Industry Trends

TouchID - Day 2 (CCC Successfully Defeats Sensor)

By Richard Henderson | September 22, 2013

The wizards at the Chaos Computer Club have publicly claimed to have defeated Apple's new TouchID sensor on the new iPhone 5s.

Watch the short video they've posted online to start:

So, how did they do it?

They started with a fingerprint on glass, then using the superglue vapour method (which has been around a long time, and often used by law enforcement), were able to augment the print enough to allow it to be photographed at high resolution.

After some image manipulation on the computer, the "cleaned up" print was then printed at a high resolution onto a laser transparency.

Finally, they coat the print in wood glue to create a fake, which is able to successfully fool the scanner.

They offer a complete run-down of the process here.

Their full press release can be read here.

What does this all mean? Based on what I've read, discussed and experimented myself:

  1. TouchID most definitely does not require a "live" finger. I was able to prove this myself by enrolling and unlocking the phone with a gelatin finger. The mechanism for detecting if a print is alive is simply a capacitance test in the steel ring around the sensor.

  2. The new sensor is remarkably precise. At its purported 500 ppi resolution, a lot of basic fingerprint molding techniques no longer pass the acid test.

  3. TouchID, as it currently stands, is simply a convenience tool, not a security tool. It certainly does work, and work well, but you should not rely upon it to protect the digital assets on your phone.

  4. Apple needs to push out an iOS update that allows users of TouchID to further secure their devices by enabling proper two-factor authentication with both a scan AND a passcode.

  5. Never underestimate the determination of the hacker community.

Congrats, CCC!

**Update 1 (22 Sep 14:00 PDT): ** Below I'll post some more thoughts and pictures about what I've done so far, and what's next.

After my initial failures (not being able to successfully bypass the sensor with a dummy print) and successes (proving the sensor CAN be fooled by a dummy print - see my video below successfully enrolling a fake print and then unlocking it), I went out in search of more supplies to continue the research.

1 prep

I made a bunch of new molds: 3 molds

Tangent: Sodium Alginate + sock = don't put that in the wash... not unless you want to clean out gelled alginate from the washer for a year. 2 whoops (...and yes, I know: sandals and socks?)

Here are my first set of gelatin prints poured and setting:

4 poured

Some molds didn't want to release the print easily:

5 model magic

After some careful peeling:

6 model magic cleaned

One issue with making gelatin prints is that you must be quick and steady on your pour - I was using squeeze bottles to pour, and the gelatin had already started to set, leading to a flow disruption. This caused a common problem in injection molding - what's known as flow lines.

7 bad pour 8 bad pour 2

So those weren't going to work.

Re-molded my thumb, and the clay molds came out pretty fine-detailed: 9 remold 1 10 repour 2

Both the guar gum and xantham gum were failures: 11 no go 12 no go 2

The sodium alginate, which is often used to cast prosthetics and such, didn't come out how I'd hoped; I plan on trying this one again today to see if I can improve it. It's also possible that I shouldn't be using pure alginate; I believe some of the alginate casting kits out there include some other chemicals. 13 sodium alginate

I repoured the two clay molds, and got some fantastic dummy fingers out of them: 14 repour 15 repour result 1 16 repour result 2

But in the end, nothing would bypass the phone's sensor.

What's certain here is that the sensor is very accurate and sensitive - these older methods of duplicating a fingerprint just don't provide the minute detail that's needed to create a reasonable facsimile of the print.

I plan on moving onto both CCC's glue method and a slight variation of the PCB etching method to independently verify it works; as I imagine others are (or already have). My suspicions and thoughts about it were pretty accurate: it's all about the resolution.

I had genuinely hoped we were seeing something new and fresh here that was defeating any attempt to bypass the sensor, but it appears that TouchID, while being a very good sensor, isn't particularly innovative in its operation.

Join the Discussion