Skip to main content

Hack test shows Apple improved security and reliability of (still not perfect) Touch ID sensor in iPhone 6

You may recall that the Touch ID sensor was successfully hacked last year, using a technique where fingerprints were lifted from the phone’s casing followed by sophisticated lab techniques used to create artificial copies of the print to activate the sensor.

The bad news is that the sensor in the iPhone 6 is vulnerable to the same methods – the good news is that security researcher Marc Rogers found the iPhone 6 version to be both more secure and more reliable … 

The improved security was revealed when Rogers tried using the same less-than-perfect fingerprint copies on the iPhone 5S and 6.

Slightly “dodgy” fake fingerprints that fooled the iPhone 5S did not fool the iPhone 6. To fool the iPhone 6 you need to make sure your fingerprint clone is clear, correctly proportioned, correctly positioned, and thick enough to prevent your real fingerprint coming through to confuse it.

Rogers said that the Touch ID sensor in the iPhone 6 was more reliable, less likely to reject a genuine fingerprint.

The biggest change to the sensor is that it seems to be much more sensitive, which is made possible by a higher resolution scanning part […] it’s likely this is also aided by the fact that the iPhone 6 appears to scan a much wider area of your fingerprint to improve reliability.

While Rogers suggests that its worrying that the same technique still works as Apple prepares to allow Touch ID to be used for Apple Pay, the fact remains that the attack method requires extended access to the phone, a reasonable amount of equipment and a fair degree of determination. It doesn’t appear a likely route for your average fraudster.

Apple has for the first time opened up use of the Touch ID sensor to third-party developers, and we’ve provided a roundup of some of the apps making use of this.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

  1. PMZanetti - 10 years ago

    In other words, its a non issue, just as it was last year, as there is no practical scenario in which this would ever occur.

    • Agreed. This is what I was saying.

    • Ben Lovejoy - 10 years ago

      Yep, for anyone who isn’t the CEO of a promising startup, this is a highly theoretical risk

    • Udo Heib (@4uHyper) - 10 years ago

      Hi guys. Beside the fact that it is a really obscure and nearly impossible scenario that Touch-ID gets hacked by a stranger, I really doubt the shown hack of last year. I had a 5s (now a 6, really amazing) and once I had problems with my skin at the fingers (dry and flaky). I swear at a certain point I had to make new finger prints because the phone didn’t accept the old ones. At that point I thought, nobody can tell me that you get “in” with a silicon something of a fingerprint taken from somewhere and not from the finger directly.
      I do not know how the hacker managed it, but I think he lie’s and it’s a fake!

      Much fun with our new devices ;o))))

      • Ben Lovejoy - 10 years ago

        It was very clearly demonstrated. It’s an unlikely real-life attack, but it definitely works.

  2. bboysupaman - 10 years ago

    In other words… As long as you don’t have an evil mad scientist for a nemesis… You’re probably fine…

    • RP - 10 years ago

      Agreed.
      As long as it is safer than someone peeking over my shoulder as I type my password, I’m more than happy with touch id

  3. Andrew Messenger - 10 years ago

    “Hacked”

  4. Taste_of_Apple - 10 years ago

    It definitely seems a bit improved compared to the previous generation.

  5. rogifan - 10 years ago

    So this really isn’t a hack its a spoof. A hack would be someone being able to access the secure element without a fingerprint. No one has been able to do that.

    • Tim Jr. - 10 years ago

      Correct.. Normally, providing cred’s is easier than actually breaking the security anyway. Why break a door down when you have a key..

      Trick is, getting the key.. in this case, a finger print, then replicating it.. it would have to be one hell of a focused, covert attack, when most thieves would just hold you up and force you to place your finger on the scanner. LOL

      Far to subtle and involved for any every-day theft.

      • Rogifan (@rogifan) - 10 years ago

        That’s why I hate when the term hack is used. I suppose it’s just semantics. But these exercises are stupid anyway. I have yet to see one done that wasn’t in a highly controlled environment where someone was able to lift a perfect fingerprint. That’s never going to happen in the real world.

  6. degraevesofie - 10 years ago

    Has there been *any* record of TouchID being actually used to maliciously spoof the owner?

  7. b9bot - 10 years ago

    The real news is that this hole story is pretty much FUD. Unless you are some sort of super spy there’s now way you are going to hack the fingerprint sensor period. So for 99.9% of us, there’s absolutely nothing to worry about. For you .1% spy’s I guess you will have to be careful not to let anyone touch your iPhone.

  8. John Smith - 10 years ago

    Lets compare this to real world methods to access stolen mobile phones …

    * Just press the ‘ON’ button – most aren’t locked in any way

    * Before you steal it, look over the owner’s shoulder as they tap in the PIN

    * Wiggle the phone at an angle, look for greasy finger smudges from last time owner unlocked the dot lock

    Compared with these, touch ID is a major step UP in security.

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications