Biometrics are not safe, says famous hacker team who provide video showing how they could use a fake fingerprint to bypass phone's security lock screen
An Apple employee instructs the use of the fingerprint scanner technology built into the company's iPhone 5S. German hackers say they can beat it. Photograph: Ng Han Guan/AP
Charles Arthur
Germany's Chaos Computer Club says it has cracked the protection around Apple's fingerprint sensor on its new iPhone 5S, just two days after the device went on sale worldwide.
In a post on their site, the group says that their biometric hacking team took a fingerprint of the user, photographed from a glass surface, and then created a "fake fingerprint" which could be put onto a thin film and used with a real finger to unlock the phone.
The claim, which is backed up with a video, will create concerns for businesses which see users intending to use the phone to access corporate accounts. While it requires physical access to the phone, and a clean print of one finger which is one of those used to unlock the phone, it raises the risk of a security breach.
"This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided," said the Chaos Club's blogpost author, "Starbug". "In reality, Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake. As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints."
The group does not claim to have extracted the fingerprint representation from the phone itself, where Apple says it is held on a secure chip. Instead it relies on capturing a high-quality fingerprint elsewhere, and having access to the phone.
"Relying on your fingerprints to secure a device may be okay for casual security – but you shouldn't depend upon it if you have sensitive data you wish to protect," commented security specialist Graham Cluley.
Apple did not respond to a request for comment on the hack.
The revelation is the third security failing discovered since the phone and its iOS 7 software were released last week. First, a hacker found that they could use a flaw in iOS 7's Control Centre feature on the iPhone 4S and 5 to access photos and send emails. Another found that the Emergency Call screen can be used to place a call to any number.
The Chaos Club details its methods for the fingerprint hack, which begins with a high-quality fingerprint lifted from a glass, doorknob or glossy surface. The print, which essentially consists of fat and sweat, is made visible using graphite powder or a component of superglue, and then photographed at high resolution to create a 2400 pixel-per-inch scan. That is then printed onto an overhead projector plastic slide using a laser print, forming a relief. That is then covered with wood glue, cut and attached to a real finger.
Apple introduced Touch ID, as it calls the fingerprint system, on its top-end iPhone 5S, unveiled earlier in the month. The technology uses a scanner built into the home button of the phone to take a high-resolution image from small sections of the fingerprint from the sub-epidermal layers of the skin. Apple says "Touch ID then intelligently analyses this information with a remarkable degree of detail and precision."
Users can choose to use up to five fingerprints - which can be changed - to unlock the phone and optionally pay for iTunes Store purchases. They have first to create a passcode of at least four digits, and then "enrol" fingerprints separately. Apple says that the process creates a mathematical representation of the fingerprint representation, and that it is only stored on the phone.
Apple's own notes about its Touch ID system on its site say that Touch ID will incrementally add new sections of your fingerprint to your enrolled fingerpri
No comments:
Post a Comment