Bypassing Fingerprint Biometrics Nothing New

Jason Soroko

So, Germany’s Chaos Computer Club — which weirdly sounds like an outcast AV group at someone’s high school — claims to have circumvented Apple’s new Touch ID fingerprint biometric sensor featured on the just-released iPhone 5s. This isn’t news.

Sure, it’s new in relation to attacking the consumer-loved iPhone image. But the “hack” shown is more than 10 years old. Simply put, you need to collect the actual index fingerprint, and you need a high-resolution printer (1200 DPI, per the CCC, which can be had for as low as $100 on Amazon), latex, some wood glue and free time. These same techniques were researched, published and reviewed as far back as 2003.

This bypass is no different from a PIN bypass: PINs can be recorded while you type or even guessed based on smudges. It’s even possible to obtain sensitive information from Siri or exploit the device via other lock-screen bypasses.

In the end, physical retention of the phone is always important whether you are using a PIN, biometric or any other security element. In essence, users should treat their mobile devices like their wallets.

What is most important is whether you are susceptible to fraud via your banking app or other secure apps on your mobile device. As of right now, mobile devices are still more secure than desktops. That fact doesn’t change with PIN or biometric hacks.

Regardless of this low-level hack, consumers’ biometric data for Apple Touch ID remains absolutely secure. It’s still encrypted on a secure element on the mobile device’s chip, which Apple is calling the Secure Enclave.

In fact, a statistical model of the fingerprint is hashed and encrypted. When access or authorization requests are made, a new statistical model is taken and compared to the original models. The original data is not an actual picture of the fingerprint and is never transferred, shared or otherwise communicated with Apple, iCloud or the cellular provider.

The important thing to remember is what Apple is attempting to do with security: build it into the core of the iDevice experience and raise security, essentially, from zero.

Many users don’t leverage the passcode lock/unlock, and if Apple can make this process as easy as the touch of a button, that creates a considerably more secure platform as a whole.

There is also discussion around lifting fingerprints. Let’s be very clear: if someone wants into a device badly enough, they will gain access. And what you can perform in a lab-controlled environment is much different from what you can do in the real world. Touch ID is intended to help thwart nosy people, snatch-and-dash thefts and other low-level, illicit access attempts.

The media seems to have missed the point. Privacy and security are something Apple takes very seriously, and aside from the fallibility of fingerprint biometrics in general, Apple has done a very solid job introducing the first-generation Touch ID.

If you hold privacy and security in high regard, you should treat your mobile devices like you do your wallet. They hold as much, if not more, sensitive data. Familiarize yourself with the improved security measures put in place by Apple in iOS 7 and the latest round of iPhones.

Jason Soroko
Manager, Security Technologies

Soroko has spent 17 years in systems architecture and development roles in diverse industries with an emphasis on security. As the threat landscape becomes more advanced, the need for Entrust to understand evolving threats requires deep and dedicated thinking in security concepts. Soroko's thought-leadership in security is rooted in connecting the threat perspective to how systems work as a whole. He frequents security conferences and publishes on important security topics.
