iPhone 5S Fingerprint Security Can Be Easily Broken, Hackers Show

Apple says that the new iPhone 5S' fingerprint sensor is "a convenient and highly secure way to access your phone." The former is true. The latter, not so much. The fingerprint security can be easily broken. Jealous spouses and industrial spies, rejoice!


The usual Apple boosters bought into the company's claims without even questioning their claims. They said the iPhone's fingerprint sensor is different from other lesser fingerprint sensors because it can't be fooled—it uses your deep skin fingerprint. They could have also said it's different because it runs on magicks and unicorn sperm. It makes the same sense.

How to break it

In this video—and the accompanying article—hackers from the Chaos Computer Club in Germany claim that, in reality, the sensor is just the same as any other sensor. It runs at a higher resolution but it can be fooled just the same.

The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple's TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID.

The group used a digital camera to photograph a fingerprint from a glass. Then used this to build a fake skin, which they used to access a "fingerprint secured" iPhone 5S without any difficulty.

First, the fingerprint of the enroled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.

The video above demonstrates that the hack works perfectly.

So, apparently and contrary to Apple's corpospeak—and all the echoes from the Cupertino chorus line—your iPhone's fingerprint security can be broken. With a camera, a laser printer, and some wood glue—just like every other fingerprint sensor in the world. It seems to have no special powers.


The fingerprint sensor is still convenient—it is, along with the new camera, why I'm getting a 5S myself—but don't count on it to protect any sensitive information in your iPhone. If you think someone may be interested in accessing your iPhone for whatever reason, they would be able to do it easily using this hack (and no, people don't need to steal the phone. Your spouse or your roommate can do this while you are sleeping or away, for example.)


Fried Yoda

It seems like everyone is digging to find extreme situations to discredit Touch ID. What if someone cuts of your finger? What if someone holds a gun to your head? What if someone waits for you to be asleep and touches your finger with your phone then? What if someone takes a high-res picture of your finger? Seriously, this is absurd. There will always be extreme circumstances under which any form of security can be cracked (what if the creator of MD5 was held in a torture chamber with a hot poker prodding his balls until he divulged how to crack it?). It's incredibly stupid to be writing articles about this because you're trying to make the exception the rule. If you want to educate people on whether or not to keep sensitive information on their mobile device, fine. But don't do it using extravagant scare tactics of situations that only exist in Mission Impossible movies.