Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/24/2013
04:39 PM
50%
50%

Apple Touch ID Fingerprint Reader Hack Heightens Biometrics Debate

Hackers say the attack demonstrates a fatal flaw of fingerprint biometrics: It's too easy to defeat

That didn't take long.

The biometrics hacking team of the Chaos Computer Club (CCC) has defeated Apple's Touch ID feature, a fingerprint reader unveiled last week as part of Apple's announcement of the iPhone 5s. The move by Apple led some security experts to express hope that its adoption could lead to increased interest in biometric technologies among consumers. But CCC researchers say it's proof that fingerprint readers should be viewed skeptically.

"We hope that this finally puts to rest the illusions people have about fingerprint biometrics," says Frank Rieger, spokesman for the CCC. "It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token."

News of the hack came roughly 24 hours after the phone became publicly available Sept. 20. Essentially, CCC researchers demonstrated that an attacker with physical access to the phone could take a picture or scan the fingerprints of the device's owner and use that to create a mold of the fingerprint to launch an attack.

"First, the residual fingerprint from the phone is either photographed or scanned with a flatbed scanner at 2400 dpi," the researchers note. "Then the image is converted to black and white, inverted and mirrored. This image is then printed onto transparent sheet at 1200 dpi."

"To create the mold, the mask is then used to expose the fingerprint structure on photo-sensitive PCB material," CCC hackers explain. "The PCB material is then developed, etched and cleaned. After this process, the mold is ready. A thin coat of graphite spray is applied to ensure an improved capacitive response. This also makes it easier to remove the fake fingerprint. Finally a thin film of white wood glue is smeared into the mold. After the glue cures the new fake fingerprint is ready for use."

The researchers also outlined another version of the attack, but said it was less reliable.

Apple did not respond to a request for comment.

Though the CCC criticized the use of fingerprint scanners for authentication and derided them as a technology designed for "oppression and control," Paul Zimski, Lumenion Security's vice president of solution marketing, says that the hack will probably not deter end users from leveraging the technology on their devices.

"Sure, it's not highly secure, but the average end user will most likely still use and rely on the scanner," Zimski says. "Trumping usability for security is somewhat of a universal constant in the consumerized world. If anything, this is also a good case for employing two-factor authentication."

There's an illusion of fingerprints as "some science-fiction thing" that is always highly accurate, says Michael Pearce, security consultant for Neohapsis. Unfortunately, he adds, that is not the case.

"They are problematic when used on their own to authenticate," he says. "Further, because fingerprint measurements are never exactly the same, the manufacturer needs to balance an error rate for both letting people in falsely and locking them out wrongly. When most of your fingerprint measurements are going to be legitimate users every time they pick up their phone, you're more concerned with the 9,999 times it's the right user than the one time it's the wrong one, and, as a result, you will lean on the permissive side if you want your product usable."

Ultimately, noted cryptographer Bruce Schneier argues, Apple is trying to balance security with convenience.

"This is a cell phone, not an ICBM launcher or even a bank account withdrawal device," he blogs. "Apple is offering an option to replace a four-digit PIN -- something that a lot of iPhone users don't even bother with -- with a fingerprint. Despite its drawbacks, I think it's a good trade-off for a lot of people."

Still, blogs Errata Security's Robert Graham, the notion that the hack is too much trouble is "profoundly wrong."

"Just because it's too much trouble for you doesn't mean it's too much trouble for a private investigator hired by your former husband," he blogs. "Or the neighbor's kid. Or an FBI agent. As a kid, I attended science fiction conventions in costume, and had latex around the house to get those Vulcan ears to look just right. As a kid, I etched circuit boards. This sort of stuff is easy, easy, easy -- you just need to try."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Becca Lipman
50%
50%
Becca Lipman,
User Rank: Apprentice
9/26/2013 | 2:45:08 PM
re: Apple Touch ID Fingerprint Reader Hack Heightens Biometrics Debate
I agree that my phone is becoming something of a bank account withdrawal device, but to access those particular apps I need to type in another password. Of course, if someone is already willing to go through the trouble of duplicating my fingerprints, I doubt a alphanumeric password will stop them. But is a fingerprint an extra deterrent?

I think of this finger print scanner like The Club, the red metal lock drivers can place on their steering wheel to prevent car theft (popular in the 90's). They're actually "easy" to remove, but a would-be theft might be deterred by the extra effort.

An the end of the day, it is convenient, and I prefer to unlock my phone without hassle. For the majority of 5s users, it is just a cell phone...
rstewart921
50%
50%
rstewart921,
User Rank: Apprentice
9/25/2013 | 4:19:14 PM
re: Apple Touch ID Fingerprint Reader Hack Heightens Biometrics Debate
"This is a cell phone, not an ICBM launcher or even a bank account withdrawal device,"

Actually with all of the banking apps available and electronic payment features now and coming in the future it might as well be a "bank account withdrawl device."
gev
50%
50%
gev,
User Rank: Moderator
9/25/2013 | 12:53:40 PM
re: Apple Touch ID Fingerprint Reader Hack Heightens Biometrics Debate
The four digit pin is not going anywhere any time soon.

I think the bigger problem for consumers will be the fact that their finger will not always be available - from cuts and burns to grease and sweat - many things will render a fingerprint reader unusable when we most need it.
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...