The Chaos Computer Club (CCC) posted that they had been able to deceive the TouchID sensor of the iPhone5s one day after its release.
The method follows the steps outlined in this how-to with materials that can be found in almost every household: First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.
My first question when I originally saw this was how reliable this process was. How many attempts to create the fake failed first? How often does the fake work? As I am writing this today, I see that the article has been updated with a clarification about the poor reliability of this process and has detailed a more difficult process using PCB (Printed Circuit Board) etching materials.
The process described above proved to be somewhat unreliable as the depth of the ridges created by the toner was a little too shallow. Therefore an alternative process based on the same principle was utilized and has been demonstrated in an extended video available here. First, the residual fingerprint from the phone is either photographed or scanned with a flatbed scanner at 2400 dpi. Then the image is converted to black & white, inverted and mirrored. This image is then printed onto transparent sheet at 1200 dpi. To create the mold, the mask is then used to expose the fingerprint structure on photo-sensitive PCB material. The PCB material is then developed, etched and cleaned. After this process, the mold is ready. A thin coat of graphite spray is applied to ensure an improved capacitive response. This also makes it easier to remove the fake fingerprint. Finally a thin film of white wood glue is smeared into the mold. After the glue cures the new fake fingerprint is ready for use.
Still something that is accessible, but not something the average person is going to have about the house or be familiar with using. Will the FBI now start flagging purchases of PCB etching materials?
“We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token”, said Frank Rieger, spokesperson of the CCC. “The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.” Fingerprint biometrics in passports has been introduced in many countries despite the fact that by this global roll-out no security gain can be shown.
I’ve had my iPhone5s for a few days now and use TouchID. Does it make my iPhone totally secure? No. I was under little illusion about that anyway - no-one who has ever worked in software development should think that. But it lets me use my iPhone as though it wasn’t locked, while still providing the peace of mind that someone who chances by my unattended iPhone can’t just use it without my permission. Bypassing it requires premeditation, preparation and time.
What I find more interesting is CCC’s general claims about biometrics and the relative ease with which fingerprint scanners can be deceived, and that the tutorial they point to is from 2004. So it’s not like they did anything special or new. It makes the whole biometrics industry look like shysters.
In a way, it’s like how locking your house only keeps the honest people out. The dishonest ones will just break a window. Except you inadvertently leave images of your house keys everywhere you go, which dishonest people can use to reproduce your keys and just unlock the door.
However, news outlets will actually run this story because it has “Apple” in the headline, so maybe it will get some penetration of mainstream consciousness this time. Or will everyone have forgotten in a month?