Fake Fingerprint Can Bypass iPhone 6 Touch ID Security Already

Fake Fingerprint Can Bypass iPhone 6 Touch ID Security Already

by Pete Daniel on 30 September 2014 · 6393 views

Despite launching the new flagship iPhone 6 and iPhone 6 Plus, the Touch ID fingerprint scanning process is still vulnerable to considerable security issues even after it was highlighted as a risk previously.

1 full Fake Fingerprint Can Bypass iPhone 6 Touch ID Security Already

The same iPhone 5S vulnerability where a fingerprint could be surreptitiously acquired and used to unlock the mobile device can also be used on the version of the Touch ID fingerprint scanner that is included with the latest iPhone 6 and iPhone 6 Plus. Worse still, the Touch ID fingerprint scanner forms the backbone for security with the new Apple Pay e-payment program that is expected to be a broad success within the restrictive Apple eco system.

Materials and A Little Acquired Technical Know-How

The materials to complete the fabrication to get around the fingerprint scanning can be bought online for less than $1,000 making it accessible to many people who believe they can get more value out of a hacked phone when it is unlocked. Identify theft and even the recent access to obtain illicit photos of many celebrities through the repeated guessing of login details to iCloud accounts can be sped up when one is able to access an iPhone directly even when it has been locked.

A bit of specialized knowledge is needed to know what materials to buy and how to put them together for use, but most things can be learnt easily online if given enough time and access to YouTube or educational sites. There are most certainly going to be threads on hacking message boards about what to buy and how to get around the iPhone's Touch ID even if Apple will not admit to there even being a security issue.

The Basics Of How It Was Done

Mark Rogers who is a researcher in security processes for Lookout, a mobile security company, uses CSI type approaches to lift latent fingerprints left behind by device owners to create a test molding using a circuit board kit that was customized. Glue was the next ingredient which can create a rubber print which can be layered over his thumb and then pressed to the Touch ID scanner to access an iPhone 6.

The same technique is also possible to use with fingerprint scanners on safes with such technology and fingerprint scanning keypads for security doors. In the latter case, usually a watchful guard needs to be there to ensure that visitors are using their own fingers and do not have any adhesive sticking to their finger or thumb to be scanned. However in the case of an iPhone, no such oversight is possible.

Improvements Made To Touch ID in iPhone 6 and iPhone 6 Plus

Despite the vulnerabilities, Apple has clearly been busy making the Touch ID fingerprint sensor in the iPhone 6 range of smart phones a bit better. The sensor did reject several more of the fake prints using the above technique and rejected fewer real fingerprint scans. However, the fake fingerprint technique was not resolved fully.

The process to create a workable rubber fingerprint copy took Mark Rogers 8 hours to complete under test conditions. He estimated that it would take someone familiar with the techniques and outside of test conditions between 2-3 hours to complete a similar process to gain access to an iPhone 6 or iPhone 6 Plus using the Touch ID as their entry point.

Main Vulnerability of Fingerprints On Smart Devices

The issue with any smart device, not just Apple's products as the Samsung Galaxy S5 and Samsung Galaxy Note 4 also have fingerprint scanners too now, is that such devices are print magnets. Oily residue is picked up by fingers during daily life. As a result, these devices are perfect for placing prints all over them especially if they're held without using a case. The metal or plastic shiny back and glass front are perfect to leave prints and have them be lifted by a thief if they have the time and desire to do so.

Good News and Bad News

The good news is that most theft of smart phones are mostly crimes of opportunity when a phone is put down on a table for “just a second.” Most individuals are not slick enough to be able to lift prints and persevere to unlock the device so that it can be resold. Devices can also be locked via the Find My iPhone app feature and so by the time an unskilled thief has managed to unlock the phone, it may have been locked down already by the owner.

In the case of street gangs that have a little operations going to steal local smart phones en masse this is a different matter as they'll have the incentive to learn the right techniques and quite likely can get the speed to unlock down to an art. In such situations, some thieves actually steal specific makes and models of smart phones, almost to order, in order to work with phones they know how to access quicker.

Risks of Apple Pay

Whilst the new Apple Pay e-payment system will protect owners from financial losses, accessing an iPhone using a fake fingerprint may be worth the effort for thieves who see a digital wallet opening up to them when they can do so. However, the locking of the iPhone after 5 failed attempts to access it (instead of the previous unlimited attempts) will make it more difficult for thieves to use hit and miss methods to access the iPhone before it locks out.

Few People Still Lock Their Phones

According to security firm, Sophos, as many as 67% of smart phone owners do not bother locking their phones with a PIN code, pattern or fingerprint lock. This is likely to be a much lower percentage for iPhone owners with the easier fingerprint unlocking process so there is solid progress there.

Comments (0)
Featured Articles