The German hacker who successfully defeated Touch ID using a fingerprint lifted from the back of an iPhone has posted a video showing exactly how it was done.

While the hacker – who goes by the nickname Starbug – described the attack as “very straightforward and trivial,” he revealed in an email interview with arsTechnica that it required 30 hours of work using a scanner, high-res laserprinter and a printed circuit board etching kit.

It took me nearly 30 hours from unpacking the iPhone to a [bypass] that worked reliably. With better preparation it would have taken approximately half an hour. I spent significantly more time trying to find out information on the technical specification of the sensor than I actually spent bypassing it.

I was very disappointed, as I hoped to hack on it for a week or two. There was no challenge at all; the attack was very straightforward and trivial.

Should 5s owners worry that, now that the technique is known, it could be replicated in 30 mins? The answer is ‘it depends, but probably not’ … 

First, this isn’t something your friends can do as a bar prank, to switch your iPhone’s language to Arabic or something. Unlike a PIN, which your friends might well be able to spot if they’ve seen you unlock your phone often enough, this requires taking the phone away and working on it for some time.

Second, you needn’t worry about this as a technique thieves might use to steal and sell your iPhone. While Starbug may consider this a trivial hack, and the equipment needed isn’t esoteric, it’s well beyond the capabilities of your everyday iPhone thief. Remember too that even your fingerprint isn’t enough to reset and sell your phone: Activation Lock means that the thief would need your Apple ID password too.

This is something that requires a considerable amount of time, effort, skill and equipment. The question then becomes: is the data on your phone worth that effort? If you’re the CEO of a Silicon Valley startup, maybe. If you’re the average guy on the street, no.

The point of any security system isn’t to be unbreakable – there’s no such thing – but to be fit for purpose. That means sufficiently easy to use that people will actually use it every time, and sufficiently tough to crack that it will deter all but the most determined. Hack or no hack, Touch ID still meets that requirement.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

40 Responses to “Video reveals how the Touch ID hack was performed – ‘trivial’ attack that took 30 hours”

  1. Will Dmaic says:

    It took 30 hours the first time, once mastered, sure they will be able to do it in much less.

    If Apple want to incorporate fingertip payments to the iPhone, looks like they will have to go back to the design board and then explain everybody what have they done to prevent this fake fingertip hacking and why the subepidermal detection is not working properly.

    Otherwise no payment is going to be done, whether or not they claim it is safe in 99,9% of cases. People don’t trust systems they see so easily hacked, let alone the fact that biometry already has a bad reputation in people’s mind.


    • Ben Lovejoy says:

      It’s still a 30-minute hack. Nobody is going to do that trivially.


      • Jeff Kibuule says:

        The problem isn’t that it will take 30-minutes to do, but no credit-card company can ever trust it as authentication because of plausible deniability from a customer that someone did this (and honestly, what happens when it’s 5 minutes to do via an automated program and 3D printer you print at Staples?)

        If the fringed print reader is only ever to unlock your phone and iTunes purchases, that’s the most boring thing ever.


      • Ben Lovejoy says:

        To be fair, that’s no different from today, with signatures, PINs and NFC. Nothing is 100% secure.


      • It still represents a lot more security than present day credit cards and passwords, all of which can easily be bypassed once the card and the PIN are stolen.


      • I use iPhones since 3 years now. Roughly estimated I unlock my device 40 times a day?
        To be honest I have no passcode because I hate to enter it before unlocking.
        I will switch from 5 to 5s, for me the Touch ID means 100% more security by don’t loosing speed and comfort! I often buy music, Apps and newspapers. Now I have to enter my Apple ID password. With Touch ID it will take me one click on the home button.
        Lets all be realistic: how is the scenario for stealing an 5s and get the data successfully?
        It must be 1 of 1000 people in the world who can produce a functional copy of exactly the fingerprint you use for unlocking. This person must definitely steal your iPhone 😜 and how long it will take until you realize that your phone is gone? If you realize, you can easily use “find my iPhone” app to lock it with your Apple ID.
        I will be happy with the 5s when it arrives in January 😥.


      • It’s not a 30-Minute-Hack. And never will be.

        The drying time of the wood glue in the last step alone is about 6h.
        Not even considering the etching and the paint drying.

        I guess a real pro could do that in 8-10h.

        So the probability is much lower than someone just “guessing” you pin.
        And security is all about probability.


    • Apple can still incorporate fingertip payments with the current technology. It is still easier to steal someone’s wallet than to hack the fingertip recognition. It is still even easier to skim a debit card than to hack the fingertip recognition.


  2. Se Nguyen says:

    i agree with you, touch ID is good enough for us


  3. For everyday consumers, yes, perhaps not a big deal this kind of vulnerability exists. However, if Apple was hoping to use this feature to gain favor with users with security clearance to use this device as an accessory of their clearance, it may indeed be a big deal.


    • Think logical:
      What is more easy. Hack a 4 number combo or hacking Touch ID?

      Same with computers:
      If you have physical access to a computer there is no counter measure to stop a hacker. Ever.

      Touch ID is better then 4 numbers and over 90% of all passwords. You would be amazed how many passwords that are trivial and when companies make them to hard + force you to change it all the time: the password is always on a sticker near the computer.


      • That has little-to-nothing to do with my point.


      • This is commenting system really needs to restore the ability to edit. I want to elaborate a bit on my previous reply.

        I’m not absolutely not arguing against the benefits of biometric authentication. I’m a huge fan of it, actually. My point is the ability to spoof the biometric authentication is in the case diminishes the potential significance of it for those who may use it to secure highly confidential information.

        (I could go on about how this is a personally disappointing shortcoming in context of the ideals of biometric authentication but that could start to go off topic and this isn’t a preferred place to do it)


      • That’s why you don’t use a four number passcode, and you use a complex password. Problem solved. Complex password = more secure than any fingerprint scanner in the world.


    • Any business worth its weight that would be allowing a device to hold company information will require pass-codes as well as have remote wipe setup on the device. You are going to have to have someone stalk you and learn you habits and know how to pull a print. If you work somewhere in which that situation is a reality you probably also have all sorts of other protections as well. It is not like I am going to be able to just roll up on someones phone and get their print and know which one is the one they use and figure out which one it is. If you can’t pull a perfect print you are not going to get past it.


      • My point is simply that these hacks likely diminish the significance of the user’s fingerprint as a means of authentication in certain contexts. I purposefully used the example of someone with security clearance because that may very well mean you ARE privy to information that others may be willing to go to great lengths to obtain.

        Yes, those individuals may have multiple layers of security on such information, I’m not disputing that. My point is this ability to spoof that individual’s biometric may prevent that biometric from having any particular significance over other means of authentication for those individuals.


    • standardpull says:

      Apple was looking for a technology that was more convenient than a 4-digit PIN, and just as secure. And they found one.

      Apple knows that any handset that is connectable to the public internet and that can be carried around isn’t ever going to be certified for classified data. Period.


  4. Carter M says:

    Takes a lot less time for me to lean over someones shoulder as they put in their 4 digit passcode than figuring out how to fake a fingerprint.


  5. First of all, the hack does not take 30 hours as your headline suggests – it took 30 hours to figure out how to beat the sensor.
    You are right that the hack in its current form does take too long and is not that easy to do. However, that is just a matter of optimizing the necessary steps to accomplish the hack.

    The main issue here is the fact that the sensor is not as safe as Apple or the media claimed (I’m not sure whether it was Apple itself who claimed that the sensor cannot be tricked by a simple copy of a fingerprint). It can actually be tricked by a simple replica of the fingerprint.
    It is still a better protection than not having any means of security in place, but overall it is not that magical stuff that makes pin codes and passwords obsolete.


  6. Trivial? These guys are professionals…
    Besides, if somebody steals your phone, you would have to lend him your finger in the first place so he can replicate your fingerprint and then be able to unlock it.
    C’mon people, what else do u want? A deep scanner for your retina as well?


  7. cacheda says:

    Everyone seems to be forgetting an important thing here.
    This guy needed a full fingerprint to replicate, now we all hate our phones when they get smudgy and thus almost all of us have an anti-fingerprint screen protector (I know me and almost all my friends do).
    The screen protectors sold by Apple are very good when it comes to not leaving a trace of your fingerprint on them. Even if there was, it would be partial and non-scannable.


  8. As many of us suspected – this is a piece of utterly hyped up nonsense !! It is an irrelevant hack for the almost ANY user.

    It is patently obvious that the iPhone owner would have more than ample time, from the time the phone was taken or lost, to block any account linked to the Touch ID.


  9. If someone swipes your wallet, he/she has free and almost unrestricted access to all your credit cards until you report them. A reader can be inconspicuously attached to an ATM or a Verisign terminal and copy hundreds of credit cards per day.

    And all that separates you from your money being stolen and the thief is a 4 digit PIN or a merchant that thinks you look suspicious and decides to check your signature and ID (which rarely happens, sometimes not even on big ticket purchases).

    For this hack to work, the criminal would need readily access to your device and equipment to replicate the thumbprint. Meaning, you would have to loose your phone and not notice it for a good amount of time.

    Then the criminal would need a good thumbprint to replicate.

    Don’t think that CSI is true. A good print is not that easy to obtain.

    Truth to be told, all it takes is a good motivated criminal to circumvent nearly any security method or lock.

    Said all that, I think the perfect combination would be the iPhone 5s and a bluetooth watch like the Pebble or Casio Gshock bluetooth.

    Something that warns you when you are out of the range of your bluetooth. This would give you an extra layer of protection to avoid loosing your device. Because, ultimately the key is in not loosing the device itself.


  10. “now that the technique is known” — this is the SAME technique mythbusters used years ago, and it’s the same flaw that 99% of fingerprint sensors have in them. This is nothing special, if you didn’t know this was going to happen or if you somehow believe Apple’s sensor has magic pixie dust on it which makes it immune to attacks, you’re an idiot. I love the people who are said that the original video was faked and that “Apple’s sensor looks at the second layer of your skin” — LMFAO!


  11. This isn’t even really a “hack” it is still using the actual fingerprint to gain access.


  12. They haven’t proven anything yet. Too bad the guys giving the reward didn’t stick to their guns and demand more proof. There’s a reason you should have to post a complete video (not an edited one).

    You need to see a person leaving behind a print (did they just casually grab something or were they very careful to ensure they left a perfect print behind). You need to see them lifting the print. You need to see them making the mold. And you need to see them succeed within the first 5 tries. After 5 attempts the phone switches back to requiring a PIN.

    Notice in the first released videos they “learn” their new finger and then unlock the phone? Why did they have to learn the finger? Is it because they had to try more than 5 times and had to keep relearning the fingerprint because the phone kept reverting back to using a PIN?

    Sorry, until they can show a complete video without editing this means nothing.


  13. frankman91 says:

    A refresh of a back story from 2012. Remember when the FBI could not get an Android swipe lock cracked (just a reminder it was android, not starting a platform argument). I would assume that the iPhone is just as hard or harder to get past, but if the FBI had your print, your confiscated phone, and a few hours, they would bust right through that thing. Just something for the seedy among us to think about……


  14. Paul Threatt says:

    It’s certainly a 30 minute attack, and not 30 hours. It’s interesting that the attack was done on a brand new phone with a brand new user profile input. Apple’s marketing indicates that the sensor gets smarter over time, refining the finger print profile. I wonder if Apple’s initial wiggle room on new fingerprint registration has something to do with it. If so, this could be resolved with a software fix if it was warranted.


  15. Lee Palisoc says:

    Nobody will do that just to read your private messages or photos.


    • Paul Threatt says:

      Unless you’re the NSA or you want to wipe and resell the phone. I’m sure there’s a less expensive way to photo etch the fingerprint mold. It’s also notable that the key to unlock the phone is traveling with the device. This might lead to fingerprint resistant materials being used instead of ultra smooth glass.


      • s92543 says:

        No if you’re the NSA then they already have that information and don’t need to access it. If they want to wipe and resell the device then it’s still a convoluted way of doing things and while this guy’s fingerprint sample was perfect! I can assure that by the time the phone has been handled by multiple people between it being taken from the owner and passing into the hands of the person making the fake fingerprint that the quality of the print will be less pristine.

        I don’t know many people that clean their phone display after every time they touch it or before they touch it and under normal use the fingerprint will be far more smudged.

        It’s okay doing something in a ‘controlled’ situation but in real life it is not as easy to get that perfect fingerprint and even their ‘fake print’ made from pristine sample fingerprint didn’t work straight away.

        I think everyone can sleep good at night knowing that their smudged fingerprints will not be easily lifted off their iPhone 5S and used to make a fake print to allow someone to access their device.


  16. s92543 says:

    Would I lose sleep over this hack. Errrrm, No!

    I would be far more worried about being held against my will and forced to divulge the information required to get access to the device and allow them to wipe the device and register it under another iTunes Account!

    It would certainly be less messy and more within the reach of the average thug.


  17. At the start of the video the hacker was dependent on the source of fingerprint to get started, this was taken from the phone display itself, one way to counterattack this hack is to use a different finger to register for the Touch ID than to one you normally use for operating the phone. What about the last smallest finger, normally it does`t touch the phone that much, as a thumb does.


  18. Just as so many below have mentioned, this propaganda video is so irrelevant. 1- PIN codes are one of the most insecure means of security. For the most part, people use the exact same PIN for most things you must establish a PIN for. Example, last 4 of social, which I use for virtually all my cards and anything else that requires a PIN. 2- Passwords are absolutely not secure. I have about 3 different passwords that I use for virtually everything- and a system for changing the passwords. Always use the same special characters, and increase the number by 1 every time it needs to be changed. The flaw in both of these supposedly secure methods is that it requires memory. And since people are almost incapable of relying on memory for passwords that are too complex, patterns to the passwords they create emerge. And when that happens, someone that wants access simply needs to do a little social engineering. Usually finding that password means access to a lot more accounts. 3- In order for a person to get the proper print to create this replica, would require either: a perfect unsmudged print (of the finger you designated as the lock finger) or: time to stalk the victim, and lift a perfect print. Both of these scenarios are highly unlikely. 4- Even if the person is somehow able to miraculously make this work in a real world scenario, all you have to do to prevent access to personal information is engaged the Find My iPhone feature that requires activation. You can erase the phone, then engage activation lock, rendering the phone useless to anyone except those that have access to your iCloud account password.

    So, for those that like to look at this argument like the head network engineer of a fortune 500 company, maybe, by some stretch of the imagination, this hack might play out in the real world (still not likely). But for most of use that want to use Touch ID as a way to secure personal data from sources that may LEGITIMATELY want access to it (girlfriends, buddies, people that find the phone left in a public bathroom), this is BY FAR the most secure phone ever created. PERIOD.