Touch ID Bypass Detailed, 'Average Consumer' Shouldn't Worry

Over the weekend, the Chaos Computer Club announced that it had bypassed Apple’s Touch ID sensor using a photograph of a fingerprint to create a fake fingerprint model.

The full fingerprint emulation process has now been detailed in a new video from CCC member Starbug and replicated by security expert Marc Rogers, who believes the average consumer has nothing to worry about.


As seen in the video, the CCC uses a fingerprint taken from the screen of the iPhone 5s and then uses a complicated multi-step process to convert it to a usable print. According to Starbug, who spoke to Ars Technica, the process "was way easier than expected," taking just 30 hours to complete.

I was very disappointed, as I hoped to hack on it for a week or two. There was no challenge at all; the attack was very straightforward and trivial.

The Touch ID is nevertheless a very reliable fingerprint system. However, users should only consider it an increase in convenience and not security.

While Starbug suggests that the hack is "very easy" and can be completed with "inexpensive office equipment like an image scanner, a laser printer, and a kit for etching PCBs," Marc Rogers, who also completed the bypass, disagrees, noting that it requires "over a thousand dollars worth of equipment."touchid

But, the reality is these flaws are not something that the average consumer should worry about. Why? Because exploiting them was anything but trivial.

Hacking TouchID relies upon a combination of skills, existing academic research and the patience of a Crime Scene Technician.

Rogers goes on to explain the process, which requires an unsmudged, complete print of the correct finger and a way to “lift” the print using cyanoacrylate (super glue) fumes, fingerprint powder, and fingerprint tape. The lifted fingerprint must then be photographed, edited, and printed onto transparency film, where it is converted to a usable fingerprint via a PCB board or a laser printer.

Even when all of these steps are created, using the fake fingerprint was "tricky" and prone to failure.

So what do we learn from all this?

Practically, an attack is still a little bit in the realm of a John le Carré novel. It is certainly not something your average street thief would be able to do, and even then, they would have to get lucky. Don’t forget you only get five attempts before TouchID rejects all fingerprints requiring a PIN code to unlock it.

However, let’s be clear, TouchID is unlikely to withstand a targeted attack. A dedicated attacker with time and resources to observe his victim and collect data, is probably not going to see TouchID as much of a challenge. Luckily this isn’t a threat that many of us face.

With Touch ID able to be bypassed through a fake fingerprint, it remains unclear how the system functions. According to Apple, the sensor uses advanced capacitive touch and takes a high-resolution image from the “sub-epidermal layers” of skin, a process that, theoretically, should render a fake fingerprint useless. Starbug speculates that this is due to Apple's desire for usability over security, noting that the sensor will be defeated if the fake fingerprint is "sufficiently close" to the characteristics of human tissue.

Since its release, Touch ID has been the subject of much scrutiny. Senator Al Franken has sent a letter to Tim Cook asking a number of questions about the security of the system and the exact fingerprint storage process, and Apple has published an extensive knowledge base article about the benefits of the Touch ID system to alleviate some consumer concerns.

Top Rated Comments

portishead Avatar
104 months ago
I'm just not that important for someone to go through all that trouble to fake my fingerprint. I'll continue to use Touch ID. It works fine for what I use it for.
Score: 43 Votes (Like | Disagree)
Dwalls90 Avatar
104 months ago
If we could just add a short password and use TouchID then I think everything would be more secure.

No thanks.

Why would I want to use TouchID AND a passcode?

TouchID is supposed to remove the need for the passcode ...
Score: 25 Votes (Like | Disagree)
portishead Avatar
104 months ago
It's just not save enough.

It frign save i promis
Score: 22 Votes (Like | Disagree)
pk7 Avatar
104 months ago
Before people say:

"I can't believe it! Anyone can hack my iPhone with thousands of dollars worth of stuff like an image scanner, a laser printer, and a kit for etching PCBs, all in only 30 hours!?

Touch ID is a failure!!! :mad:"
Score: 22 Votes (Like | Disagree)
Benjamins Avatar
104 months ago
use your nipples instead.
Score: 20 Votes (Like | Disagree)
peejack Avatar
104 months ago
They didn't 'bypass' anything.

Grow up mac rumours.
Score: 20 Votes (Like | Disagree)

Top Stories

m1x mac mini screen feature

High-End 'M1X' Mac Mini With New Design and Additional Ports Expected to Launch in the 'Next Several Months'

Sunday August 22, 2021 5:59 am PDT by
Apple can be expected to launch an updated high-end Mac mini with a new design and a faster "M1X" Apple silicon processor in the "next several months," Bloomberg's Mark Gurman reports. In the latest publication of his Power On newsletter, Gurman writes that a new high-end Mac mini, which has previously been reported to feature a new design with additional ports, can be expected to replace...
mac scanner permission error

Apple Says Fix Planned for 'You Do Not Have Permission to Open the Application' Error When Using a Scanner on Mac

Saturday August 14, 2021 6:15 am PDT by
In a newly published support document on its website, Apple has acknowledged an error that some users may receive when they try to use a scanner with a Mac in the Image Capture app, Preview app, or the Printers & Scanners section of System Preferences. A screenshot of the error message from the HP Support Community When attempting to use a scanner with a Mac, Apple said users might get an...
macbookpro13large

macOS Big Sur Update Bricking Some Older MacBook Pro Models

Sunday November 15, 2020 5:33 am PST by
A large number of late 2013 and mid 2014 13-inch MacBook Pro owners are reporting that the macOS Big Sur update is bricking their machines. A MacRumors forum thread contains a significant number of users reporting the issue, and similar problems are being reported across Reddit and the Apple Support Communities, suggesting the problem is widespread. Users are reporting that during the...
original iphone

Phil Schiller Says iPhone Was 'Earth-Shattering' Ten Years Ago and Remains 'Unmatched' Today

Monday January 9, 2017 7:15 am PST by
To commemorate the tenth anniversary of the iPhone, Apple marketing chief Phil Schiller sat down with tech journalist Steven Levy for a wide-ranging interview about the smartphone's past, present, and future. The report first reflects upon the iPhone's lack of support for third-party apps in its first year. The argument inside Apple was split between whether the iPhone should be a closed...
m1 imac orange

New iMac Tidbits: Headphone Jack on Side, Ethernet Port on Power Adapter, Spatial Audio and WiFi 6 Support, No SD Card Slot

Wednesday April 21, 2021 6:38 am PDT by
Apple yesterday announced a completely redesigned 24-inch iMac with the M1 Apple silicon chip. The new iMac, the first major redesign of the Mac desktop computer since 2012, has several changes compared to the previous generation. In the aftermath of the event, a few new features and tidbits may have slipped under the radar, so we’ve compiled this list of some of the less-talked-about...
omg lightning cable comparison

Security Researcher Develops Lightning Cable With Hidden Chip to Steal Passwords

Thursday September 2, 2021 6:59 am PDT by
A normal-looking Lightning cable that can used to steal data like passwords and send it to a hacker has been developed, Vice reports. The "OMG Cable" compared to Apple's Lightning to USB cable. The "OMG Cable" works exactly like a normal Lightning to USB cable and can log keystrokes from connected Mac keyboards, iPads, and iPhones, and then send this data to a bad actor who could be over a...
Top Stories 75 Thumbnail

Top Stories: Last-Minute iPhone 13 Rumors, Apple Announces App Store Changes, and More

Saturday September 4, 2021 6:00 am PDT by
The finish line is in sight! Apple's annual iPhone event is likely just a week or so away and all eyes will be on the company as it unveils the next version of its most popular product line. With any luck, we'll also see the next-generation Apple Watch and perhaps even some new AirPods. Other news this week saw Apple making some more changes to its App Store policies in response to a...
General YouTube Feature 1

YouTube Premium and Music Surpass 50 Million Subscribers

Friday September 3, 2021 2:19 am PDT by
YouTube says it has passed 50 million subscribers for its Premium and Music subscriptions, making it the "fastest growing music subscription" service in the world, according to YouTube's global head of music, Lyor Cohen. YouTube says that it has more than 50 million paying subscribers collectively across YouTube Premium and YouTube Music. The Google-owned service says it attributes this...
iPhone 13 Dummy Thumbnail 2

Full iPhone 13 Feature Breakdown: Everything Rumors Say We Can Expect

Tuesday August 31, 2021 7:50 am PDT by
With the launch of Apple's iPhone 13 lineup believed to be just a few weeks away, we have compiled all of the coherent rumors from our coverage over the past year to build a full picture of the features and upgrades coming to the company's new smartphones. For clarity, only explicit improvements, upgrades, and new features compared to the iPhone 12 lineup are listed. It is worth noting that...
apple wallet drivers license

Apple Announces First U.S. States That Will Let You Add Your Driver's License to Your iPhone

Wednesday September 1, 2021 6:15 am PDT by
Apple today announced the first U.S. states that will be rolling out the ability for residents to add their driver's license or state ID to the Wallet app on the iPhone and Apple Watch. Arizona and Georgia will be the first states to support the feature, with Connecticut, Iowa, Kentucky, Maryland, Oklahoma, and Utah to follow, according to Apple. Apple said select TSA security checkpoints in ...