The German hacker who successfully defeated Touch ID using a fingerprint lifted from the back of an iPhone has posted a video showing exactly how it was done.
While the hacker – who goes by the nickname Starbug – described the attack as “very straightforward and trivial,” he revealed in an email interview with Ars Technica that it required 30 hours of work using a scanner, a high-resolution laser printer and a printed circuit board etching kit.
“It took me nearly 30 hours from unpacking the iPhone to a [bypass] that worked reliably. With better preparation it would have taken approximately half an hour. I spent significantly more time trying to find out information on the technical specification of the sensor than I actually spent bypassing it.
“I was very disappointed, as I hoped to hack on it for a week or two. There was no challenge at all; the attack was very straightforward and trivial.”
Should 5s owners worry that, now that the technique is known, it could be replicated in 30 minutes? The answer is ‘it depends, but probably not’ …
First, this isn’t something your friends can do as a bar prank, to switch your iPhone’s language to Arabic or something. Unlike a PIN, which your friends might well be able to spot if they’ve seen you unlock your phone often enough, this requires taking the phone away and working on it for some time.
Second, you needn’t worry about this as a technique thieves might use to steal and sell your iPhone. While Starbug may consider this a trivial hack, and the equipment needed isn’t esoteric, it’s well beyond the capabilities of your everyday iPhone thief. Remember too that even your fingerprint isn’t enough to reset and sell your phone: Activation Lock means that the thief would need your Apple ID password too.
This is something that requires a considerable amount of time, effort, skill and equipment. The question then becomes: is the data on your phone worth that effort? If you’re the CEO of a Silicon Valley startup, maybe. If you’re the average guy on the street, no.
The point of any security system isn’t to be unbreakable – there’s no such thing – but to be fit for purpose. That means sufficiently easy to use that people will actually use it every time, and sufficiently tough to crack that it will deter all but the most determined. Hack or no hack, Touch ID still meets that requirement.