Apple is too shallow, must go deeper to beat TouchID fingerprint hack, say securo-bods
Yep, Gummi Bears can still defeat bio-reading tech
Lookout researcher Marc Rogers demonstrated that the TouchID fingerprint sensor of the latest iPhones could be made to work with a cloned fingerprint lifted from a shiny surface and recreated using glue, just like the iPhone 5S.
The use of the trick against the iPhone 5S was first shown by the Chaos Computer Club a year ago, but the basic method goes back to a Gummi Bear attack first demonstrated against fingerprint sensors 12 years ago.
"I was really surprised and disappointed there was no motion against the decade old Gummi attacks," commented distinguished security researcher Dan Kaminsky. "[But] without subsurface scanning that's gonna work forever."
Security researchers feel that Apple has missed the opportunity to make such attacks far more difficult, not least because the firm it bought to get into biometrics was working on tech to map the veins of fingers, and not just fingerprints.
"AuthenTec, the company Apple bought to make Touch ID, was working on technology that instead of just photographing the finger tried to scan structures below the surface," Rogers explained.
A patent - Finger sensor using polarized light and associated methods - obtained by AuthenTec shows the direction of its research at the time before it was bought by Apple. Incorporating more advanced sub-surface fingerprint or vein scanning would have driven up the price of the iPhone 5S and 6 but security researchers are still disappointed by Apple's decision on this front.
"I don't disagree about cost but if anyone can take tech and make it usable and affordable, it's Apple," according to Rogers. "There was speculation Apple would use that tech in TouchID, but in the end they didn't," he added.
Kaminsky said even the use of sub-surface scanning for fingerprint biometrics may not be unhackable, even though it's a hell of a lot better than what we have now.
"My worry is that - vein mapping notwithstanding - it'll be possible to compute subsurface from surface but obviously that's a way uglier problem, if only from a synthesis perspective, than the status quo," Kaminsky concluded. ®
Sponsored: Beyond the Data Frontier