Apple iPhone 6 Touch ID Hacked
Biometric Fingerprint Reader Gets Faked Out by Researcher
The biometric fingerprint scanner built into the latest generation of Apple iPhone smartphones can be tricked using a fake fingerprint created with glue, says Marc Rogers, principal security researcher at mobile security firm Lookout.
Rogers tells Information Security Media Group that he was able to use a "cloned fingerprint lifted from a shiny surface and recreated using glue" to authenticate to an Apple iPhone 6. That repeated an attack technique he'd previously used to fool the fingerprint reader - dubbed Touch ID - that was built into the home button on the iPhone 5S, which was the first Apple device to feature a biometric fingerprint scanner.
The difference between last year's iPhone 5S and the new iPhone 6, however, is that the Touch ID scanner in the latest generation of devices can be used to authenticate Apple Pay transactions, as well as access personal health information stored in the phone's dedicated Secure Element security chip. In other words, anyone who can fool the device, using a fake fingerprint, might then be able to use the device to commit fraud, as well as access sensitive personal information.
Apple didn't immediately respond to a request for comment about Rogers' report that he had bypassed Touch ID using a faked fingerprint.
Rogers says he isn't surprised that he was able to fool the new Touch ID scanner, just one year after faking out the first version. "Fingerprint sensors have been vulnerable for a long time and it is a very hard problem to solve," he says. "However, I was a little surprised to see that there were no significant signs of improvement."
But Rogers says he's dismayed Apple doesn't appear to have significantly advanced its fingerprint-reading security checks in the past year. "I was hoping to see improvements in the Touch ID sensor that show Apple is working to come up with a solution that cannot be fooled as easily," he says. "While I can't say Apple isn't working on this, I don't see any significant signs of improvement in this version - despite the fact that it is now going to be used for payments."
On the upside, however, the newer Touch ID hardware appears to have a much lower false-negative rate, meaning it rejects fewer real fingerprints, Rogers says. That likely stems from the new Touch ID sensors scanning at a higher resolution than before, he says. The improved hardware likely also explains why he found that fake fingerprints must be of higher quality to fool an iPhone 6 Touch ID sensor, compared to the iPhone 5S.
"To fool the iPhone 6 you need to make sure your fingerprint clone is clear, correctly proportioned, correctly positioned, and thick enough to prevent your real fingerprint coming through to confuse it," Rogers says. "None of these are challenging details for a researcher in the lab, but are likely to make it a little bit harder for a criminal to just 'lift your fingerprint' from the phone's glossy surface and unlock the device." He posted a YouTube clip demonstrating how his attack works.
Touch ID Hack: Not Surprising
Payment security expert Neira Jones says she's not surprised that a researcher was able to fool Touch ID. "Everything is hackable, so when it comes to protection, fraud prevention, cybersecurity, information security, risk management - whatever way you want to call it - it all amounts to the same thing: It is not about relying on one technology, it's about having layered defense," Jones says in an interview at the London Fraud Summit, hosted Sept. 23 by Information Security Media Group.
"It all comes down to, how cost-effective is it for criminals to exploit such vulnerabilities, are they going to do it, and is it sufficient using just that one factor to actually do something that will amount to economic crime or something nefarious, and how quickly is Apple going to fix it?" she says.
User-Configured Security Rules
For example, Apple could develop some type of adaptive or risk-based authentication system for devices, such as one that detects when users attempt to authorize an unusually large payment via Apple Pay. While Rogers says he's a fan of that idea, he notes that any false negatives created by such a system could undercut Apple's reputation for creating an excellent user experience, and would thus likely make the company shy away from that approach.
Alternatively, Apple could allow users to configure some of these rules themselves. "For example, users could opt to prevent authentication when the user enables 'do not disturb,' until they turn it off and enter a passcode," he says. "Or Apple could allow the users to define times and places when stronger security is necessary." Either approach would make the iPhone harder to hack, regardless of whether Touch ID was spoofed.