The fingerprint reader on the iPhone 6 can be fooled by the same trick that unlocks the iPhone 5S — but it didn’t have to be that way.
There’s a lot that’s new in Apple’s just-released iPhone 6, but one feature hasn’t changed: Faked fingerprints can still fool the Touch ID fingerprint sensor.
Security on the Touch ID fingerprint reader has been tightened, but only marginally, said Marc Rogers, chief security researcher at Lookout Mobile Security.
“I don’t think people need to worry just yet, but there are distinct flaws that could lead to problems down the line,” he told CNET. Rogers wrote in a blog post that he was able to use the same low-budget technique to fake fingerprints and unlock the iPhone 6 as he did when he became one of the first researchers in 2013 to hack Touch ID on the iPhone 5S.
“Sadly there has been little in the way of measurable improvement in the sensor between these two devices,” he wrote. “Fake fingerprints created using my previous technique were able to readily fool both devices.”
Apple did not respond to a request for comment.
When Apple first introduced the Touch ID fingerprint reader as an added security measure in theiPhone 5S, security researchers quickly demonstrated that a decade-old technique could be used to spoof a fingerprint and unlock the phone. In 2002, Massachusetts Institute of Technology engineering professor Tsunetomo Mastumoto demonstrated (PDF) how fingers coated in a gummy substance like Elmer’s glue could be used to lift and replicate fingerprints.
A coming wrinkle to the situation is that Touch ID is about to become the security touchstone for Apple Pay, a system that uses the iPhone 6‘s new near-field communication chip and credit card management software with Touch ID to allow people to use their iPhones in place credit cards. Touch ID will be required to unlock Apple Pay, which is expected to open to the public sometime in October.
Rogers said, “Turning the phone into a giant credit card, who knows what criminals will do to make it work?”
Although he was careful to reiterate that he’s still a fan of Touch ID because hacking it “requires skill, patience, and a really good copy of someone’s fingerprint,” he was disappointed that Apple didn’t make it better.
“AuthenTek [the firm Apple bought for its fingerprint reading technology] had scanners that were capable of looking deeper into the finger, so that they could look past a fake fingerprint. I would’ve liked to see that implemented,” Rogers said. He added that although Apple wants as simple a payment system as possible, to make it as attractive to consumers as possible, since the system involves credit cards it would be better protected by Touch ID and a second authentication factor — such as a PIN, password, or pattern.
Even if adoption of Apple Pay is slow, as some people are expecting, history shows that hackers often go where the money is, and that could make the Touch ID a hot-button item indeed.
- Measuring Apple Pay’s success: Give it years, not months
- How to organize Share Sheets in iOS 8
- See inside the iPhone 6 and 6 Plus with new teardown
- How to use widgets on iOS 8
- Getting to know Apple’s new Family Sharing feature
- Apple’s Tim Cook: Innovation ‘alive and well’ at company
- iOS 8 brings big boost for Web programmers
- Find My iPhone has a new trick in iOS 8
- How to free up space on your iPhone to make way for iOS 8
- Three tips for Safari on iOS 8