours, the passcode is required. So if your phone is stolen not only do you have Find My iPhone (built into the firmware so a restore wouldn’t even bypass it), and activation lock (built into iOS 7 and requires iCloud password), but also the 48 hr timer starts and the thieves have to figure out a way to bypass the fingerprint. I like my options.


  17. Also, I had a deeper look into the video, and although in my previous comment I speculated they may have another stored print on the device, it seems it only registered the single print they programmed during the video.

    Notice however when they begin testing it, they unlocked the device using 0000. Depending on the settings for passcode and fingerprint, this could’ve left the phone in an unlocked state, thus making it appear it works.

    Could anyone with a 5S confirm this as being valid?

    But yes I agree biometrics is not the safest method of security around…


  18. He is not fooling anyone with this, it’s a transparent sheet of plastic and another print stored. Simple as that, proves nothing.


  19. Don’t forget that if you don’t unlock your phone for 48 hours Touch ID will not work. You will have to enter your passcode.


  20. Aside from the sketchy aspect of the experimental controls here… If someone wants my iPhone unlocked that bad that they are willing to invest in a covert operation to somehow get the phone from me (either through theft or kidnap) and have had the premeditated intent to be following me around with a kit from the CSI crime lab to capture my fingerprints perfectly in 2400 dpi from every surface I had touched — you’d have to wonder moreover who is after you and what you did to deserve such attention. If you are going to go to that length to get into my OK Cupid account then we might be in Fatal Attraction territory. Or, if I am international man of mystery — possibly I am 007 or Jason Bourne. If somebody is out to get you that bad — trust me — your iPhone being unlocked is the least of your worries. ;)


  21. I’m a little skeptical about this video. He uses a transparent lining as well as his own fingerprint; it could have easily read through the transparent lining.


  22. Harvey Lubin says:

    This is a video of someone supposedly “hacking” the Touch ID… but it’s the same guy who registered his fingerprint that “unlocks” his iphone with something on his fingertip.

    Even if you have thick chapped skin on your fingertips, the Touch ID will still recognize you because it reads your sub-dermal prints.

    Of course he is going to unlock his own phone, because the Touch ID does not read the surface, but scans below the outer skin to recognize him as the owner.

    Duh!!!

    We need to see another person who has NOT registered his fingerprints on this phone, using the registered person’s printed fingerprint. But the guy who made this video obviously knew that wouldn’t work. ;-))

    Here is some information about the deep scanning that Touch ID does, and why printing a fingerprint, or using a severed finger will NOT work:

    Capacitive — A capacitive sensor is activated by the slight electrical charge running through your skin. We all have a small amount of electrical current running through our bodies, and capacitive technology utilizes that to sense touch. This is also the same technology used in the iPhone’s touchscreen to detect input.

    Radio frequency — RF waves do not respond to the dead layer of skin on the outside of your finger — the part that might be chapped or too dry to be read with much accuracy — and instead reads only the living tissue underneath. This produces an extremely precise image of your print, and ensures that a severed finger is completely useless.

    This video only proves that Touch ID can still recognize your fingerprint, even if you have something thin between you and the scanner.

    This guy is not winning the contest, but nice try to fake things. ;-))


    • Harvey Lubin says:

      The owner of the iPhone can register as many of their fingers as they want to. They can even register someone else’s finger who they trust to unlock the phone.

      They are NOT limited to registering just one fingerprint.

      We need to see an iPhone 5S (preferably immediately after being taken out of the packing), and have a totally different person who has not registered any fingers on the phone try to do the same thing.

      A $10,000 prize is very enticing for many people, and it’s easy to bend the rules in order to try to get that prize money.


      • Jim Phong says:

        They can bend the rules to fool people on the ‘net on Facebook and YouTube… BUT they won’t get any money if they won’t be able to correctly explain every single detail and prove to engineers and lawyers that they have found a way to bypass the lock.


      • Sorry, but I am fairly sure a $10,000 prize does not seem the least bit enticing for Europe’s largest hacker association, which has a 30 year history of honest work and whose members regularly write articles for several prestigious newspapers and often serve as experts for internet policy and related issues for both the federal and state parliaments. (For a more comprehensive introduction, please consider reading this: https://en.wikipedia.org/wiki/Chaos_Computer_Club)


  23. Do it again but, next time, don’t be so nervous. Maybe all that hand-shakery [sic] is what confused the sensor.


  24. gsetim says:

    Who is the guy with palsy who can barely even touch the phone?


  25. I wonder if using gum or something similar with your fingerprint on it would unlock it. *hint, hint. Try it.


  26. I’ll believe this when they show the whole process. I don’t see how a digital printout can be “cast” with latex and turned into a print.

    Also, all Apple has said is that the fingerprint is more secure than a passcode, and easier to use.

    It is, and by quite a large margin.


  27. Well, looks like visual biometrics might be necessary.


  28. Notice how many FingerPrints are on the Screen itself?


  29. Either this dude needs to lay off the coffee or he was very nervous about doing this.


  30. smigit says:

    Back in the real world the 4 digit numeric pins that touch ID replaces aren’t exactly the most fool proof form of security either. I’ve seen more than a few people’s handsets that had very visible finger print marks where they tapped to enter their pin, so surely this is an improvement. Seems a bit of noise for noise’s sake to be honest…it was never going to be unbreakable.


  31. Ok, to those who do believe this is real, and to those who don’t. The simplest of things I noticed while looking at this video on my iPad, then locking it in portrait mode and then turning it sideways so I had a profile view of the phone rather than a side view is the one main thing. I don’t know how many people speak foreign languages, but the answer is in the display. When looking and reading the display (which is easy to do with a screen grab) the thing noticed is that the phone being used DOES NOT lock until after 1 minute. Which means, once unlocked for the first time, he had to wait 1 MINUTE and 1 second to then use his trick to access the phone. The fact that he unlocks it with his finger then puts the display to sleep, only to open it 5 seconds later says one thing, the phone was not locked when he used his photograph. It would have to have an instant lock once put to sleep, and it’s as clear as day, he had to wait a minute. So, phone was not locked people, and he cracked nothing. Guten Nacht people =0)


  32. Ok, to those who do believe this is real, and to those who don’t. The simplest of things I noticed while looking at this video on my iPad, then locking it in portrait mode and then turning it sideways so I had a profile view of the phone rather than a side view is the one main thing. I don’t know how many people speak foreign languages, but the answer is in the display. When looking and reading the display (which is easy to do with a screen grab) the thing noticed is that the phone being used DOES NOT lock until after 1 minute. Which means, once unlocked for the first time, he had to wait 1 MINUTE and 1 second to then use his trick to access the phone. The fact that he unlocks it with his finger then puts the display to sleep, only to open it 5 seconds later says one thing, the phone was not locked when he used his photograph trick. It would have to be configured to lock instantly once put to sleep, and that was not the case. He had to wait over 1 minute. So, phone was not locked, and he cracked nothing. Guten Nacht people =0)


    • Not buying the whole thing at the moment as I expect that Apple has tested this obvious case … so we indeed have to see the whole process.

      But you’re wrong with Lock. The 1-minute is just locking the device but it’s not the lock-time requiring a PIN. This is in the section below that. And there fingerprint is activated … so I assume (don’t own a 5s) that using the fingerprint option the device is fingerprint/PIN locked immediately in any case!


  33. Paul Kerr says:

    How likely is it that you’ll get a perfect fingerprint of the correct part of the correct finger, and get that to work within 5 tries before it switches to the passcode? If I use the ends of my fingers for unlocking the phone, your chances of getting a full, un-smudged copy of that part to use from a glass or other smooth, non-porous surface are about zero. Think you’ll get it from the touchscreen? Every print will be smudged by dozens of similar taps. In the real world, this hack isn’t much of a threat.

    Next.


  34. Oh wow this option seems that if someone gets your phone he will grab your finger prints from all over the device then scan them then print them, then unlock your device and take all the gold and diamonds out of it, at last we must not forget that inside iPhone there is a mine of gold and diamonds, Sh*t storm is coming.


  35. Tim Kelly says:

    If people are worried about the possibility of people lifting a fingerprint for this purpose, why don’t they just set touch ID up with fingers they don’t use as much (ring finger, for example) as most prints left anywhere will be the index finger.


  36. Alin Buda says:

    ay, that is an iPhone 4S.. no fingerprint scanner on this version… so please…


  37. Len Williams says:

    OK, this is stupid to release this information to the general public including the criminally minded. This should have been reported directly to Apple for them to look at and debug if necessary, and only if Apple refused to respond, releasing it publicly to alert people of the danger. This article and the release of the information only serves to educate people who want to break into people’s phones. However unlikely the scenario of being able to find and photograph someone’s fingerprints at 2400 ppi, it’s really stepping outside of the bounds of propriety by educating crims on how to bypass the fingerprint sensor. Duh!


  38. How do we know that it is not reading his real fingerprint right through the cast? Very poor methodology.


  39. Now we know that the sensor doesn’t have any mechanism to determine if it is reading a live, warm finger or a mere dead, cold image (it doesn’t). This will also help fuel speculation that people’s fingers will be hacked off by the Mafia in order to access their iPhones, or even that people’s iPhones (and possibly financial accounts) will be accessed after they die, merely by placing the corpses’ fingers up to their phones. Of course, there was always the possibility that sleeping or even knocked-out people’s iPhones could be accessed in this way. No, I’m afraid this means anything but the ability to eliminate passcodes.


  40. cerniuk says:

    My 13 yr old daughter has practiced watching people type their passwords covertly. She can pick off any 4 digit password typed on an iPhone if she can see the screen at a distance when they type (and the person is not aware of her inspection). If the iPhone screen is perpendicular to her view (aka screen is at 90 degrees to her view, can’t be read) she gets the 4 character password over 50% of the time. Android is no different as it is all about the pattern of motion of the finger, not the digits typed.

    Needless to say our iPhones at home will greet us from siri with “Yo Daddy yo!” or “Hot Momma” instead of our names after she has picked off my wife and my latest 4 digit code. This seems to be a bit of a game that the students play at school amongst each other as well as it is not uncommon for my kids’ phones to greet them with “yo poopoo head” or similar silliness.

    They have not figured out how to get a 2400 dpi printer and lift a finger print at home or at school yet. I suspect that they will figure out the complex passwords typed in front of them or in range of an iPhone video camera before they get past the technical difficulties of the finger print spoofing.

    Either way, capturing a personal login is a personal attack. If someone is intent on getting your login information and they have access to you personally, is it really going to matter, 4 char code, 25 char password, or finger print?
