Apple's Touch ID fingerprint scanner still hackable says Lookout

News by Steve Gold

Touch fingerprint ID: still hackable on the iPhone 6 and not noticably more secure.

Apple was embarrassed last year when the Chaos Computer Club - and several research firms - successfully hacked the Touch ID fingerprint scanner on the iPhone 5S. But despite the 5S problem being patched, it seems that the new iPhone 6 also suffers from the same vulnerability.

The iPhone 5S Touch ID insecurities were investigated last September by Marc Rogers, Lookout's principal security researcher, as the story began to break.

This time around - as with the iPhone 5S - Rogers' modus operandi was to use a fake fingerprint made of glue and, although he concedes the process took him a great deal of skill, time and effort, he says the process is repeatable with a high degree of success.

To succeed, Rogers says that iPhone 6 attackers need to use a clear fingerprint from their target that can be lifted by using superglue fumes and fingerprint powder. They should then use lab kit to photograph, print, and then cast the fingerprint using chemicals and smearing it with glue.

From his experiments, Lookout's principal security researcher says that there has been no measurable improvement in the fingerprint sensors between the iPhone 5S and the iPhone 6.

"That said, I cannot help but be a little disappointed that Apple didn't take this chance to really tighten up the security of Touch ID. Especially when you consider their clear intention to widen its usage beyond simply unlocking your phone into the realm of payments," he said in his analysis.

According to Rogers, convenient authentication for transactions is a great thing that could both improve user experience and security.

"However, it also brings attention from people looking to exploit those transactions and more transactions means more incentive. If Apple is not careful they could solve one problem but create another," he explained.

Bob Tarzey, an analyst and director with Quocirca, was equally unimpressed with Apple's Touch ID insecurity, although he noted Rogers' comments about the attack vector being complex.

"Thieves do not like to make lives too hard for themselves, so even if the Touch ID fingerprint reader on the iPhone 6 can still be hacked, it is a lot of effort to go to compared to chasing easier targets such as actual payment cards," he said.

"Being in possession of both someone's mobile phone and having the wherewithal and opportunity to lift good enough fingerprint copies is still a long shot, and using stronger authentication to raise barriers is a good thing even if small vulnerabilities remain," he added.

Sarb Sembhi, a director with Storm Guidance, said that Apple's continuing problems with its Touch ID technology are almost certainly the result of a failure to develop a risk model and threat model for the iPhone 6 family.

"You have to go back to basics with this. With these models you can iron any problems at the development stages, rather than after the handset has shipped. It seems like they have patched up the previous unit, rather than starting from scratch," he explained.

Sembhi, who is a leading light with ISACA, the not-for-profit IT security association, went on to say that one of the causes of the security problem with the iPhone's fingerprint security technology is that much of its supply chain is outsourced.

"Having said that, an effective risk model would have helped to resolve this situation. The old adage that you can outsource the work, but you cannot outsource the risk, applies in this case," he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews