iphone users' fingerprints can be copied and used to crack Apple's TouchID security system. Photo:
The group, known as the Chaos Computer Club (CCC), demonstrated that a
fingerprint of the phone user, photographed from a glass surface, was enough
to create a fake finger that could unlock an iPhone 5s secured with TouchID.
The print was first photographed with 2400 dots per inch (dpi) resolution. The
resulting image was then cleaned up, inverted and laser printed with 1200
dpi onto a transparent sheet with a thick toner setting. Finally, pink latex
milk or white woodglue was smeared into the pattern created by the toner on
the transparent sheet.
After it had set, the thin latex print was lifted from the sheet, breathed on
to make it a tiny bit moist and then placed onto the sensor to unlock the
phone. This process has been used with minor refinements and variations
against the vast majority of fingerprint sensors on the market, according to
the CCC.
The CCC said in a blog
post that although Apple claims its fingerprint sensor is much more
secure than previous fingerprint technologies, it simply has a higher
resolution than previous sensors, so all the CCC needed to do was increase
the resolution of its fake.
"We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can´t change and that you leave everywhere every day as a security token", said Frank Rieger, spokesperson for the CCC.
"The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access."
Commenting on the news, security expert Graham Cluley reiterated the CCC's claims that fingerprints are not secrets, and can easily be picked up and copied by others.
"Relying on your fingerprints to secure a device may be okay for casual security – but you shouldn’t depend upon it if you have sensitive data you wish to protect," he said.
Apple did not respond to a request for comment on the hack.
This is the third security flaw discovered since the phone and its iOS 7 software were released last week. First, Jose Rodriguez, a 36-year-old soldier living in Spain’s Canary Islands found a security vulnerability in iOS 7 that allows anyone to bypass its lockscreen in seconds to access photos, email, Twitter and more.
Then Karam Daoud, a 27-year old Palestinian living in the West Bank city of Ramallah, demonstrated that he was able to make a call to any number from a locked iPhone running iOS 7 by exploiting a vulnerability in its emergency calling function. Both vulnerabilities were first reported by Forbes.
Notably, no one has yet managed to extract a fingerprint rendering from the iPhone itself, where Apple says it is held on a secure chip. The CCC's method relies on capturing a high-quality fingerprint elsewhere, and having access to the phone.
Speaking to BusinessWeek just after the iPhone 5S was unveiled, Craig Federighi, Apple's head of software, said that Apple's focus had been on making sure that fingerprints could not be extracted from the phone.
"No matter if you took ownership of the whole device and ran whatever code you wanted on the main processor, [you] could not get that fingerprint out of there. Literally, the physical lines of communication in and out of the chip would not permit that ever to escape," he said.
"We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can´t change and that you leave everywhere every day as a security token", said Frank Rieger, spokesperson for the CCC.
"The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access."
Commenting on the news, security expert Graham Cluley reiterated the CCC's claims that fingerprints are not secrets, and can easily be picked up and copied by others.
"Relying on your fingerprints to secure a device may be okay for casual security – but you shouldn’t depend upon it if you have sensitive data you wish to protect," he said.
Apple did not respond to a request for comment on the hack.
This is the third security flaw discovered since the phone and its iOS 7 software were released last week. First, Jose Rodriguez, a 36-year-old soldier living in Spain’s Canary Islands found a security vulnerability in iOS 7 that allows anyone to bypass its lockscreen in seconds to access photos, email, Twitter and more.
Then Karam Daoud, a 27-year old Palestinian living in the West Bank city of Ramallah, demonstrated that he was able to make a call to any number from a locked iPhone running iOS 7 by exploiting a vulnerability in its emergency calling function. Both vulnerabilities were first reported by Forbes.
Notably, no one has yet managed to extract a fingerprint rendering from the iPhone itself, where Apple says it is held on a secure chip. The CCC's method relies on capturing a high-quality fingerprint elsewhere, and having access to the phone.
Speaking to BusinessWeek just after the iPhone 5S was unveiled, Craig Federighi, Apple's head of software, said that Apple's focus had been on making sure that fingerprints could not be extracted from the phone.
"No matter if you took ownership of the whole device and ran whatever code you wanted on the main processor, [you] could not get that fingerprint out of there. Literally, the physical lines of communication in and out of the chip would not permit that ever to escape," he said.
No comments:
Post a Comment