Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Apple's Touch ID already bypassed with established 'fake finger' technique

Last updated

A hacker group in Germany claims to have defeated Apple's new Touch ID biometric security system by using a modified fingerprint lifting and "fake finger" creation technique.

In a post to its website on Sunday, the Chaos Computer Club claimed to have bypassed the iPhone 5s' Touch ID sensor hardware, just two days after the smartphone was released on Friday.

According to a detailed walkthrough of the bypass provided by the group's biometrics hacking team, the iPhone 5s' Touch ID hardware is, in effect, merely a higher resolution version of existing sensors. This means the system can be defeated using common fingerprint lifting techniques, albeit at a more refined level.

"In reality, Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake", said a CCC hacker nicknamed Starbug. "As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints."

While the process is somewhat complex, the thinking behind it is straightforward. In this case, a high-resolution 2400 dpi photo of a user's fingerprint was harvested from a glass surface using graphite dust or cyanoacrylate (the main ingredient in Super Glue) and a camera. The resulting image was cleaned up and inverted with photo editing software, then laser printed at 1200 dpi onto a transparent sheet.

To create the fake fingerprint, pink latex milk or white wood glue is laid over the printout and allowed to set. Once cured, the dummy can be peeled off the transparency, breathed on to produce a thin layer of moisture, and applied to a finger. This will grant access to a Touch ID protected device, CCC claims.

A video of the unlocking process was uploaded to YouTube:

"We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can´t change and that you leave everywhere every day as a security token", said CCC spokesman Frank Rieger. "The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access."

It should be noted that Apple never claimed Touch ID was a new technology, nor did the company say the method was foolproof. As seen above, there are many caveats in the production of a "fake finger," from latent fingerprint quality to digitization and printing. In addition, a would-be thief would need access to the iPhone itself after the fake is produced.

Also not taken into account is Apple's Find My iPhone app, which allows a lost or stolen phone to be wiped remotely. This leaves the window for breaking into the 5s very small, and would likely thwart all but the most dedicated criminals.

Apple's Touch ID is the company's first attempt at including a biometric security method in its consumer products. The technology comes from AuthenTec, a biometrics firm specializing in fingerprint hardware, that Apple purchased in 2012 for $356 million.

The extent to which Apple plans to incorporate biometric technology is unclear, though as it stands, Touch ID is used to unlock the iPhone 5s and make iTunes purchases. Third parties do not have access to the sensor's API, but that may change if the tech becomes a larger part of the iOS ecosystem.



330 Comments

droidftw 11 Years · 1009 comments

Anyone with a level head probably realized the TouchID system would be defeated in quick order. That said, it still may still prove to be an effective deterrent for crimes of opportunity (which I'd imagine most phone thefts are). Only time will tell.

ceek74 12 Years · 324 comments

I'm pretty sure I don't recall Apple ever saying it was uncrackable. But it sure does beat havin to enter a PIN or password away too often.

wings 21 Years · 261 comments

By the time a thief steals my phone, and SOMEHOW also gets my fingerprint (OK, maybe there's one unsmudged print left on my phone, but odds are 1-in-10 that it's my recorded print), and scans it at 2400dpi, prints it with a good printer at very high resolution, puts a layer of latex over it and WAITS for that to dry, I will have already set a passcode and/or wiped the phone. Not to mention I have activation lock enabled so he (or anyone he sells it to) would need my passcode to activate it. Not worried. It's more than enough protection for little ole me.

rogifan 13 Years · 10667 comments

Let me guess...this CCC outfit as an agenda and will use Apple to further it.

ericthehalfbee 13 Years · 4489 comments

Is there a complete video from beginning to end? Without seeing the steps involved it's kinda pointless. Anything can be hacked. It's whether the time and effort to perform the hack are worth the end result (getting access to a phone). Creating a fake finger to open a safe or get access to a secure area might be worthwhile. I really doubt anyone would go through the effort to get the data that's on your phone.