
Hackers successfully trick iPhone 5S fingerprint scanner with fake finger

Today, the Chaos Computer Club delivered yet another way to get around your new iPhone 5S’s Touch ID.

Apple introduced a special fingerprint sensor in its latest iPhone release that replaces the passcode as a “more secure” way of accessing your device. But nothing is perfect, as we all know. The “biometrics hacking team” of the Chaos Computer Club discovered that all you need is a glue model of someone’s fingerprint and you, too, can bypass the lock screen.

“This demonstrates — again — that fingerprint biometrics is unsuitable as access control method and should be avoided,” the group said in a blog post.

CCC explained that fingerprint biometric scanning is not a strong defense against unwanted people because we leave our fingerprints “everywhere.” If someone really wanted to get into the phone they could easily lift one of your fingerprints off of the phone’s surface and replicate it for future use. Of course, it takes a little more dedication to create an actual model of the fingerprint as opposed to just holding up a piece of paper.

In the iPhone’s case a piece of paper wouldn’t work because the sensors on the phone are higher resolution than you normally see. The CCC dealt with this by taking a picture of the fingerprint with a 2400 dpi resolution camera. The picture is then “cleaned up” on a computer and printed with heavy toner onto a transparent sheet. After that, the group smeared latex or wood glue on the sheet, let it dry, and then removed the latex which, at that point, had become a model of the fingerprint. The CCC says it breathes on the latex to make it moist and life-like, lays it over an existing finger, and then tries to open the lock screen. It published a video of this tactic working successfully.

Last week we saw a less-intensive way to bypass the lock screen through a vulnerability in the calculator and timer apps. All you have to do is press the power button until the turn-off slider pops up, click cancel, double tap the home button, and then you’ve got access to some, but not all, of the phone’s locked functions.

So, while it’s a stretch that your average user would be willing to go to these lengths to get inside your phone, keep in mind that not all locking mechanisms are foolproof.