iPhone 6 Touch ID Still Vulnerable to Specialized Fake Fingerprint Hack

Apple has done little to improve security in the Touch ID technology used in its current iPhone 6 handset, claims security researcher Marc Rogers of Lookout Security (via CNET). As shown by Rogers, the latest iPhone models are vulnerable to hacking using the same fake fingerprint technique first demonstrated with the iPhone 5s.

photo-3-touchid
The technique requires a hacker to lift a suitable fingerprint from a solid surface and create a copy using forensic techniques that require specialized equipment. If done properly, these replica fingerprints can activate the Touch ID sensors on both the iPhone 6 and the iPhone 5s.
Sadly there has been little in the way of measurable improvement in the sensor between these two devices. Fake fingerprints created using my previous technique were able to readily fool both devices.
Rogers adds that the only changes in Touch ID appear to be in the sensitivity of the iPhone 6 fingerprint sensor, with the iPhone 6 possibly supporting a higher resolution scan. This improved scanner makes it harder for a fingerprint to be cloned by an unskilled criminal, but it does not add any additional security precautions, such as a time-based passcode requirement, to the Touch ID authentication system.

Touch ID may offer adequate security for unlocking phones, but Rogers questions its effectiveness as a deterrent to the much more lucrative credit card and mobile payment theft. With Apple opening up its iPhone 6 to mobile payments with Apple Pay, the potential for this form of theft becomes more likely as criminals begin targeting iPhone users in order to exploit these mobile transactions. Still, the complexity of creating a fake fingerprint means users are much more likely to be affected by a stolen plastic credit card than a spoofed Touch ID fingerprint linked to Apple Pay.
[T]he sky isnt falling. The attack requires skill, patience, and a really good copy of someone’s fingerprint — any old smudge won’t work. Furthermore, the process to turn that print into a useable copy is sufficiently complex that it’s highly unlikely to be a threat for anything other than a targeted attack by a sophisticated individual.
Apple Pay is Apple's new mobile payment initiative that will debut with an iOS software update next month. The system uses NFC to process payments wirelessly with a one-time token and Touch ID authorization for security. Apple is partnering with credit card companies and US retailers including Walgreens, Macy's, and Nike to roll out the service.



Top Rated Comments

(View all)
Avatar
61 months ago
And the number of times this "hack" has actually been used successfully in the wild is...?
Rating: 55 Votes
Avatar
61 months ago
This is not news. Why even report this? Average person sees "Touch ID vunerable" and doesn't use it. Meanwhile, the contents of the article, just as last year, CLEARLY indicate how extremely difficult and unlikely this is to ever occur to anyone, or that it's even worth the effort, or possible to do quickly enough before the phone is remotely wiped (the function of which I'd hope anyone who has sensitive information on their phone is aware of)
Rating: 48 Votes
Avatar
61 months ago
They've also not improved the security of passwords I write down and leave all around where I've been. Anyone can still pick this up and access my phone. Disappointed. :rolleyes:
Rating: 32 Votes
Avatar
61 months ago

And the number of times this "hack" has actually been used successfully in the wild is...?


The next Mission Impossible movie.
Rating: 20 Votes
Avatar
61 months ago
Will our porn ever be safe?
Rating: 16 Votes
Avatar
61 months ago
Thats why Governments love to have your fingerprints. They can easily make a dummy finger now. So when they arrest you with your new shiny iPhone they just phone the lab to make one up. The lab kit makes it in 10, it arrives with the officer in 30 minutes. No need to know your password. And no one will know they've been in your iPhone

/s
/jk
enable panic mode
Rating: 16 Votes
Avatar
61 months ago
Not this crap again...
Rating: 15 Votes
Avatar
61 months ago
The guy contradicts himself in his own report. First he says there's been little improvement made to the sensor, and then he says that the sensor's resolution has likely been improved making it less likely that a poorly cloned fingerprint will work. Ummm, wouldn't that qualify as an improvement to the sensor? Duh.
Rating: 14 Votes
Avatar
61 months ago
In other words, few people if any might ever be affected by this. You have a better chance of being struck by lightning while being eaten by a shark than have this happen.
Rating: 10 Votes
Avatar
61 months ago
Newflash, no current security measure isn't vulnerable to a sophisticated, targeted attack by a skilled/knowledgeable individual or group.

My credit card info was just stolen last night.....I can tell you right now I am so ready for Apple Pay and will be actively trying to avoid places that don't accept it. At least until the chip/pin is viable here in the US. The few places where it works are apparently unbearably slow and inefficient.

Luckily for me, giving up shopping at Wal-Mart won't be too difficult....lol
Rating: 9 Votes
[ Read All Comments ]