Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the TidBITS Content Network for Apple consultants.



Pick an apple! 


Related Articles



Touch ID Already Defeated

The Chaos Computer Club has reportedly figured out how to defeat Touch ID, the fingerprint scanner in the iPhone 5s, with a fake finger. The method involves taking a 2400 dpi picture of an approved fingerprint, laser printing the image with a thick toner setting, and smearing latex on top to create a mold. Starbug, the hacker who performed the tests, said that the main difference between Apple’s sensor and others is that Apple’s has a higher resolution.favicon follow link


Comments about Touch ID Already Defeated
(Comments are closed.)

Joe Swann  2013-09-23 09:27
This is not to say that we should throw prudence out the window -- I certainly lock my house, my truck, my computer, my phone, etc. -- but locks only keep honest people out.
artMonster  2013-09-23 10:54
Imagine if "hackers" were constantly testing your security by showing how to break into your house, your car, etc. like they do with computers, phones, printers, microwave ovens, pacemakers, etcetera. I am sure I missed some.
Adam Engst  An apple icon for a TidBITS Staffer 2013-09-23 11:46
A fair point, and one that I'm sympathetic to, but I think the difference is that we're being told by the companies building this technology that it's secure, so the demonstrations aim to show the validity (or lack thereof) of those claims. In the more egregious examples, it's a little like a door company claiming that their screen door will deter thieves because it has a simple lock, when it's obvious that anyone could slash the screen with any piece of metal.
artMonster  2013-09-23 13:31
I was thinking more along the lines of public sharing of how to break into specific homes, cars, etcetera. Imagine the paranoia.
Adam Engst  An apple icon for a TidBITS Staffer 2013-09-23 14:39
Yes, it's an easily crossed line, depending on how specific and personal it gets, but this is at a product level. So it's like showing how to open a Kryptonite bike lock with a Bic pen, to give a real example. People who own, or are considering Kryptonite locks, would want to know about that. (This exploit is old, so I assume it no longer works on modern bike locks.)
Anonymous  2013-09-23 11:39
C'Mon, give me a break. They haven't 'defeated' the TouchID. Their 'hack' only works if they already have a copy of your fingerprint. That's like saying they can defeat password protection if they know your password.
Just plain silly.
Adam Engst  An apple icon for a TidBITS Staffer 2013-09-23 11:42
No, it's not a serious vulnerability, but the point is that the Touch ID scanner can be fooled with a fake finger. Now that it's clear that a fake is sufficient, you can bet that people will start investigating other methods of creating the fake.
artMonster  2013-09-23 13:36
This demonstration is not nearly definitive enough to even prove that they did, in fact, defeat TouchID. But for sure, many are trying to do just that, and nothing is truly impenetrable... I commend Apple for trying to maintain the balance between security and usability.
Josh Centers  2013-09-23 14:40
I was careful not to call it a "hack," since it's not. But since Touch ID can be fooled by a fake finger, something which should not happen, it has, in fact been defeated.

However, it's not a vulnerability that I'm terribly worried about, since it takes prolonged access to a phone and a significant level of skill.
Josh Centers  2013-09-23 14:40
artMonster  2013-09-23 14:59
Ok then. Backup plan. Wonder if a nose print would work? Hard to find anywhere to lift those from. ;)
Josh Centers  2013-09-23 15:01
My understanding is that nose prints, cat paw prints, nipple prints, and even…other parts will work.
artMonster  2013-09-23 15:03
I was going to mention "other parts" but thought better of it. Hope that doesn't catch on.
Adam Engst  An apple icon for a TidBITS Staffer 2013-09-23 15:32
Department store windows! :-)
Jean-Michel Paris  2013-09-23 20:40
Most people don't even use a simple password on their phone. Touch ID solves this problem quite elegantly and almost transparently.

If your iPhone contains sensitive material, you may simply use the traditional password that is available as an additional measure, after you passed the Touch ID test.
Curtis Wilcox  An apple icon for a Friend of TidBITS 2013-09-24 15:49
My understanding is you can't require both Touch ID and a passcode to unlock your iPhone 5s. Some apps let you set a separate passcode which could help protect information stored in those apps.