iPhone Fingerprint ID Uselessly Hacked

September 23rd, 2013

A German site is claiming they have successfully defeated Apple’s Touch ID technology with “materials that can be found in almost every household.” OK, let’s see what they require:

  • A clean original print of the finger used to set the Touch ID
  • Colored powder or superglue
  • Ability to photograph the print cleanly “with 2400 dpi resolution”
  • “A bit of graphical refurbishment”
  • A laser printer
  • A transparency slide
  • Wood glue
  • Glycerine

I think we have superglue in the house, and I have a high-quality digital camera and the graphics software. None of the other stuff, though. I’d have to go buy a laser printer and the transparencies. Other trouble with the list lies in the vagueness. For example, how much is “a bit” of cleaning up the image in a graphics app? From the photo they showed, it looked like a semi-tough job to me, balancing the contrast and then repairing the ridge detail just so. Most people I know couldn’t do that. And they say that you “may” use “glycerene” (I presume they mean glycerine), but did not say that they were successful without its use. Nor did they detail how many attempts were necessary with perfect conditions before they were successful.

But let’s see how this process might work in real life.

The trouble begins right there at the top of the list: a clean print of the correct finger. They assume this will be easy to get, from a glass bottle or doorknob. Getting such a print is not quite as easy as they suggest. Have you ever tried to get a glass or bottle that a stranger used? It’s not as if they are simply lying around everywhere. Unless you live or work with the person, you would have to go to quite a bit of trouble to acquire that. And a doorknob? If you happen to find one the person used, like on a hotel room door, would you really have the time and privacy to use the powder, glue, and photography equipment in order to lift the print?

You could try to use the phone itself, but that’s not entirely easy either. The phone will have to have a full, clean print of the correct finger. Take a look at your phone: you may see some prints, but look carefully, and ask if any of those prints are complete and clear enough (not partial or smudged) to lift a usable print. I checked my iPhone and my wife’s at a random time: neither had anything close to a usable print. My iPad had a lot more prints on it, but all of them were smudged and not complete.

So, if someone is lucky enough to steal your iPhone or find it when lost, what is the likelihood that they will also be able to get your prints? While it may be possible that you leave your iPhone at a bar along with a glass or bottle bearing a clean print of the finger you used, and that the thief can pick both up and leave without anyone noticing or objecting, the chances are not exactly high. Realistically, the thief would have to follow you around for days to find the opportunity to get your phone and the print, and probably would have to take significant risks in doing so.

Next is the process of getting an image of the print. It is described as being a simple process. If you think it is, then I suggest you try it. Maybe under good lab conditions with a great print specimen with an experienced person doing it—but most people, I am fairly sure, would not have an easy time of it at all without a great deal of practice beforehand. So, again, you need someone really dedicated to the endeavor.

I am further puzzled by the incorrect terminology, as they describe a “2400 dpi” photograph. DPI is a printing measure, not a photography measure. Perhaps they mean 2400 pixels per inch of fingerprint area? It would be more clear if they could express the required detail of the fingerprint in pixel resolution.

Finally, aside from not revealing how many tries were necessary under perfect conditions to get the usable fake print, they introduced a further vagueness: the video shows the same person who established the fingerprint on the iPhone also using the fake print to unlock the phone. Apple’s technology claims to look beneath the outer layer of skin; I am not sure if it would be harder for a different person to also successfully use the fake print, but their video example raises that exact question.

So, let’s review what is actually needed:

  • The ability to steal the phone (not easy in the first place);
  • The ability to acquire a clean fingerprint of the correct finger;
  • The skill to successfully process and photograph the print;
  • The skill to use graphics software to clean up the print;
  • An unclear number of attempts to create a usable fake print;
  • Presumably the ability of a person other than the original user to successfully apply the print;
  • All the materials listed in the first list above.

You begin to get an idea of how the chances for all of this to be applied in a real-life situation are vanishingly slim. Right off the bat, most people who steal a phone have no ability to also obtain a fingerprint, and few thieves have the forensic skills to actually accomplish this process. As stated above, the thief would have to spend a great deal of time and effort, specifically targeting you, just to have a chance at being successful.

And they would have to accomplish this quickly enough so that the phone’s owner does not have the time to notice their phone is missing and wipe the data from it.

Does Apple oversell the technology? Absolutely. If you are a corporate executive or government official with top-secret information which you happen to store on your phone, should you rely completely on Apple’s technology? Of course not, you would be stupid to do that.

But if you are just a normal person trying to keep your personal information safe, then frankly, this is more than secure enough for you. Anyone dedicated enough to accomplish the described hack would probably have an easier time just figuring out your online account passwords.

  1. Troy
    September 23rd, 2013 at 15:49 | #1

    yeah, this is just technology to access the phone.

    if I had a choice I wouldn’t even have a lock screen. Sheez. I’m not like a 00 agent or anything.
