Hackers Defeat iPhone Fingerprint Reader—but Should You Really Worry?

The Citizen's Guide to the Future
Sept. 23 2013 6:10 PM

New iPhone 5S handsets let people use their fingerprints to unlock the smartphones.

The hacker community was awash with simultaneous excitement and horror after Apple announced that its new iPhone 5S would include a fingerprint reader for device unlocking. A group of security researchers on Twitter were so convinced that the sensor was vulnerable, they began offering up piles of cash, bitcoins, and booze to the first person who managed to crack it.

It turns out they were right. Just two days after the device hit store shelves, a member of Germany's legendary Chaos Computer Club who goes by the name Starbug has posted the solution, which involves bypassing the biometric lock using a plastic transparency, a laser printer, and skin-tone latex milk.


In a YouTube video, Starbug shows himself setting the iPhone's lock with his index finger, then unlocking it with a printed transparency attached to his middle finger. The method is a slight modification of one he first published 10 years ago.

"We hope that this finally puts to rest the illusions people have about fingerprint biometrics," said CCC spokesman Frank Rieger. "It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token."

In a move that might not have happened before the Summer of Snowden, Apple took time during the new iPhone unveiling to reassure users that fingerprint data is encrypted and stored locally on the device, and never sent to iCloud. That's somewhat comforting for those worried about the U.S. government's rapidly growing access to biometric data. But the CCC's demonstration shows that, with a bit of preparation, the technology can indeed be spoofed—no severed fingers required.

Of course, there's some legitimate skepticism over just how practical such a “hack” would be. Just because you can take a picture of someone's house keys, or look over their shoulder while they punch in a PIN, doesn't mean we should stop using either of those as access tokens. But fingerprints aren't quite the same: For one, we leave them everywhere. And secondly, unless you're the guy from Gattaca, you're stuck with the same prints you were born with. Ultimately it depends on how easy it is to lift the prints of your target; the CCC is currently trying to demonstrate that in a video, which they say will be posted soon.

Contributors to the #IsTouchIDHackedYet contest, which was started by security researchers Robert Graham and Nick DePetrillo, are now set to pay out nearly $10,000 in cash and bitcoins, as well as a generous helping of alcohol and other prizes, to Raumfahrtagentur, a Berlin hackerspace spin-off of the CCC.* Another $10,000 was also pledged by Arturas Rosenbacher, a venture capitalist. But the offer was mysteriously rescinded at the last minute, with Rosenbacher claiming his assets aren't liquid enough. Rosenbacher had been labeled a hoaxer during past run-ins with the Anonymous and Occupy Wall Street communities, and seems to have used the contest as a PR grab for his firm after representing it in a series of mainstream media interviews.

Before the CCC's announcement, Bruce Schneier had noted that biometric technologies have indeed been spoofed in the past, using the gelatin mixture used to make gummi bears. In Wired, Marcia Hofmann* of the Electronic Frontier Foundation also pointed out that there are legal hacks for biometrics, too: If, for example, the police wanted to force you to unlock your fingerprint-secured phone, they might have less trouble doing so than if you had secured it with a PIN. The former only requires a physical action, while the latter requires you to reveal the contents of your mind, which runs up against Fifth Amendment protections against self-incrimination.

Unfortunately, Apple isn't offering the option to unlock the device using a PIN plus fingerprint authentication, which seems like it would be a much safer option if the company is really set on using biometrics in its products. Although, if you're that determined to use the feature, might as well use your cat.

*Corrections, Sept. 23, 2013: This blog post originally misidentified the group that will receive the #IsTouchIDHackedYet prizes. It is Raumfahrtagentur, a Berlin hackerspace spin-off of the Chaos Computer Club, not the CCC itself. The post also misspelled the last name of the EFF's Marcia Hofmann.

Future Tense is a partnership of Arizona State University, the New America Foundation, and Slate.
