The hacker community was awash with simultaneous excitement and horror after Apple announced that its new iPhone 5S would include a fingerprint reader for device unlocking. A group of security researchers on Twitter were so convinced that the sensor was vulnerable, they began offering up piles of cash, bitcoins, and booze to the first person who managed to crack it.
It turns out they were right. Just two days after the device hit store shelves, a member of Germany’s legendary Chaos Computer Club who goes by the name Starbug has posted the solution, which involves bypassing the biometric lock using a plastic transparency, a laser printer, and skin-tone latex milk.
In a YouTube video, Starbug shows himself setting the iPhone’s lock with his index finger, then unlocking it with a printed transparency attached to his middle finger. The method is a slight modification of one he first published 10 years ago.
“We hope that this finally puts to rest the illusions people have about fingerprint biometrics,” said CCC spokesman Frank Rieger. “It is plain stupid to use something that you can´t change and that you leave everywhere every day as a security token.”
In a move that might’ve not happened before the Summer of Snowden, Apple took time during the new iPhone unveiling to reassure that fingerprint data is encrypted and stored locally on the device, and never sent to iCloud. That’s somewhat comforting for those worried about the U.S. government’s rapidly growing access to biometric data. But the CCC’s demonstration shows that, with a bit of preparation, the technology can indeed be spoofed—no severed fingers required.
Of course, there’s some legitimate skepticism over just how practical such a “hack” would be. Just because you can take a picture of someone’s house keys, or look over their shoulder while they punch in a PIN, doesn’t mean we should stop using either of those as access tokens. But fingerprints aren’t quite the same: For one, we leave them everywhere. And secondly, unless you’re the guy from Gattaca, you’re stuck with the same prints you were born with. Ultimately it depends on how easy it is to lift the prints of your target; the CCC is currently trying to demonstrate that in a video, which they say will be posted soon.
Contributors to the #IsTouchIDHackedYet contest, which was started by security researchers Robert Graham and Nick DePetrillo, are now set to pay out nearly $10,000 in cash and bitcoins, as well as a generous helping of alcohol and other prizes, to Raumfahrtagentur, a Berlin hackerspace spin-off of the CCC.* Another $10,000 was also pledged by Arturas Rosenbacher, a venture capitalist. But the offer was mysteriously rescinded at the last minute, with Rosenbacher claiming his assets aren’t liquid enough. Rosenbacher had been labeled a hoaxer during past run-ins with the Anonymous and Occupy Wall Street communities, and seems to have used the contest as a PR grab for his firm after representing it in a series of mainstream media interviews.
Before the CCC’s announcement, Bruce Schneier had noted that biometric technologies have indeed been spoofed in the past, using the gelatin mixture used to make gummi bears. In Wired, Marcia Hofmann* of the Electronic Frontier Foundation also pointed out that there are legal hacks for biometrics, too: If, for example, the police wanted to force you to unlock your fingerprint-secured phone, they might have less trouble doing so than if you had secured it with a PIN. The former only requires a physical action, while the latter requires you to reveal the contents of your mind, which runs up against Fifth Amendment protections against self-incrimination.
Unfortunately, Apple isn’t offering the option to unlock the device using a PIN plus fingerprint authentication, which seems like it would be a much safer option if the company is really set on using biometrics in its products. Although, if you’re that determined to use the feature, might as well use your cat.
*Corrections, Sept. 23, 2013: This blog post originally misidentified the group that will be receive the #IsTouchIDHackedYet prizes. It is Raumfahrtagentur, a Berlin hackerspace spin-off of the Chaos Computer Club, not the CCC itself. The post also misspelled the last name of the EFF’s Marcia Hofmann.