
Apple ignores Touch ID security flaw

on 24 September 2014



A year to fix, has not tried

A year after being shown a glaring security flaw in its Touch ID, Apple has yet to correct it in its iPhone OS. Last year, when the iPhone 5S was released, Marc Rogers showed how you could hack its fancy new TouchID fingerprint sensor. 

For some reason he just bought an iPhone 6 and discovered that Apple had not taken any steps to fix the problem. Writing in his blog, he admitted that he had little expectation that the TouchID sensor would be completely secure, but had hoped at least that there would have been some improvements.

He created some fake fingerprints using the same technique that he used to hack TouchID on the 5S. Once the fingerprints were ready, he tested them against both devices. Rogers said there had been little in the way of measurable improvement in the sensor between these two devices. Fake fingerprints created using his previous technique were able to readily fool both devices.

What he found weird was that there were no additional settings to help users tighten security, such as the ability to set a timeout for TouchID after which a passcode must be entered.

“The biggest change to the sensor is that it seems to be much more sensitive, which is made possible by a higher resolution scanning part,” he said.

This meant that he got far fewer “false negatives” with the iPhone 6. It’s likely this is also aided by the fact that the iPhone 6 appears to scan a much wider area of your fingerprint to improve reliability.

To fool the iPhone 6 you need to make sure your fingerprint clone is clear, correctly proportioned, correctly positioned, and thick enough to prevent your real fingerprint coming through to confuse it. None of these are challenging details for a researcher in the lab, but a thief might have a little more difficulty lifting your fingerprint from the phone’s glossy surface and unlocking the device.

“I can’t help but be a little disappointed that Apple didn’t take this chance to really tighten up the security of TouchID. Especially when you consider their clear intention to widen its usage beyond simply unlocking your phone into the realm of payments,” Rogers said.
