Apple Touch ID Fingerprint Reader Hack Heightens Biometrics Debate

Published: 22/11/2024   Category: security




Hackers say the attack demonstrates a fatal flaw of fingerprint biometrics: It's too easy to defeat



That didn't take long.
The biometrics hacking team of the Chaos Computer Club (CCC) has defeated Apple's Touch ID feature, a fingerprint reader unveiled last week as part of Apple's announcement of the iPhone 5s. The move by Apple led some security experts to express hope that its adoption could lead to increased interest in biometric technologies among consumers. But CCC researchers say it's proof that fingerprint readers should be viewed skeptically.
"We hope that this finally puts to rest the illusions people have about fingerprint biometrics," says Frank Rieger, spokesman for the CCC. "It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token."
News of the hack came roughly 24 hours after the phone became publicly available Sept. 20. Essentially, CCC researchers demonstrated that an attacker with physical access to the phone could take a picture or scan the fingerprints of the device's owner and use that to create a mold of the fingerprint to launch an attack.
"First, the residual fingerprint from the phone is either photographed or scanned with a flatbed scanner at 2400 dpi," the researchers note. "Then the image is converted to black and white, inverted and mirrored. This image is then printed onto transparent sheet at 1200 dpi."
"To create the mold, the mask is then used to expose the fingerprint structure on photo-sensitive PCB material," CCC hackers explain. "The PCB material is then developed, etched and cleaned. After this process, the mold is ready. A thin coat of graphite spray is applied to ensure an improved capacitive response. This also makes it easier to remove the fake fingerprint. Finally a thin film of white wood glue is smeared into the mold. After the glue cures the new fake fingerprint is ready for use."
The researchers also outlined another version of the attack, but said it was less reliable.
Apple did not respond to a request for comment.
Though the CCC criticized the use of fingerprint scanners for authentication and derided them as a technology designed for oppression and control, Paul Zimski, Lumension Security's vice president of solution marketing, says that the hack will probably not deter end users from leveraging the technology on their devices.
"Sure, it's not highly secure, but the average end user will most likely still use and rely on the scanner," Zimski says. "Trumping usability for security is somewhat of a universal constant in the consumerized world. If anything, this is also a good case for employing two-factor authentication."
"There's an illusion of fingerprints as some science-fiction thing that is always highly accurate," says Michael Pearce, security consultant for Neohapsis. Unfortunately, he adds, that is not the case.
"They are problematic when used on their own to authenticate," he says. "Further, because fingerprint measurements are never exactly the same, the manufacturer needs to balance an error rate for both letting people in falsely and locking them out wrongly. When most of your fingerprint measurements are going to be legitimate users every time they pick up their phone, you're more concerned with the 9,999 times it's the right user than the one time it's the wrong one, and, as a result, you will lean on the permissive side if you want your product usable."
Ultimately, noted cryptographer Bruce Schneier argues, Apple is trying to balance security with convenience.
"This is a cell phone, not an ICBM launcher or even a bank account withdrawal device," he blogs. "Apple is offering an option to replace a four-digit PIN -- something that a lot of iPhone users don't even bother with -- with a fingerprint. Despite its drawbacks, I think it's a good trade-off for a lot of people."
Still, blogs Errata Security's Robert Graham, the notion that the hack is too much trouble is profoundly wrong.
"Just because it's too much trouble for you doesn't mean it's too much trouble for a private investigator hired by your former husband," he blogs. "Or the neighbor's kid. Or an FBI agent. As a kid, I attended science fiction conventions in costume, and had latex around the house to get those Vulcan ears to look just right. As a kid, I etched circuit boards. This sort of stuff is easy, easy, easy -- you just need to try."