Got a tip for us? Share it...

New in OS X: Get MacRumors Push Notifications on your Mac

Resubscribe Now Close

Touch ID Bypass Detailed, 'Average Consumer' Shouldn't Worry

Over the weekend, the Chaos Computer Club announced that it had bypassed Apple’s Touch ID sensor using a photograph of a fingerprint to create a fake fingerprint model.

The full fingerprint emulation process has now been detailed in a new video from CCC member Starbug and replicated by security expert Marc Rogers, who believes the average consumer has nothing to worry about.


As seen in the video, the CCC uses a fingerprint taken from the screen of the iPhone 5s and then uses a complicated multi-step process to convert it to a usable print. According to Starbug, who spoke to Ars Technica, the process "was way easier than expected," taking just 30 hours to complete.
I was very disappointed, as I hoped to hack on it for a week or two. There was no challenge at all; the attack was very straightforward and trivial.

The Touch ID is nevertheless a very reliable fingerprint system. However, users should only consider it an increase in convenience and not security.
While Starbug suggests that the hack is "very easy" and can be completed with "inexpensive office equipment like an image scanner, a laser printer, and a kit for etching PCBs," Marc Rogers, who also completed the bypass, disagrees, noting that it requires "over a thousand dollars worth of equipment."touchid
But, the reality is these flaws are not something that the average consumer should worry about. Why? Because exploiting them was anything but trivial.

Hacking TouchID relies upon a combination of skills, existing academic research and the patience of a Crime Scene Technician.
Rogers goes on to explain the process, which requires an unsmudged, complete print of the correct finger and a way to “lift” the print using cyanoacrylate (super glue) fumes, fingerprint powder, and fingerprint tape. The lifted fingerprint must then be photographed, edited, and printed onto transparency film, where it is converted to a usable fingerprint via a PCB board or a laser printer.

Even when all of these steps are created, using the fake fingerprint was "tricky" and prone to failure.
So what do we learn from all this?

Practically, an attack is still a little bit in the realm of a John le Carré novel. It is certainly not something your average street thief would be able to do, and even then, they would have to get lucky. Don’t forget you only get five attempts before TouchID rejects all fingerprints requiring a PIN code to unlock it.

However, let’s be clear, TouchID is unlikely to withstand a targeted attack. A dedicated attacker with time and resources to observe his victim and collect data, is probably not going to see TouchID as much of a challenge. Luckily this isn’t a threat that many of us face.
With Touch ID able to be bypassed through a fake fingerprint, it remains unclear how the system functions. According to Apple, the sensor uses advanced capacitive touch and takes a high-resolution image from the “sub-epidermal layers” of skin, a process that, theoretically, should render a fake fingerprint useless. Starbug speculates that this is due to Apple's desire for usability over security, noting that the sensor will be defeated if the fake fingerprint is "sufficiently close" to the characteristics of human tissue.

Since its release, Touch ID has been the subject of much scrutiny. Senator Al Franken has sent a letter to Tim Cook asking a number of questions about the security of the system and the exact fingerprint storage process, and Apple has published an extensive knowledge base article about the benefits of the Touch ID system to alleviate some consumer concerns.

Related roundups: iPhone 5c, iPhone 5s, iPhone 6

Top Rated Comments

(View all)

7 months ago
I'm just not that important for someone to go through all that trouble to fake my fingerprint. I'll continue to use Touch ID. It works fine for what I use it for.
Rating: 43 Positives
7 months ago

If we could just add a short password and use TouchID then I think everything would be more secure.


No thanks.

Why would I want to use TouchID AND a passcode?

TouchID is supposed to remove the need for the passcode ...
Rating: 25 Positives
7 months ago

It's just not save enough.


It frign save i promis
Rating: 22 Positives
7 months ago
Before people say:

"I can't believe it! Anyone can hack my iPhone with thousands of dollars worth of stuff like an image scanner, a laser printer, and a kit for etching PCBs, all in only 30 hours!?

Touch ID is a failure!!! :mad:"
Rating: 22 Positives
7 months ago
use your nipples instead.
Rating: 20 Positives
7 months ago
They didn't 'bypass' anything.

Grow up mac rumours.
Rating: 20 Positives
7 months ago

No thanks.

Why would I want to use TouchID AND a passcode?

TouchID is supposed to remove the need for the passcode ...


Why not give the option?
1. Passcode only
2. TouchID only
3. Passcode and TouchID

Everyone has different needs, and the three options above should satisfy more people than the two options available now.
Rating: 18 Positives
7 months ago
not withstanding the fact that the hack is supposedly "very easy," even this expert took 30 hours to complete the hack...In a real life situation, the phone would have been wiped by then. now if it took 30 seconds, then maybe there's something to worry about
Rating: 14 Positives
7 months ago
I've worked with Marc plenty in the past. I'd agree that the average consumer has nothing to worry about.

Funny how people get up in arms about this but they didn't care or seem to realize that since about 2008 we've been able to pull all the data from your iPhone including passwords, email, text messages, web browsing history, and more. Doesn't matter if your passcode is set or not.
Rating: 10 Positives
7 months ago
Well this info is enough for me to not buy the 5S. If someone were to get ahold of my grocery list from the Notes App and find out that I am going to have Lasagna on Thursday my life will be flipped upside down.
Rating: 9 Positives

[ Read All Comments ]