Two weeks ago Apple introduced its latest and greatest, the iPhone 5s. One of the phone’s much-touted and futuristic-sounding features is a fingerprint scanner, a biometric sensor that, theoretically, means that only you can unlock your phone. “It’s nothing like the balky, infuriating fingerprint-reader efforts of earlier cellphones. It’s genuinely awesome,” said the New York Times’ David Pogue. Which is all well and good, except a group of hackers known as the Chaos Computer Club say they’ve already cracked it.
The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple’s TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID.
- Take a high-resolution photograph of your fingerprint, say, from your fingerprint-smudged iPhone 5s
- Print out the photo of your fingerprint using thick ink, like from a laser printer
- Cover the photo with glue
- Once the glue is dry, lift it up to reveal the fingerprint indents
While the hackers claim the method is easy, it’s complicated enough that most iPhone 5S users aren’t as likely to have their security compromised by an everyday thief who would have to be willing to obtain a high-resolution photograph of a fingerprint and produce a physical fake….But the method’s relative simplicity, which involves photographing a fingerprint left behind on a surface and then creating a glue model of it, calls the sophistication of Touch ID’s technology into question.
But the idea of fingerprint-as-password, says CNet, has bigger problems.
“We hope that this finally puts to rest the illusions people have about fingerprint biometrics,” Chaos Computer Club spokesperson Frank Rieger said in a statement. “It is plain stupid to use something that you can’t change and that you leave everywhere every day as a security token.”
That blunt assessment echoes the critique of iPhone 5S security put forth by US Sen. Al Franken. “If someone hacks your password, you can change it — as many times as you want. You can’t change your fingerprints. … And you leave them on everything you touch; they are definitely not a secret,” the Minnesota Democrat wrote, in part, in a letter to Apple CEO Tim Cook dated Thursday. “Let me put it this way: if hackers get a hold of your thumbprint, they could use it to identify and impersonate you for the rest of your life.”