Defeating Apple’s Touch ID: It’s easier than you may think

The hack using lifted fingerprints is easy; here's how you can make it harder.

This weekend's decisive defeat of Touch ID is the most poignant reminder yet of the significant limitations of using fingerprints, iris scans, and other physical characteristics to prove our identities to computing devices. As previously reported, a team of German hackers who have long criticized biometrics-based authentication bypassed the new iPhone feature less than 48 hours after its debut.

Many security researchers and writers, yours truly included, predicted that the high-definition scanner included in the iPhone 5S wouldn't be fooled by attacks using scanned fingerprint smudges to impersonate an already enrolled thumb or finger. It's now clear we were wrong. Hacker Starbug overcame the purported ability of Touch ID to read prints at a sub-epidermal level by using a slightly higher resolution camera to generate a cloned fingerprint. The availability of a laser printer also seemed to help.

Some critics have castigated the technique as too difficult for the average hacker. Others have argued that the hack has little significance in the real world. They cite Apple talking points that the protection of Touch ID represents a significant improvement over what many people have now, since a large percentage of iPhone users currently use no PIN at all to lock their phones. There's some merit in this second argument, since any protection, no matter how flawed, is better than none at all. But as Rob Graham, CEO of penetration testing firm Errata Security, makes clear, Starbug's technique is easy for many people to carry out.

"Just because it's too much trouble for you doesn't mean it's too much trouble for a private investigator hired by your former husband," he wrote in an e-mail to Ars. "Or the neighbor's kid. Or an FBI agent. As a kid, I attended science fiction conventions in costume and had latex around the house to get those Vulcan ears to look just right. As a kid, I etched circuit boards. This sort of stuff is easy, easy, easy—you just need to try."

Graham later posted his comments on his blog.

As Ars pointed out last week, there's little we can do to keep our fingerprints and other physical characteristics private. They leak every time we touch a door knob, wine glass, or ATM. And that calls into question whether Touch ID is a truly "secure" way to unlock phones, as Apple's own press release announcing the new feature claimed. That's not to say there aren't things people can do to limit the leakage, though.

Graham is one of the organizers behind istouchidhackedyet, a bounty program that pledged cash bounties to the first person who could override the new feature, which allows people to unlock their iPhones using one or more fingerprints. He told Ars that he's still waiting to see a detailed video that documents the hack from start to finish, but at this point he's satisfied that Starbug has met the requirements for the cash prize. He estimated the amount at about $10,000, after at least one of the people who pledged a bounty reneged on the promise.

As Ars pointed out last week, the security of iPhones would improve dramatically if Apple allowed users to unlock iPhones only after producing a valid PIN and fingerprint. This would make the iPhone a truly two-factor device, and Apple's decision not to provide the option is a missed opportunity. Given Apple's long history of removing clutter from menus and user interfaces, it seems unlikely that this option will ever be available.

For those who continue to use Touch ID, Graham suggested a simple step for minimizing the success of Starbug's attack: use only pinky or ring fingers to unlock your device. He said most prints left on glasses, iPhone screens, and other surfaces are from thumbs and index fingers. Enrolling a pinky or ring finger won't completely foreclose attacks like the one developed by Starbug, but it will require an attacker to work much harder to succeed.
