When Touch ID was announced at the iPhone 5s launch, it was immediately besieged by detractors.
One area in particular for detractors is that the Touch ID system is susceptible is via spoofing an owner’s fingerprint. If true, this would pretty much leave the whole system open to an attacker, and now, with the iPhone 6 and Apple Pay, spoofing would easily expose the owner to fraudulent charges placed on the his credit cards.
The most convincing exposition on this was by the German Chaos Club group which quickly posted online video of how to spoof the Touch ID sensor system.
With the advent of Apple Pay based on Touch ID, this issue becomes even more critical.
Two facts are clear:
- it works,
- it is not all that difficult.
However, there is one clarification to point #2. It ought to read:
- It is not that difficult if you have a good fingerprint.
This is the fly in the spoofing ointment. Let’s look at the point in the video where they get the fingerprint in the still shot above. Let’s zoom in.
Look at those beautiful fingerprints! Wow. Easy to get a good mold for your spoof off of that!
The question is:
-
Where you gonna find prints like that in the wild?
Here is another photo of an iPhone screen – mine. I am sure it is a lot more typical.
Now let me see you get a print off of that!
This is not doctored, nor did I go out of my way to mess it up. It is just as I picked it up to take the photo. This is what you will see on the average cell phone. There is not a single space visible that is even recognizable as a fingerprint, let alone pretty enough to scan.
Clearly the How To video was made with fingerprints placed specifically to be read.
Look at those prints along the side. They look like they were taken at a police station.
Let’s look again at another common youtube video on the topic.
Notice how, once again, the anchor is deliberately pressing his thumb down onto a clean glass.
So, clearly – while the process of creating a spoof is not that difficult – but getting a good fingerprint is a lot more difficult. In fact, getting one with sufficient detail to make a good spoof is likely to be very hard. Certainly not so easy as it looks in the demonstrations.
There are of course other issues as well. Not only do you need a good fingerprint, but it has to be the right finger.
The question then becomes not whether a potential identity thief can theoretically spoof your fingerprint or not, but rather is it prohibitively difficult for him to get a useful print?
I believe that it would be extremely difficult for a casual thief to get a useful print. They certainly will not get one off your iPhone unless you go to great effort to leave a good one. Off a glass in a bar? Again, my guess is it would not be easy. Via some kind of social engineering? Perhaps.
But remember, the thief has only 48 hours to get a good print before the iPhone requires your passcode to open the phone. Also, he better get it right quickly as he has only five failures before it requires the passcode. Additionally, he may have even less time to use it as the owner can shut down the system via the Lost function on Find My iPhone.
Bottom line: If you have exceptionally valuable information on your iPhone that would be worth enormous sums of money, enough to warrant the investment of time and energy to get a good copy of your fingerprint, then you might want to forego the Touch ID.
In summary some advice:
- If your iPhone has keys to important state secrets, better not use Touch ID.
- If you hang out with junkies who might steal your prints when you are crashed out, skip it.
- If you are taking selfies of you and your spouses sister having sex, and your partner is suspicious, skip it.
Otherwise – go ahead and use Touch ID and Apple Pay, but:
- Create a secure, advanced password.
- Set up Find My iPhone – it is free –
- Use “Lost Mode” immediately if your phone is lost or stolen.
- Don’t give your fingerprints to strangers.
NOTE: The spoof was repeated on the iPhone 6 by security software firm Lookout – my response is below…
————————–
Comments?
Dear friend – if you appreciate my commentary please view my products linked below.
Elegant, Handcrafted, Genuine Leather
SmartPhone Holster
Soon for iPhone 6 Plus!
Thank you!
————————————————————————————————————–
Free Short Story!
YA EN ESPAÑOL: LA HABITACION
MOST MAGYARUL: A SZOBA
Histoire Libre: La Chambre d’Hôtel
————————————————————————————————————–
Reply to Lookout blog post
Lookout posted a very interesting blog post.
They redid the spoof (what they call a hack) As I said above, I have no doubt that a spoof can be made, as they have confirmed. Yet in the end, I think we are in agreement. They write:
Just like its predecessor — the iPhone 5s — the iPhone 6’s TouchID sensor can be hacked. However, the sky isnt falling. The attack requires skill, patience, and a really good copy of someone’s fingerprint — any old smudge won’t work. [emphasis added]
They continue:
Furthermore, the process to turn that print into a useable copy is sufficiently complex that it’s highly unlikely to be a threat for anything other than a targeted attack by a sophisticated individual.
This is precisely my point!
In the end, they conclude:
I’ll reiterate my analogy from my last blog on TouchID: We use locks on our doors to keep criminals out not because they are perfect, but because they are both convenient and effective enough to meet most traditional threats.
jmmxtech 
I’m surprised you didn’t mention that the alternative to Touch ID – a hand-entered PIN – is much easier to “hack” in the real world, since simply watching a person entering their pin can easily be sufficient to gather the PIN. This is much easier than spoofing somebody’s fingerprint
Glenn –
Good point.
Thanks for the comment.
Very late to the party here sorry.
I broadly agree that the threat of an attack via or for your phone is very unlikely, I fundamentally do not like bio auth however simply because you cannot change it if compromised.
If we could use our imaginations a little and roll forward to a future where this technology is being used to frequently authorise payments (ala apply pay) and other secure information then it stands to reason it will attract criminal interest.
I can’t see them meticulously dusting for prints etc but I can see the emergence of devices specifically designed to lift prints when touched, not dissimilar to tactics like card skimmers etc. The person who can invent this will likely become very rich so these would quickly become be purchasable devices for criminals
All in all, as soon as there’s serious cash involved, you’ll will likely end up with an underground black trade market much like the credit card one now where a single card can cost just a few cents. The important difference that you can cancel a card, you can never change your biometric makeup. It’s madness to devise a security model around it.
Ash –
First, thank you for following my blog. I am flattered.
You make some good points. Clearly if someone comes up with a very good fingerprint scanner then that could change things. Still, I think that 2 problems remain
– 1 – there must be a good fingerprint to begin with, and
– 2 – it must be easily associated with the “hit”
All this takes a degree of effort that may not be worth it except for specific targets. All one gets for the effort is the use of the target’s iPhone, and even then, the stolen device can be quickly and easily traced and or disabled.
So, for now, this is a reasonable model. If the fingerprint scanner should come into use, then perhaps we will need to go onto another model.
Best regards – JMM
I don’t disagree with you that basing security solely around bio-metrics is a bad idea because one cannot change their bio-metrics, and if someone figures out how to spoof that, they can reliably impersonate you.
However, most of us have 10 fingerprints. You CAN change which one you wish to use.
Furthermore, perhaps a significantly more sophisticated solution using this technology would be to require more than just a single fingerprint swipe. How about 2 or 3 fingers in sequence? Then the spoofer needs to spoof more than one fingerprint – the correct ones, plus know your sequence.
Just the other day I heard on the radio about the idea of “paying with a selfie” – an authentication method using your phone’s camera that recognizes your facial bio-metrics. It requires a “blink” so that the system recognizes you as a living person, as opposed to a photograph. Essentially what it is doing is recognizing your facial bio-metrics in a sequence: eyes-open, eyes closed, eyes-open – literally within the time span of a blink of an eye.
We might even look at combining these technologies together.