When Touch ID was announced at the iPhone 5s launch, it was immediately besieged by detractors.
One area in particular for detractors is that the Touch ID system is susceptible is via spoofing an owner’s fingerprint. If true, this would pretty much leave the whole system open to an attacker, and now, with the iPhone 6 and Apple Pay, spoofing would easily expose the owner to fraudulent charges placed on the his credit cards.
The most convincing exposition on this was by the German Chaos Club group which quickly posted online video of how to spoof the Touch ID sensor system.
With the advent of Apple Pay based on Touch ID, this issue becomes even more critical.
Two facts are clear:
- it works,
- it is not all that difficult.
However, there is one clarification to point #2. It ought to read:
- It is not that difficult if you have a good fingerprint.
This is the fly in the spoofing ointment. Let’s look at the point in the video where they get the fingerprint in the still shot above. Let’s zoom in.
Look at those beautiful fingerprints! Wow. Easy to get a good mold for your spoof off of that!
The question is:
Where you gonna find prints like that in the wild?
Here is another photo of an iPhone screen – mine. I am sure it is a lot more typical.
Now let me see you get a print off of that!
This is not doctored, nor did I go out of my way to mess it up. It is just as I picked it up to take the photo. This is what you will see on the average cell phone. There is not a single space visible that is even recognizable as a fingerprint, let alone pretty enough to scan.
Clearly the How To video was made with fingerprints placed specifically to be read.
Look at those prints along the side. They look like they were taken at a police station.
Let’s look again at another common youtube video on the topic.
Notice how, once again, the anchor is deliberately pressing his thumb down onto a clean glass.
So, clearly – while the process of creating a spoof is not that difficult – but getting a good fingerprint is a lot more difficult. In fact, getting one with sufficient detail to make a good spoof is likely to be very hard. Certainly not so easy as it looks in the demonstrations.
There are of course other issues as well. Not only do you need a good fingerprint, but it has to be the right finger.
The question then becomes not whether a potential identity thief can theoretically spoof your fingerprint or not, but rather is it prohibitively difficult for him to get a useful print?
I believe that it would be extremely difficult for a casual thief to get a useful print. They certainly will not get one off your iPhone unless you go to great effort to leave a good one. Off a glass in a bar? Again, my guess is it would not be easy. Via some kind of social engineering? Perhaps.
But remember, the thief has only 48 hours to get a good print before the iPhone requires your passcode to open the phone. Also, he better get it right quickly as he has only five failures before it requires the passcode. Additionally, he may have even less time to use it as the owner can shut down the system via the Lost function on Find My iPhone.
Bottom line: If you have exceptionally valuable information on your iPhone that would be worth enormous sums of money, enough to warrant the investment of time and energy to get a good copy of your fingerprint, then you might want to forego the Touch ID.
In summary some advice:
- If your iPhone has keys to important state secrets, better not use Touch ID.
- If you hang out with junkies who might steal your prints when you are crashed out, skip it.
- If you are taking selfies of you and your spouses sister having sex, and your partner is suspicious, skip it.
Otherwise – go ahead and use Touch ID and Apple Pay, but:
- Create a secure, advanced password.
- Set up Find My iPhone – it is free –
- Use “Lost Mode” immediately if your phone is lost or stolen.
- Don’t give your fingerprints to strangers.
NOTE: The spoof was repeated on the iPhone 6 by security software firm Lookout – my response is below…
Dear friend – if you appreciate my commentary please view my products linked below.
Elegant, Handcrafted, Genuine Leather
Soon for iPhone 6 Plus!
Reply to Lookout blog post
Lookout posted a very interesting blog post.
They redid the spoof (what they call a hack) As I said above, I have no doubt that a spoof can be made, as they have confirmed. Yet in the end, I think we are in agreement. They write:
Just like its predecessor — the iPhone 5s — the iPhone 6’s TouchID sensor can be hacked. However, the sky isnt falling. The attack requires skill, patience, and a really good copy of someone’s fingerprint — any old smudge won’t work. [emphasis added]
Furthermore, the process to turn that print into a useable copy is sufficiently complex that it’s highly unlikely to be a threat for anything other than a targeted attack by a sophisticated individual.
This is precisely my point!
In the end, they conclude:
I’ll reiterate my analogy from my last blog on TouchID: We use locks on our doors to keep criminals out not because they are perfect, but because they are both convenient and effective enough to meet most traditional threats.