Group gets around Touch ID by faking fingerprints


First, the fingerprint of the enroled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.

Piece of cake, right? Context is important. While yes you can recreate a fingerprint, you still need to obtain that fingerprint. Which means you need physical access to the owner plus obtain the device. And of course successfully go through this process. Compare that to a simple four digit PIN and I'm not sure it's that big of security concern. If security is a top priority, a complex PIN should be used regardless.

When the Touch ID is defeated at a technical level, such as accessing the stored data or otherwise bypassed without mimicking a fingerprint, that will be news. I think the real advantage of Touch ID is not to be undefeatable security, but bringing basic security to the masses. Because it works so well and so easily, people who ordinarily have no PIN lock will now lock their devices.