
Bypassing TouchID was “no challenge at all,” hacker tells Ars

German hacker Starbug tells Ars how he bypassed the fingerprint lock on new iPhones.

Ars expressed surprise on Monday that a hacker was able to bypass fingerprint protection less than 48 hours after its debut in Apple's newest iPhone, but not everyone felt the same way. The hack, carried out by well-known German hacker Starbug, required too much expertise and pricey equipment to make it practical, according to critics.

Marc Rogers, a security expert at smartphone security firm Lookout, was among the skeptics. After independently devising his own bypass of Apple's Touch ID, he concluded that it was anything but easy. "Hacking Touch ID relies upon a combination of skills, existing academic research, and the patience of a Crime Scene Technician," he wrote. Rogers went on to say that no one would know just how feasible Starbug's hack was until he released a step-by-step video and we learned more technical details.

We now have both. Heise Online has posted the video here, and it was enough to satisfy Rob Graham, a security expert who donated $500 to the first person to hack Touch ID. Ars has also heard directly from Starbug, who (like us and several security experts) was surprised by how little time and effort his bypass required.

It "was way easier than expected," he wrote in an e-mail. "I thought it would take at least a week and some fancy chip/bus hacking." It didn't require either.

What follows are his answers to questions Ars sent shortly after news of his hack broke Sunday night. The last question is a follow-up inquiry that came later. Because Starbug's first language is German and not English, some of his answers have been lightly edited for grammar and usage.

Was there something you wanted to prove by going after Touch ID? If yes, what was it, and how exactly does the hack go about proving it?

Like for the last 10 years, what I wanted to show is that there are no fingerprint systems that could not be fooled. But mostly I did it for the fun. Or in other words, because I can.

In the past, you've been critical of the way many people attempt to use fingerprints and other biometrics. Is that still the case? Why would you be critical of Apple? Touch ID isn't mandatory, and the fingerprint is just a substitute for a four-digit PIN.

I am not critical of Apple. The only thing you can [criticize] them [for] is that they have Touch ID advertised as safe, even though they knew that it would be hacked over [the] short or long [term]. Compared to no use of the safety PIN, fingerprint [scanning] is already a [benefit]. I think in general, the use of biometrics for automatic recognition of people [is] problematic, especially when, for example, face recognition is performed without using the human.

How long did it take for you to bypass Touch ID? Was there anything that you found hard or challenging about the hack? Was there anything about Touch ID that you think was well engineered or well implemented?

It took me nearly 30 hours from unpacking the iPhone to a [bypass] that worked reliably. With better preparation it would have taken approximately half an hour. I spent significantly more time trying to find out information on the technical specification of the sensor than I actually spent bypassing it.

I was very disappointed, as I hoped to hack on it for a week or two. There was no challenge at all; the attack was very straightforward and trivial.

The Touch ID is nevertheless a very reliable fingerprint system. However, users should only consider it an increase in convenience and not security.

How feasible is the hack that you came up with? Is it something anyone can do, or is it something that only talented hackers with a fair amount of skill and expensive equipment can pull off?

It's very easy. You basically can do it at home with inexpensive office equipment like an image scanner, a laser printer, and a kit for etching PCBs. And it will only take you a couple of hours. The techniques are actually several years old and are readily available on the Internet.

Many people said the sensor on Touch ID scanned fingers at a sub-epidermal level and that this would prevent fingerprint films like the one you used from working. That appears to have been wrong, correct? If so, why? What allowed your technique to work?

I wasn't actually able to find sufficient details on how the sensor works. I do assume they use sub-epidermal scanning. However, the scanned tissue is too similar to the upper layers of the skin. The most likely issue is the arbitrary threshold that Apple chose. They had to ensure that their setting works reliably, i.e. it shouldn't need to scan [a user's] finger twice because the sensor rejected the first attempt. Put simply, they chose usability and convenience over security. Hence, the fingerprint sensor can always be defeated as long as the materials used for the fake are sufficiently close to the characteristics of human tissue, and as long as the scan of a high-resolution fingerprint is available.

It is also important to have in mind that personal devices like the iPhone are covered in fingerprints that can be used to produce a fake. Other everyday objects, such as glasses, fall into this category as well. The problem with your fingerprints is that you leave them everywhere. It's akin to writing your password on a post-it note and leaving it everywhere you go.

It seems like authentication in general is becoming more and more vulnerable. We see passwords and PINs becoming increasingly weak. Many people don't trust RSA's SecurID. Is there a form of authentication that you think is better than passwords, physical tokens, or biometrics? What is it? What needs to happen for it to become something people use to unlock their iPhones or log in to Gmail or other online services?

Passwords are no problem at all as long as they are long enough and someone had a look into the algorithms [used to store them] and their implementation. In fact, long, complex passwords, which can also be configured on iOS devices, offer a sufficient level of security. The problem is finding the right balance between convenience for the user and security. No normal person wants to be confronted with a 20-character password every single time they want to do something on their phone. On the other hand, today's smartphones contain a great amount of personal data where many would say that even a four-digit [PIN] is also insufficient.

Do you agree with what [Lookout security expert Marc Rogers] is saying in his blog post?

It's much easier. I guess the lifting is much less trouble than described. Best have a look at the video. I used just a scanner to lift the print of the thumb that enters the PIN. So the thumb left prints on the screen, and they could be easily lifted.
