Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/24/2013
04:39 PM
50%
50%

Apple Touch ID Fingerprint Reader Hack Heightens Biometrics Debate

Hackers say the attack demonstrates a fatal flaw of fingerprint biometrics: It's too easy to defeat

That didn't take long.

The biometrics hacking team of the Chaos Computer Club (CCC) has defeated Apple's Touch ID feature, a fingerprint reader unveiled last week as part of Apple's announcement of the iPhone 5s. The move by Apple led some security experts to express hope that its adoption could lead to increased interest in biometric technologies among consumers. But CCC researchers say it's proof that fingerprint readers should be viewed skeptically.

"We hope that this finally puts to rest the illusions people have about fingerprint biometrics," says Frank Rieger, spokesman for the CCC. "It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token."

News of the hack came roughly 24 hours after the phone became publicly available Sept. 20. Essentially, CCC researchers demonstrated that an attacker with physical access to the phone could take a picture or scan the fingerprints of the device's owner and use that to create a mold of the fingerprint to launch an attack.

"First, the residual fingerprint from the phone is either photographed or scanned with a flatbed scanner at 2400 dpi," the researchers note. "Then the image is converted to black and white, inverted and mirrored. This image is then printed onto transparent sheet at 1200 dpi."

"To create the mold, the mask is then used to expose the fingerprint structure on photo-sensitive PCB material," CCC hackers explain. "The PCB material is then developed, etched and cleaned. After this process, the mold is ready. A thin coat of graphite spray is applied to ensure an improved capacitive response. This also makes it easier to remove the fake fingerprint. Finally a thin film of white wood glue is smeared into the mold. After the glue cures the new fake fingerprint is ready for use."

The researchers also outlined another version of the attack, but said it was less reliable.

Apple did not respond to a request for comment.

Though the CCC criticized the use of fingerprint scanners for authentication and derided them as a technology designed for "oppression and control," Paul Zimski, Lumenion Security's vice president of solution marketing, says that the hack will probably not deter end users from leveraging the technology on their devices.

"Sure, it's not highly secure, but the average end user will most likely still use and rely on the scanner," Zimski says. "Trumping usability for security is somewhat of a universal constant in the consumerized world. If anything, this is also a good case for employing two-factor authentication."

There's an illusion of fingerprints as "some science-fiction thing" that is always highly accurate, says Michael Pearce, security consultant for Neohapsis. Unfortunately, he adds, that is not the case.

"They are problematic when used on their own to authenticate," he says. "Further, because fingerprint measurements are never exactly the same, the manufacturer needs to balance an error rate for both letting people in falsely and locking them out wrongly. When most of your fingerprint measurements are going to be legitimate users every time they pick up their phone, you're more concerned with the 9,999 times it's the right user than the one time it's the wrong one, and, as a result, you will lean on the permissive side if you want your product usable."

Ultimately, noted cryptographer Bruce Schneier argues, Apple is trying to balance security with convenience.

"This is a cell phone, not an ICBM launcher or even a bank account withdrawal device," he blogs. "Apple is offering an option to replace a four-digit PIN -- something that a lot of iPhone users don't even bother with -- with a fingerprint. Despite its drawbacks, I think it's a good trade-off for a lot of people."

Still, blogs Errata Security's Robert Graham, the notion that the hack is too much trouble is "profoundly wrong."

"Just because it's too much trouble for you doesn't mean it's too much trouble for a private investigator hired by your former husband," he blogs. "Or the neighbor's kid. Or an FBI agent. As a kid, I attended science fiction conventions in costume, and had latex around the house to get those Vulcan ears to look just right. As a kid, I etched circuit boards. This sort of stuff is easy, easy, easy -- you just need to try."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Becca Lipman
50%
50%
Becca Lipman,
User Rank: Apprentice
9/26/2013 | 2:45:08 PM
re: Apple Touch ID Fingerprint Reader Hack Heightens Biometrics Debate
I agree that my phone is becoming something of a bank account withdrawal device, but to access those particular apps I need to type in another password. Of course, if someone is already willing to go through the trouble of duplicating my fingerprints, I doubt a alphanumeric password will stop them. But is a fingerprint an extra deterrent?

I think of this finger print scanner like The Club, the red metal lock drivers can place on their steering wheel to prevent car theft (popular in the 90's). They're actually "easy" to remove, but a would-be theft might be deterred by the extra effort.

An the end of the day, it is convenient, and I prefer to unlock my phone without hassle. For the majority of 5s users, it is just a cell phone...
rstewart921
50%
50%
rstewart921,
User Rank: Apprentice
9/25/2013 | 4:19:14 PM
re: Apple Touch ID Fingerprint Reader Hack Heightens Biometrics Debate
"This is a cell phone, not an ICBM launcher or even a bank account withdrawal device,"

Actually with all of the banking apps available and electronic payment features now and coming in the future it might as well be a "bank account withdrawl device."
gev
50%
50%
gev,
User Rank: Moderator
9/25/2013 | 12:53:40 PM
re: Apple Touch ID Fingerprint Reader Hack Heightens Biometrics Debate
The four digit pin is not going anywhere any time soon.

I think the bigger problem for consumers will be the fact that their finger will not always be available - from cuts and burns to grease and sweat - many things will render a fingerprint reader unusable when we most need it.
Microsoft Patches Wormable RCE Vulns in Remote Desktop Services
Kelly Sheridan, Staff Editor, Dark Reading,  8/13/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15113
PUBLISHED: 2019-08-16
The companion-sitemap-generator plugin before 3.7.0 for WordPress has CSRF.
CVE-2019-15114
PUBLISHED: 2019-08-16
The formcraft-form-builder plugin before 1.2.2 for WordPress has CSRF.
CVE-2019-15115
PUBLISHED: 2019-08-16
The peters-login-redirect plugin before 2.9.2 for WordPress has CSRF.
CVE-2019-15116
PUBLISHED: 2019-08-16
The easy-digital-downloads plugin before 2.9.16 for WordPress has XSS related to IP address logging.
CVE-2017-18547
PUBLISHED: 2019-08-16
The nelio-ab-testing plugin before 4.6.4 for WordPress has CSRF in experiment forms.