Video reveals how the Touch ID hack was performed – ‘trivial’ attack that took 30 hours

The German hacker who successfully defeated Touch ID using a fingerprint lifted from the back of an iPhone has posted a video showing exactly how it was done.

While the hacker – who goes by the nickname Starbug – described the attack as “very straightforward and trivial,” he revealed in an email interview with Ars Technica that it required 30 hours of work using a scanner, a high-resolution laser printer and a printed circuit board etching kit.

It took me nearly 30 hours from unpacking the iPhone to a [bypass] that worked reliably. With better preparation it would have taken approximately half an hour. I spent significantly more time trying to find out information on the technical specification of the sensor than I actually spent bypassing it.

I was very disappointed, as I hoped to hack on it for a week or two. There was no challenge at all; the attack was very straightforward and trivial.

Should iPhone 5s owners worry that, now that the technique is known, it could be replicated in 30 minutes? The answer is ‘it depends, but probably not’ … 

First, this isn’t something your friends can do as a bar prank, to switch your iPhone’s language to Arabic or something. Unlike a PIN, which your friends might well be able to spot if they’ve seen you unlock your phone often enough, this requires taking the phone away and working on it for some time.

Second, you needn’t worry about this as a technique thieves might use to steal and sell your iPhone. While Starbug may consider this a trivial hack, and the equipment needed isn’t esoteric, it’s well beyond the capabilities of your everyday iPhone thief. Remember too that even your fingerprint isn’t enough to reset and sell your phone: Activation Lock means that the thief would need your Apple ID password too.

This is something that requires a considerable amount of time, effort, skill and equipment. The question then becomes: is the data on your phone worth that effort? If you’re the CEO of a Silicon Valley startup, maybe. If you’re the average guy on the street, no.

The point of any security system isn’t to be unbreakable – there’s no such thing – but to be fit for purpose. That means sufficiently easy to use that people will actually use it every time, and sufficiently tough to crack that it will deter all but the most determined. Hack or no hack, Touch ID still meets that requirement.

Comments

  1. Will Dmaic - 11 years ago

    It took 30 hours the first time, once mastered, sure they will be able to do it in much less.

    If Apple wants to incorporate fingertip payments into the iPhone, it looks like they will have to go back to the drawing board and then explain to everybody what they have done to prevent this fake fingertip hacking and why the subepidermal detection is not working properly.

    Otherwise no payment is going to be done, whether or not they claim it is safe in 99.9% of cases. People don’t trust systems they see so easily hacked, let alone the fact that biometrics already have a bad reputation in people’s minds.

    • Ben Lovejoy - 11 years ago

      It’s still a 30-minute hack. Nobody is going to do that trivially.

      • Jeff Kibuule - 11 years ago

        The problem isn’t that it will take 30 minutes to do, but that no credit-card company can ever trust it as authentication because of plausible deniability from a customer that someone did this (and honestly, what happens when it’s 5 minutes to do via an automated program and a 3D printer you print at Staples?)

        If the fingerprint reader is only ever to unlock your phone and iTunes purchases, that’s the most boring thing ever.

      • Ben Lovejoy - 11 years ago

        To be fair, that’s no different from today, with signatures, PINs and NFC. Nothing is 100% secure.

      • Piliger Black - 11 years ago

        It still represents a lot more security than present day credit cards and passwords, all of which can easily be bypassed once the card and the PIN are stolen.

      • Udo Heib (@4uHyper) - 11 years ago

        I have been using iPhones for 3 years now. Roughly estimated, I unlock my device 40 times a day.
        To be honest I have no passcode because I hate to enter it before unlocking.
        I will switch from 5 to 5s; for me Touch ID means 100% more security without losing speed and comfort! I often buy music, apps and newspapers. Now I have to enter my Apple ID password. With Touch ID it will take me one click on the home button.
        Let’s all be realistic: what is the scenario for stealing a 5s and getting the data successfully?
        It must be 1 of 1000 people in the world who can produce a functional copy of exactly the fingerprint you use for unlocking. This person must definitely steal your iPhone 😜 and how long will it take until you realize that your phone is gone? If you realize, you can easily use the “Find My iPhone” app to lock it with your Apple ID.
        I will be happy with the 5s when it arrives in January 😥.

      • Andreas Neukoetter - 11 years ago

        It’s not a 30-minute hack. And never will be.

        The drying time of the wood glue in the last step alone is about 6h.
        Not even considering the etching and the paint drying.

        I guess a real pro could do that in 8-10h.

        So the probability is much lower than someone just “guessing” your PIN.
        And security is all about probability.

    • Apple can still incorporate fingertip payments with the current technology. It is still easier to steal someone’s wallet than to hack the fingertip recognition. It is still even easier to skim a debit card than to hack the fingertip recognition.

  2. Se Nguyen - 11 years ago

    I agree with you, Touch ID is good enough for us.

  3. OneOkami (@OneOkami) - 11 years ago

    For everyday consumers, yes, perhaps not a big deal this kind of vulnerability exists. However, if Apple was hoping to use this feature to gain favor with users with security clearance to use this device as an accessory of their clearance, it may indeed be a big deal.

    • Think logically:
      What is easier: hacking a 4-number combo or hacking Touch ID?

      Same with computers:
      If you have physical access to a computer there is no countermeasure to stop a hacker. Ever.

      Touch ID is better than 4 numbers and over 90% of all passwords. You would be amazed how many passwords are trivial, and when companies make them too hard + force you to change them all the time, the password is always on a sticker near the computer.

      • OneOkami (@OneOkami) - 11 years ago

        That has little-to-nothing to do with my point.

      • OneOkami (@OneOkami) - 11 years ago

        This commenting system really needs to restore the ability to edit. I want to elaborate a bit on my previous reply.

        I’m absolutely not arguing against the benefits of biometric authentication. I’m a huge fan of it, actually. My point is that the ability to spoof the biometric authentication in this case diminishes the potential significance of it for those who may use it to secure highly confidential information.

        (I could go on about how this is a personally disappointing shortcoming in context of the ideals of biometric authentication but that could start to go off topic and this isn’t a preferred place to do it)

      • NQZ (@surgesoda) - 11 years ago

        That’s why you don’t use a four number passcode, and you use a complex password. Problem solved. Complex password = more secure than any fingerprint scanner in the world.

    • Sean Silveira (@seancca) - 11 years ago

      Any business worth its weight that would be allowing a device to hold company information will require passcodes as well as have remote wipe set up on the device. You are going to have to have someone stalk you and learn your habits and know how to pull a print. If you work somewhere in which that situation is a reality you probably also have all sorts of other protections as well. It is not like I am going to be able to just roll up on someone’s phone and get their print and know which one is the one they use and figure out which one it is. If you can’t pull a perfect print you are not going to get past it.

      • OneOkami (@OneOkami) - 11 years ago

        My point is simply that these hacks likely diminish the significance of the user’s fingerprint as a means of authentication in certain contexts. I purposefully used the example of someone with security clearance because that may very well mean you ARE privy to information that others may be willing to go to great lengths to obtain.

        Yes, those individuals may have multiple layers of security on such information, I’m not disputing that. My point is this ability to spoof that individual’s biometric may prevent that biometric from having any particular significance over other means of authentication for those individuals.

    • standardpull - 11 years ago

      Apple was looking for a technology that was more convenient than a 4-digit PIN, and just as secure. And they found one.

      Apple knows that any handset that is connectable to the public internet and that can be carried around isn’t ever going to be certified for classified data. Period.

  4. Carter M - 11 years ago

    Takes a lot less time for me to lean over someone’s shoulder as they put in their 4-digit passcode than figuring out how to fake a fingerprint.

  5. First of all, the hack does not take 30 hours as your headline suggests – it took 30 hours to figure out how to beat the sensor.
    You are right that the hack in its current form does take too long and is not that easy to do. However, that is just a matter of optimizing the necessary steps to accomplish the hack.

    The main issue here is the fact that the sensor is not as safe as Apple or the media claimed (I’m not sure whether it was Apple itself who claimed that the sensor cannot be tricked by a simple copy of a fingerprint). It can actually be tricked by a simple replica of the fingerprint.
    It is still a better protection than not having any means of security in place, but overall it is not that magical stuff that makes PIN codes and passwords obsolete.

    • Ben Lovejoy - 11 years ago

      And of course, PINS and passwords aren’t magical security either. Anything can be defeated with enough effort.

      • Touch ID is more than enough for us. Yes. These guys now want better protection than a bank, for God’s sake.

      • NQZ (@surgesoda) - 11 years ago

        Yes Ben but the point of this whole debacle is that a password is *more* secure than a fingerprint scanner….any fingerprint scanner.

      • Ben Lovejoy - 11 years ago

        The right password is, for sure, with care about use in public – but those are big qualifiers …

    • standardpull - 11 years ago

      Absolutely not. The real security flaw here is that most of us keep our data completely unencrypted – on Google’s servers. Google Drive and Gmail are basically pointless unless you use encryption on top of those services – along with strong passwords. Your daddy’s 8-character password will not do the trick.

  6. Trivial? These guys are professionals…
    Besides, if somebody steals your phone, you would have to lend him your finger in the first place so he can replicate your fingerprint and then be able to unlock it.
    C’mon people, what else do you want? A deep scanner for your retina as well?

  7. cacheda - 11 years ago

    Everyone seems to be forgetting an important thing here.
    This guy needed a full fingerprint to replicate, now we all hate our phones when they get smudgy and thus almost all of us have an anti-fingerprint screen protector (I know me and almost all my friends do).
    The screen protectors sold by Apple are very good when it comes to not leaving a trace of your fingerprint on them. Even if there was, it would be partial and non-scannable.

  8. Piliger Black - 11 years ago

    As many of us suspected – this is a piece of utterly hyped-up nonsense!! It is an irrelevant hack for almost ANY user.

    It is patently obvious that the iPhone owner would have more than ample time, from the time the phone was taken or lost, to block any account linked to the Touch ID.

  9. Williams Hernandez - 11 years ago

    If someone swipes your wallet, he/she has free and almost unrestricted access to all your credit cards until you report them. A reader can be inconspicuously attached to an ATM or a Verisign terminal and copy hundreds of credit cards per day.

    And all that separates you from your money being stolen and the thief is a 4 digit PIN or a merchant that thinks you look suspicious and decides to check your signature and ID (which rarely happens, sometimes not even on big ticket purchases).

    For this hack to work, the criminal would need ready access to your device and equipment to replicate the thumbprint. Meaning, you would have to lose your phone and not notice it for a good amount of time.

    Then the criminal would need a good thumbprint to replicate.

    Don’t think that CSI is true. A good print is not that easy to obtain.

    Truth be told, all it takes is a well-motivated criminal to circumvent nearly any security method or lock.

    Said all that, I think the perfect combination would be the iPhone 5s and a bluetooth watch like the Pebble or Casio Gshock bluetooth.

    Something that warns you when you are out of the range of your Bluetooth. This would give you an extra layer of protection to avoid losing your device. Because, ultimately, the key is in not losing the device itself.

  10. NQZ (@surgesoda) - 11 years ago

    “now that the technique is known” — this is the SAME technique MythBusters used years ago, and it’s the same flaw that 99% of fingerprint sensors have in them. This is nothing special; if you didn’t know this was going to happen or if you somehow believe Apple’s sensor has magic pixie dust on it which makes it immune to attacks, you’re an idiot. I love the people who said that the original video was faked and that “Apple’s sensor looks at the second layer of your skin” — LMFAO!

  11. Brandon Pacheco - 11 years ago

    This isn’t even really a “hack” it is still using the actual fingerprint to gain access.

  12. Dean (@deaninvan) - 11 years ago

    They haven’t proven anything yet. Too bad the guys giving the reward didn’t stick to their guns and demand more proof. There’s a reason you should have to post a complete video (not an edited one).

    You need to see a person leaving behind a print (did they just casually grab something or were they very careful to ensure they left a perfect print behind). You need to see them lifting the print. You need to see them making the mold. And you need to see them succeed within the first 5 tries. After 5 attempts the phone switches back to requiring a PIN.

    Notice in the first released videos they “learn” their new finger and then unlock the phone? Why did they have to learn the finger? Is it because they had to try more than 5 times and had to keep relearning the fingerprint because the phone kept reverting back to using a PIN?

    Sorry, until they can show a complete video without editing this means nothing.

  13. frankman91 - 11 years ago

    A refresh of a back story from 2012. Remember when the FBI could not get an Android swipe lock cracked (just a reminder it was android, not starting a platform argument). I would assume that the iPhone is just as hard or harder to get past, but if the FBI had your print, your confiscated phone, and a few hours, they would bust right through that thing. Just something for the seedy among us to think about……

    http://www.wired.com/threatlevel/2012/03/fbi-android-phone-lock/

  14. Paul Threatt - 11 years ago

    It’s certainly a 30 minute attack, and not 30 hours. It’s interesting that the attack was done on a brand new phone with a brand new user profile input. Apple’s marketing indicates that the sensor gets smarter over time, refining the finger print profile. I wonder if Apple’s initial wiggle room on new fingerprint registration has something to do with it. If so, this could be resolved with a software fix if it was warranted.

  15. Lee Palisoc - 11 years ago

    Nobody will do that just to read your private messages or photos.

    • Paul Threatt - 11 years ago

      Unless you’re the NSA or you want to wipe and resell the phone. I’m sure there’s a less expensive way to photo etch the fingerprint mold. It’s also notable that the key to unlock the phone is traveling with the device. This might lead to fingerprint resistant materials being used instead of ultra smooth glass.

      • s92543 - 11 years ago

        No, if you’re the NSA then they already have that information and don’t need to access it. If they want to wipe and resell the device then it’s still a convoluted way of doing things, and while this guy’s fingerprint sample was perfect, I can assure you that by the time the phone has been handled by multiple people between it being taken from the owner and passing into the hands of the person making the fake fingerprint, the quality of the print will be less pristine.

        I don’t know many people that clean their phone display after every time they touch it or before they touch it and under normal use the fingerprint will be far more smudged.

        It’s okay doing something in a ‘controlled’ situation but in real life it is not as easy to get that perfect fingerprint and even their ‘fake print’ made from pristine sample fingerprint didn’t work straight away.

        I think everyone can sleep good at night knowing that their smudged fingerprints will not be easily lifted off their iPhone 5S and used to make a fake print to allow someone to access their device.

  16. s92543 - 11 years ago

    Would I lose sleep over this hack. Errrrm, No!

    I would be far more worried about being held against my will and forced to divulge the information required to get access to the device and allow them to wipe the device and register it under another iTunes Account!

    It would certainly be less messy and more within the reach of the average thug.

  17. Vishal Rewari - 11 years ago

    At the start of the video the hacker was dependent on the source of the fingerprint to get started; this was taken from the phone display itself. One way to counter this hack is to use a different finger to register for Touch ID than the one you normally use for operating the phone. What about the smallest finger? Normally it doesn’t touch the phone that much, as a thumb does.

  18. Matthew J Montoya - 10 years ago

    Just as so many below have mentioned, this propaganda video is so irrelevant. 1- PIN codes are one of the most insecure means of security. For the most part, people use the exact same PIN for most things you must establish a PIN for. Example, last 4 of social, which I use for virtually all my cards and anything else that requires a PIN. 2- Passwords are absolutely not secure. I have about 3 different passwords that I use for virtually everything- and a system for changing the passwords. Always use the same special characters, and increase the number by 1 every time it needs to be changed. The flaw in both of these supposedly secure methods is that they require memory. And since people are almost incapable of relying on memory for passwords that are too complex, patterns to the passwords they create emerge. And when that happens, someone that wants access simply needs to do a little social engineering. Usually finding that password means access to a lot more accounts. 3- In order for a person to get the proper print to create this replica would require either: a perfect unsmudged print (of the finger you designated as the lock finger) or: time to stalk the victim, and lift a perfect print. Both of these scenarios are highly unlikely. 4- Even if the person is somehow able to miraculously make this work in a real-world scenario, all you have to do to prevent access to personal information is engage the Find My iPhone feature that requires activation. You can erase the phone, then engage activation lock, rendering the phone useless to anyone except those that have access to your iCloud account password.

    So, for those that like to look at this argument like the head network engineer of a Fortune 500 company, maybe, by some stretch of the imagination, this hack might play out in the real world (still not likely). But for most of us that want to use Touch ID as a way to secure personal data from sources that may LEGITIMATELY want access to it (girlfriends, buddies, people that find the phone left in a public bathroom), this is BY FAR the most secure phone ever created. PERIOD.

Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
