Touch ID Bypass Detailed, 'Average Consumer' Shouldn't Worry

Over the weekend, the Chaos Computer Club announced that it had bypassed Apple’s Touch ID sensor using a photograph of a fingerprint to create a fake fingerprint model.

The full fingerprint emulation process has now been detailed in a new video from CCC member Starbug and replicated by security expert Marc Rogers, who believes the average consumer has nothing to worry about.


As seen in the video, the CCC uses a fingerprint taken from the screen of the iPhone 5s and then uses a complicated multi-step process to convert it to a usable print. According to Starbug, who spoke to Ars Technica, the process "was way easier than expected," taking just 30 hours to complete.

I was very disappointed, as I hoped to hack on it for a week or two. There was no challenge at all; the attack was very straightforward and trivial.

The Touch ID is nevertheless a very reliable fingerprint system. However, users should only consider it an increase in convenience and not security.

While Starbug suggests that the hack is "very easy" and can be completed with "inexpensive office equipment like an image scanner, a laser printer, and a kit for etching PCBs," Marc Rogers, who also completed the bypass, disagrees, noting that it requires "over a thousand dollars worth of equipment."touchid

But, the reality is these flaws are not something that the average consumer should worry about. Why? Because exploiting them was anything but trivial.

Hacking TouchID relies upon a combination of skills, existing academic research and the patience of a Crime Scene Technician.

Rogers goes on to explain the process, which requires an unsmudged, complete print of the correct finger and a way to “lift” the print using cyanoacrylate (super glue) fumes, fingerprint powder, and fingerprint tape. The lifted fingerprint must then be photographed, edited, and printed onto transparency film, where it is converted to a usable fingerprint via a PCB board or a laser printer.

Even when all of these steps are created, using the fake fingerprint was "tricky" and prone to failure.

So what do we learn from all this?

Practically, an attack is still a little bit in the realm of a John le Carré novel. It is certainly not something your average street thief would be able to do, and even then, they would have to get lucky. Don’t forget you only get five attempts before TouchID rejects all fingerprints requiring a PIN code to unlock it.

However, let’s be clear, TouchID is unlikely to withstand a targeted attack. A dedicated attacker with time and resources to observe his victim and collect data, is probably not going to see TouchID as much of a challenge. Luckily this isn’t a threat that many of us face.

With Touch ID able to be bypassed through a fake fingerprint, it remains unclear how the system functions. According to Apple, the sensor uses advanced capacitive touch and takes a high-resolution image from the “sub-epidermal layers” of skin, a process that, theoretically, should render a fake fingerprint useless. Starbug speculates that this is due to Apple's desire for usability over security, noting that the sensor will be defeated if the fake fingerprint is "sufficiently close" to the characteristics of human tissue.

Since its release, Touch ID has been the subject of much scrutiny. Senator Al Franken has sent a letter to Tim Cook asking a number of questions about the security of the system and the exact fingerprint storage process, and Apple has published an extensive knowledge base article about the benefits of the Touch ID system to alleviate some consumer concerns.

Related Forum: iPhone

Top Rated Comments

portishead Avatar
137 months ago
I'm just not that important for someone to go through all that trouble to fake my fingerprint. I'll continue to use Touch ID. It works fine for what I use it for.
Score: 43 Votes (Like | Disagree)
Dwalls90 Avatar
137 months ago
If we could just add a short password and use TouchID then I think everything would be more secure.

No thanks.

Why would I want to use TouchID AND a passcode?

TouchID is supposed to remove the need for the passcode ...
Score: 25 Votes (Like | Disagree)
portishead Avatar
137 months ago
It's just not save enough.

It frign save i promis
Score: 22 Votes (Like | Disagree)
pk7 Avatar
137 months ago
Before people say:

"I can't believe it! Anyone can hack my iPhone with thousands of dollars worth of stuff like an image scanner, a laser printer, and a kit for etching PCBs, all in only 30 hours!?

Touch ID is a failure!!! :mad:"
Score: 22 Votes (Like | Disagree)
Benjamins Avatar
137 months ago
use your nipples instead.
Score: 20 Votes (Like | Disagree)
peejack Avatar
137 months ago
They didn't 'bypass' anything.

Grow up mac rumours.
Score: 20 Votes (Like | Disagree)

Popular Stories

reset password request iphone

Warning: Apple Users Targeted in Phishing Attack Involving Rapid Password Reset Requests

Tuesday March 26, 2024 4:34 pm PDT by
Phishing attacks taking advantage of Apple's password reset feature have become increasingly common, according to a report from KrebsOnSecurity. Multiple Apple users have been targeted in an attack that bombards them with an endless stream of notifications or multi-factor authentication (MFA) messages in an attempt to cause panic so they'll respond favorably to social engineering. An...
Generic iOS 18 Feature Purple

iOS 18: What to Expect From 'Biggest' Update in iPhone's History

Wednesday March 27, 2024 11:10 am PDT by
At least some Apple software engineers continue to believe that iOS 18 will be the "biggest" update in the iPhone's history, according to Bloomberg's Mark Gurman. Below, we recap rumored features and changes for the iPhone. "The iOS 18 update is expected to be the most ambitious overhaul of the iPhone's software in its history, according to people working on the upgrade," wrote Gurman, in a r...
maxresdefault

Apple Announces WWDC 2024 Event for June 10 to 14

Tuesday March 26, 2024 10:02 am PDT by
Apple today announced that its 35th annual Worldwide Developers Conference is set to take place from Monday, June 10 to Friday, June 14. As with WWDC events since 2020, WWDC 2024 will be an online event that is open to all developers at no cost. Subscribe to the MacRumors YouTube channel for more videos. WWDC 2024 will include online sessions and labs so that developers can learn about new...
apple maps 3d feature

Apple Maps May Gain Custom Routes With iOS 18

Tuesday March 26, 2024 3:10 pm PDT by
Apple may be planning to add support for "custom routes" in Apple Maps in iOS 18, according to code reviewed by MacRumors. Apple Maps does not currently offer a way to input self-selected routes, with Maps users limited to Apple's pre-selected options, but that may change in iOS 18. Apple has pushed an iOS 18 file to its maps backend labeled "CustomRouteCreation." While not much is revealed...
General iOS 17 Feature Orange Purple

Apple Releases Revised Versions of iOS 17.4.1 and iPadOS 17.4.1 With Updated Build Number

Wednesday March 27, 2024 5:59 am PDT by
Apple on late Tuesday released revised versions of iOS 17.4.1 and iPadOS 17.4.1 with an updated build number of 21E237, according to MacRumors contributor Aaron Perris. The updates previously had a build number of 21E236. The revised updates are available for all iPhone and iPad models that are compatible with iOS 17 and iPadOS 17, but they can only be installed via the Finder app on macOS...
maxresdefault

Apple to Launch New iPad Pro and iPad Air Models in May

Thursday March 28, 2024 11:07 am PDT by
Apple will introduce new iPad Pro and iPad Air models in early May, according to Bloomberg's Mark Gurman. Gurman previously suggested the new iPads would come out in March, and then April, but the timeline has been pushed back once again. Subscribe to the MacRumors YouTube channel for more videos. Apple is working on updates to both the iPad Pro and iPad Air models. The iPad Pro models will...
applephilschiller

Apple's Phil Schiller Works 80 Hours a Week Overseeing App Store

Wednesday March 27, 2024 2:03 pm PDT by
With the App Store and app ecosystem undergoing major changes in the European Union, The Wall Street Journal today shared a profile on App Store chief Phil Schiller, who is responsible for the App Store. Though Schiller transitioned from marketing chief to "Apple Fellow" in 2020 to take a step back from Apple and spend more time on personal projects and friends, he is reportedly working...