• Sun
  • Nov 23, 2014
  • Updated: 12:40pm
Apple
BusinessCompanies

We’ve cracked Apple’s fingerprint scanner: German hackers

PUBLISHED : Monday, 23 September, 2013, 12:37pm
UPDATED : Tuesday, 24 September, 2013, 12:56pm

A group of German hackers claimed to have cracked the iPhone fingerprint scanner just two days after Apple launched the technology that it promises will better protect devices from criminals and snoopers seeking access.

If the claim is verified, it will be embarrassing for Apple which is betting on the scanner to set its smartphone apart from new models of Samsung Electronics and others running the Android operating system of Google.

Two prominent iPhone security experts told Reuters that they believed the German group, known as the Chaos Computing Club, or CCC, had succeeded in defeating Apple’s Touch ID, though they had not personally replicated the work.

One of them, Charlie Miller, co-author of the iOS Hacker’s Handbook, described the work as “a complete break” of Touch ID security. “It certainly opens up a new possibility for attackers.”

Apple representatives did not respond to requests for comment.

CCC, one the world’s largest and most respected hacking groups, posted a video on its website that appeared to show somebody accessing an iPhone 5S with a fabricated print. The site described how members of its biometrics team had cracked the new fingerprint reader, one of the few major high-tech features added to the latest version of the iPhone.

Video: CCC explains how to hack iPhone 5S

The group said they targeted Touch ID to knock down reports about its “marvels,” which suggested it would be difficult to crack.

“Fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints,” a hacker named Starbug was quoted as saying on the CCC’s site.

The group said it defeated Touch ID by photographing the fingerprint of an iPhone’s user, then printing it on to a transparent sheet, which it used to create a mold for a “fake finger.”

CCC said similar processes have been used to crack “the vast majority” of fingerprint sensors on the market.

“I think it’s legit,” said Dino Dai Zovi,” another co-author of the iOS Hacker’s Handbook. “The CCC doesn’t fool around or over-hype, especially when they are trying to make a political point.”

Touch ID, which was only introduced on the top-of-the-line iPhone 5S, lets users unlock their devices or make purchases on iTunes by simply pressing their finger on the home button. It uses a sapphire crystal sensor embedded in the button.

Data used for verification is encrypted and stored in a secure enclave of the phone’s A7 processor chip.

Two security experts who sponsored an impromptu competition offering cash and other prizes to the first hackers who cracked the iPhone said they had reviewed the information posted on the CCC website, but wanted more documentation.

“We are simply awaiting a full video documentation and walk through of the process that they have claimed,” said mobile security researcher Nick DePetrillo, who started the contest with another security expert, Robert Graham. “When they deliver that video we will review it.”

The two of them each put up US$100 toward a prize for the contest winner, then set up a website inviting others to contribute. While the booty now includes more than US$13,000 in cash, it was not clear that the CCC would receive the full payout, even if DePetrillo and Graham declared them winners.

A micro venture capital firm known as I/O Capital, which had offered to pay US$10,000 of the prize money, issued a press release late on Sunday saying that it would make its own determination about who won the contest.

Reuters

Share

For unlimited access to:

SCMP.com SCMP Tablet Edition SCMP Mobile Edition 10-year news archive
 
 

 

2

This article is now closed to comments

superdx
Dusting for fingerprints isn't how this hack works, and in fact probably doesn't.
You need a high resolution photo (5MP) of the finger, a plastic mold and some glue. All easily available but if someone is going through all that effort for your phone, I think you have bigger issues at hand (literally).
Most importantly, that you are willing to sit still while someone takes a 5MP picture of your finger is the part which is not very likely?
Greenwash
I think when people lose their iPhone in a taxi or get it pick-pocketed at an airport, they are not concerned that their missing phone will be dusted for fingerprints to get access to it. For most people, the fingerprint scanner will be sufficient security. The question is: Will this security feature discourage thieves? Lastly, when I have lost phones in the past, I have found them by calling my mobile number. I have been lucky that honest people have picked up my phone where I have left it, answered my call, and I have arranged to meet them to get it back. If it is locked with the fingerprint scanner, can the phone be answered?
 
 
 
 
 

Login

SCMP.com Account

or