Apple has done little to improve security in the Touch ID technology used in its current iPhone 6 handset, claims security researcher Marc Rogers of Lookout Security (via CNET). As shown by Rogers, the latest iPhone models are vulnerable to hacking using the same fake fingerprint technique first demonstrated with the iPhone 5s.
The technique requires a hacker to lift a suitable fingerprint from a solid surface and create a copy using forensic techniques that require specialized equipment. If done properly, these replica fingerprints can activate the Touch ID sensors on both the iPhone 6 and the iPhone 5s.
Sadly there has been little in the way of measurable improvement in the sensor between these two devices. Fake fingerprints created using my previous technique were able to readily fool both devices.
Rogers adds that the only changes in Touch ID appear to be in the sensitivity of the iPhone 6 fingerprint sensor, with the iPhone 6 possibly supporting a higher resolution scan. This improved scanner makes it harder for a fingerprint to be cloned by an unskilled criminal, but it does not add any additional security precautions, such as a time-based passcode requirement, to the Touch ID authentication system.
Touch ID may offer adequate security for unlocking phones, but Rogers questions its effectiveness as a deterrent to the much more lucrative credit card and mobile payment theft. With Apple opening up its iPhone 6 to mobile payments with Apple Pay, the potential for this form of theft becomes more likely as criminals begin targeting iPhone users in order to exploit these mobile transactions. Still, the complexity of creating a fake fingerprint means users are much more likely to be affected by a stolen plastic credit card than a spoofed Touch ID fingerprint linked to Apple Pay.
[T]he sky isnt falling. The attack requires skill, patience, and a really good copy of someone’s fingerprint — any old smudge won’t work. Furthermore, the process to turn that print into a useable copy is sufficiently complex that it’s highly unlikely to be a threat for anything other than a targeted attack by a sophisticated individual.
Apple Pay is Apple's new mobile payment initiative that will debut with an iOS software update next month. The system uses NFC to process payments wirelessly with a one-time token and Touch ID authorization for security. Apple is partnering with credit card companies and US retailers including Walgreens, Macy's, and Nike to roll out the service.