German Hacking Crew Cracks iPhone Touch ID

A German hacking collective known as the Chaos Computer Club (CCC) has bypassed the biometric fingerprint sensor protection of the new iPhone, known as Touch ID, using “easy everyday means”.

The CCC claimed it had taken a photograph of a fingerprint from a glass surface and then created a “fake finger” to unlock an iPhone 5S. Last week, a crowdfunded bounty was offered to the first successful hack using such methods, which has almost hit $20,000.

Touch ID hacked

A hacker named Starbug was credited with the exploit and a short video showing the use of a fake fingerprint has been posted online.

“In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake,” Starbug said.

“As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere and it is far too easy to make fake fingers out of lifted prints.”

To carry out the hack, the CCC said it took a picture of a fingerprint at 2400dpi resolution, which was then inverted and laser printed at 1200dpi onto a transparent sheet with a thick toner setting.

“Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet,” the CCC said.

“After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone.”

Frank Rieger, another member of the CCC, said it was “plain stupid” to use fingerprints for logins, a “technology designed for oppression and control” rather than security.

The CCC now expects to receive the ‘Is Touch ID Hacked Yet?’ funds. A note on the competition’s website, founded by two members of the security community, read: “The Chaos Computer Club in Germany may have done it! Awaiting video showing them lifting a print (like from a beer mug) and using it to unlock the phone. If so, they’ll win.”

Many feared Apple could hand over fingerprint data from Touch ID to the US government, although early indications are that the information remains native on the device and the stored information is cryptographically hashed.

Last week, a bypass of the iPhone’s passcode security was also proven to work.

Were you paying attention to the launch? Try our iPhone 5C and 5S quiz!