Germany’s Chaos Computer Club has announced that, as we all thought, biometric data is not safe.
In a video posted by the group, a fake fingerprint is used to unlock one of Apple’s new iPhone 5S devices, and the video went up only two days after the device’s release.
In a post on their site, the group says that their biometric hacking team took a fingerprint of the user, photographed from a glass surface, and then created a "fake fingerprint" which could be put onto a thin film and used with a real finger to unlock the phone.
"This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided," said the Chaos Club’s blogpost author, "Starbug".
"In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake. As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints."
The group does not claim to have extracted the fingerprint representation from the phone itself, where Apple says it is held on a secure chip. Instead it relies on capturing a high-quality fingerprint elsewhere, and having access to the phone.
"Relying on your fingerprints to secure a device may be okay for casual security – but you shouldn’t depend upon it if you have sensitive data you wish to protect," said security specialist Graham Cluley on his website grahamcluley.com.
This marks the THIRD security failure for Apple since its release of iOS 7 just a few days ago. The first was the ability to use iOS 7’s Control Centre feature to access photos and send emails, and the second was the ability to dial any number from the emergency call screen, meaning the phone needn’t be unlocked.
The Chaos Club details its method for the fingerprint hack, which begins with a high-quality fingerprint lifted from a glass, doorknob or glossy surface. The print, which consists of fat and sweat, is made visible using graphite powder or a component of superglue, and then photographed at high resolution to create a 2400 pixel-per-inch scan. That scan is printed onto an overhead projector plastic slide using a laser printer, forming a relief. The relief is then covered with wood glue, which is cut out and attached to a real finger.
Apple introduced Touch ID on its premium-priced iPhone 5S earlier this month. The technology uses a scanner in the home button to take hi-res images of small sections of the fingerprint from layers of skin. Apple says "Touch ID then intelligently analyses this information with a remarkable degree of detail and precision."
Users can choose to use up to five fingerprints – which can be changed – to unlock the phone and optionally pay for iTunes Store purchases. They have first to create a passcode of at least four digits, and then "enrol" fingerprints separately. Apple says that this data is only stored on the phone.
Apple’s own notes about its Touch ID system on its site say that "Touch ID will incrementally add new sections of your fingerprint to your enrolled fingerprint data to improve matching accuracy over time. Touch ID uses all of this to provide an accurate match and a very high level of security."
The company says that "Every fingerprint is unique, so it is rare that even a small section of two separate fingerprints are alike enough to register as a match for Touch ID. The probability of this happening is 1 in 50,000 for one enrolled finger. This is much better than the 1 in 10,000 odds of guessing a typical 4-digit passcode. Although some passcodes, like "1234", may be more easily guessed, there is no such thing as an easily guessable fingerprint pattern."
It notes that after five unsuccessful attempts to match the fingerprint, the user has to enter their passcode, and the fingerprint unlock will not work.
In this feature, I detailed some of the flaws that fingerprint security and biometric data have in consumer use…and sure enough, here we are with evidence of how easy it is to get into the new 5S. Okay, it’s a little time-consuming for the average person, but for a dedicated thief or someone who needs your sensitive data, as long as they collect your fingerprints clandestinely beforehand, they could access your phone in a matter of seconds – perhaps before you can even remotely shut it down.
There has yet to be a test posted online seeing how the Touch ID technology fares in wet conditions or with a damaged finger, but I’m sure it won’t be long at all.