Hackers Defeat iPhone Fingerprint Reader—but Should You Really Worry?

Future Tense
The Citizen's Guide to the Future
Sept. 23 2013 6:10 PM

Hackers Defeat iPhone Fingerprint Reader—but Should You Really Worry?

180235488
New iPhone 5S handsets let people use their fingerprints to unlock the smartphones.

Photo by GLENN CHAPMAN/AFP/Getty Images

The hacker community was awash with simultaneous excitement and horror after Apple announced that its new iPhone 5S would include a fingerprint reader for device unlocking. A group of security researchers on Twitter were so convinced that the sensor was vulnerable, they began offering up piles of cash, bitcoins, and booze to the first person who managed to crack it.

It turns out they were right. Just two days after the device hit store shelves, a member of Germany's legendary Chaos Computer Club who goes by the name Starbug has posted the solution, which involves bypassing the biometric lock using a plastic transparency, a laser printer, and skin-tone latex milk.

Advertisement

In a YouTube video, Starbug shows himself setting the iPhone's lock with his index finger, then unlocking it with a printed transparency attached to his middle finger. The method is a slight modification of one he first published 10 years ago.

"We hope that this finally puts to rest the illusions people have about fingerprint biometrics," said CCC spokesman Frank Rieger. "It is plain stupid to use something that you can´t change and that you leave everywhere every day as a security token."

In a move that might've not happened before the Summer of Snowden, Apple took time during the new iPhone unveiling to reassure that fingerprint data is encrypted and stored locally on the device, and never sent to iCloud. That's somewhat comforting for those worried about the U.S. government's rapidly growing access to biometric data. But the CCC's demonstration shows that, with a bit of preparation, the technology can indeed be spoofed—no severed fingers required.

Of course, there's some legitimate skepticism over just how practical such a “hack” would be. Just because you can take a picture of someone's house keys, or look over their shoulder while they punch in a PIN, doesn't mean we should stop using either of those as access tokens. But fingerprints aren't quite the same: For one, we leave them everywhere. And secondly, unless you're the guy from Gattaca, you're stuck with the same prints you were born with. Ultimately it depends on how easy it is to lift the prints of your target; the CCC is currently trying to demonstrate that in a video, which they say will be posted soon.

Contributors to the #IsTouchIDHackedYet contest, which was started by security researchers Robert Graham and Nick DePetrillo, are now set to pay out nearly $10,000 in cash and bitcoins, as well as a generous helping of alcohol and other prizes, to Raumfahrtagentur, a Berlin hackerspace spin-off of the CCC.* Another $10,000 was also pledged by Arturas Rosenbacher, a venture capitalist. But the offer was mysteriously rescinded at the last minute, with Rosenbacher claiming his assets aren't liquid enough. Rosenbacher had been labeled a hoaxer during past run-ins with the Anonymous and Occupy Wall Street communities, and seems to have used the contest as a PR grab for his firm after representing it in a series of mainstream media interviews.

Before the CCC's announcement, Bruce Schneier had noted that biometric technologies have indeed been spoofed in the past, using the gelatin mixture used to make gummi bears. In Wired, Marcia Hofmann* of the Electronic Frontier Foundation also pointed out that there are legal hacks for biometrics, too: If, for example, the police wanted to force you to unlock your fingerprint-secured phone, they might have less trouble doing so than if you had secured it with a PIN. The former only requires a physical action, while the latter requires you to reveal the contents of your mind, which runs up against Fifth Amendment protections against self-incrimination.

Unfortunately, Apple isn't offering the option to unlock the device using a PIN plus fingerprint authentication, which seems like it would be a much safer option if the company is really set on using biometrics in its products. Although, if you're that determined to use the feature, might as well use your cat.

*Corrections, Sept. 23, 2013: This blog post originally misidentified the group that will be receive the #IsTouchIDHackedYet prizes. It is Raumfahrtagentur, a Berlin hackerspace spin-off of the Chaos Computer Club, not the CCC itself. The post also misspelled the last name of the EFF's Marcia Hofmann.

Future Tense is a partnership of Arizona State University, the New America Foundation, and Slate.

Future Tense is a partnership of SlateNew America, and Arizona State University.

Joshua Kopstein is a cyberculture journalist who studies policy, activism, and the dystopian present.

TODAY IN SLATE

The Slatest

Ben Bradlee Dead at 93

The legendary Washington Post editor presided over the paper’s Watergate coverage.

The Congressional Republican Digging Through Scientists’ Grant Proposals

Renée Zellweger’s New Face Is Too Real

Sleater-Kinney Was Once America’s Best Rock Band

Can it be again?

Whole Foods Is Desperate for Customers to Feel Warm and Fuzzy Again

The XX Factor

I’m 25. I Have $250.03.

My doctors want me to freeze my eggs.

The XX Factor
Oct. 20 2014 6:17 PM I’m 25. I Have $250.03. My doctors want me to freeze my eggs.
Technocracy

Forget Oculus Rift

This $25 cardboard box turns your phone into an incredibly fun virtual reality experience.

George Tiller’s Murderer Threatens Another Abortion Provider, Claims Free Speech

Walmart Is Crushing the Rest of Corporate America in Adopting Solar Power

  News & Politics
The World
Oct. 21 2014 3:13 PM Why Countries Make Human Rights Pledges They Have No Intention of Honoring
  Business
Moneybox
Oct. 21 2014 5:57 PM Soda and Fries Have Lost Their Charm for Both Consumers and Investors
  Life
The Vault
Oct. 21 2014 2:23 PM A Data-Packed Map of American Immigration in 1903
  Double X
The XX Factor
Oct. 21 2014 3:03 PM Renée Zellweger’s New Face Is Too Real
  Slate Plus
Behind the Scenes
Oct. 21 2014 1:02 PM Where Are Slate Plus Members From? This Weird Cartogram Explains. A weird-looking cartogram of Slate Plus memberships by state.
  Arts
Brow Beat
Oct. 21 2014 9:42 PM The All The President’s Men Scene That Perfectly Captured Ben Bradlee’s Genius
  Technology
Technology
Oct. 21 2014 5:38 PM Justified Paranoia Citizenfour offers a look into the mind of Edward Snowden.
  Health & Science
Climate Desk
Oct. 21 2014 11:53 AM Taking Research for Granted Texas Republican Lamar Smith continues his crusade against independence in science.
  Sports
Sports Nut
Oct. 20 2014 5:09 PM Keepaway, on Three. Ready—Break! On his record-breaking touchdown pass, Peyton Manning couldn’t even leave the celebration to chance.