The Mac Security Blog

Apple

Good News! Apple’s TouchID Sensor Hacked

Posted on by

TouchID-Hacked

Early this weekend, the Chaos Computer Club (CCC) found a way to bypass the fingerprint scanner in Apple’s TouchID, by creating a high-resolution picture of the user’s fingerprint to create a fake finger that could be used to unlock the device. As of this morning, the video submitted by the CCC has been accepted as proof of the hack, so if you’ve been keeping track: Yes, TouchID Has Been Hacked. This of course means the folks in the CCC will be getting a nice payday for their efforts, including a bit of money and perhaps a round of celebratory booze!

There has been quite a bit of press as a result of this hack with claims that the TouchID is useless, including the announcement by the CCC, which called biometrics “unsuitable” and “just plain stupid.” The Chaos Computer Club goes on to describe why they consider this to be the case, and they use some good reasoning, I might add. Frank Rieger, spokesperson of the CCC, said the following:

We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token.

Obviously, in certain contexts, this is entirely true. However, this assumes that security must be bulletproof (or nearly so) in order to be useful at all. As we’ve said before, we don’t find this to be the case.

While I have seen plenty indicating that Apple said TouchID is more sophisticated than old-style fingerprint sensors, I have yet to see something that said it was foolproof. In that link, Apple describes pretty clearly what they’re going after: people who don’t use a passcode at all, and people who use lousy passcodes. As far as that goal goes, TouchID is every bit as good as it was a week ago. (It’s interesting to note in hindsite that they also gave a pretty good clue to the secret of the technology’s improvement: It’s got super-fancy resolution.)

TouchID was never meant to protect people against highly determined adversaries. It’s meant to scoot another few people into using some sort of authentication technology to lock their phones, so the devices won’t be such a tempting target for thieves. In this regard, they win, hack or no. But in my mind, the biggest potential win is that this may prompt Apple to move more quickly to allow people to use a combination of passcode and fingerprint scan. Bring it on!