For the second time in two iPhone releases, mobile-security firm Lookout has tested and bested the security of Touch ID.
Touch ID lets users unlock the iPhone 5S, iPhone 6, and iPhone 6 Plus just by putting their fingerprint over a sensor on the home button. By requiring a fingerprint to unlock the device and make purchases within the App Store, with Apple Pay, or through third-party developers, Apple is trying to make your data and information more secure.
So what happens if it’s hacked?
Lookout’s principal security researcher Marc Rogers hacked Touch ID on the 5S last year, and now he’s done it again. Through a CSI-like process, he was able to unlock an iPhone 6 using a fake fingerprint made of glue.
With such a fingerprint facsimile in hand, an attacker could theoretically take over someone’s iPhone to make purchases or steal the owner’s photographs, email, texts or other personal information. It sounds like a plot from a prime-time crime drama—and so it’s probably only a matter of time until iPhone fingerprint hacks hit the big screen.
While the thought of someone accessing your phone with a copied fingerprint might make you uncomfortable, don’t worry. Accessing a device the way Rogers did takes significant skill, time and effort. And, as we reported last year, a malicious attacker can’t use a finger that’s, well, detached from your body.
Rogers says consumers shouldn’t worry too much about the potential for duping the system.
“I don’t see this to be a risk to consumers in any way because I don’t think criminals are sophisticated enough,” Rogers said in an email interview. “It is difficult to make these fingerprints—think of Touch ID as being the equivalent of a door lock. It’s there to stop the average criminal from getting access, or in the case of Touch ID, claiming they are you.”
Not only does a potential hacker need a clear print from their target that can be lifted by using super glue fumes and fingerprint powder, they will also have to get access to lab equipment to photograph, print, and then cast the fingerprint using chemicals and smearing it with glue. Unless you have access to a crime laboratory, the equipment is prohibitively expensive.
Through the experiment, Rogers discovered that there’s virtually no measurable improvement in the fingerprint sensors between the iPhone 5S and the iPhone 6, except that he got fewer “false negatives,” on the iPhone 6, meaning the reading was clearer.
Even though Rogers is impressed with the technology, he says Apple could do more to keep devices secure. Some improvements, he says, could include limits on the number of unlocking attempts a device will allow, a fallback to a passcode when the device hasn’t been used for a specific amount of time, and “best practices” suggested by Apple which may include using different fingers for different authentication.
“I was hoping to see improvements in the Touch ID sensor that show Apple is working to come up with a solution that cannot be fooled as easily,” he said. “However, while I can’t say Apple isn’t working on this, I don’t see any significant signs of improvement in this version despite the fact that it is now going to be used for payments.”
Lead photo by Selena Larson for ReadWrite; iPhone 6 and iPhone 5S image courtesy of Lookout