Blog Entry For 24/9/2013

Apple's Touch ID Cracked

The gauntlet was thrown down, and the prize fund secured.

As a little background, a micro venture capital firm funded jackpot (bit of a mouthful) was offered for any proof that Apple's new and highly prized fingerprint system , aka TouchID, was fallible. Certainly the challenge alone was bound to provide an interesting response, and proof has been supplied to satisfy a substancial payout. The solution, curiously, involves access to an original print from which a high resolution latex or woodglue copy can be made. Simple application is all that is required to trick the scanner into unlocking the phone. Seems surprisingly and unexpectedly easy. I'm rather disappointed.

What I find curious, given the publicity in the run up to the launch of the iPhone 5s and it's innovative fingerprint reader, was the emphasis on the sensor specifications. The secret sauce was a sensor 170 microns thin that, as well as optical scanning at 500ppi, also employed capacitive sensing in additon to the scanning of sub-dermal patternation. The idea was that, given the intricacy and combination of metrics measured, it should prove quite difficult to circumvent.

So the question in my mind is how such a crack manages to foil the cacpative and sub-dermal metrics of the sensor. According to the details so far, the foil fingerprint can be a simple latex or woodglue copy. It would be a curious turn of events if either substance, coincidently, provides a similar capacitative profile to that of skin.

What is certain is that recent events will be a unwelcome embarassment for Apple. Their response shall be interesting, and no doubt board meetings will be taking place as we speak before release of a careful, PR crafted response. Personally I'm hoping for a positive response, and to see Apple take it on the chin in good humour, and to work on bringing out version 2.0. However it plays out over the coming weeks, it certainly seems the world of biometric security has sustained an unwelcome blow.

9/24/2013 Tags: apple 5s touch id cracked

Post Comment

Your Name

Comment

Please provide an answer to the following: Captcha

Comments: 6

Posted by Chris I do hope they come out with a version 2. There are certainly some interesting security issues surrounding the 5th amendment it could address. Forcing verbal disclosure of a pin cf. physical unlocking is an interesting legal area. I still want one :-)
Posted: 9/24/2013 12:42 AM

Posted by Chris I might do that, leave plenty room for Apple boyz :-P Interesting points you brought up. I got the feeling it was certainly a step up in the status quo. Given the money, I wish I had taken an afternoon out to give it a shot. Ah, hindsight.
Posted: 9/24/2013 12:40 AM

Posted by Michael ( I realise these comments read backwards. You should increase the character limit :P )
Posted: 9/24/2013 12:35 AM

Posted by Michael In any case, once jailbreak vulnerabilities are found, most iPhones can be burst open by simply connecting them via USB and clicking a button to obtain root access. Android devices are no different. Touch ID is 'enough', and if millions more secure their devices as a result, I think Apple board meetings will very much deem that a success. :)
Posted: 9/24/2013 12:35 AM

Posted by Michael What is weak, is the likely millions of simply unsecured devices because having to enter a code poses too large an inconvenience for the average user. Touch ID gives a very high level of security, with almost zero inconvience for the user. It doesn't stop a very determined individual obtaining access, but it's miles better than anything we currently have in mobile devices. Yes you can crack it, but pouring funds into making it much more secure would be pointless.
Posted: 9/24/2013 12:34 AM

Posted by Michael I think you're missing the point. The objective was to provide a 'reasonably high' level of security, whilst simultaneously greatly reducing the inconvenience caused by any kind of passcode. The fact that any 4 digit passcode is relatively 'easy' to crack does not make it weak security. In the majority of cases its a reasonable enough deterrant to avoid having someone access your phone data.
Posted: 9/24/2013 12:34 AM