A couple of days after the iPhone 5s with TouchID technology was launched, it grabbed the headlines for all the wrong reasons: a hacking group that calls itself the Chaos Computer Club (CCC) said biometric security couldn't prevent them from bypassing the lock screen and accessing all the data in the latest-generation iPhone.
The group said that all that was needed was a glue model of the user's fingerprint.
"This demonstrates - again - that fingerprint biometrics is unsuitable as access control method and should be avoided," the group blogged.
"We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token," said Frank Rieger, spokesperson of the CCC. "The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access."
The blog post kicked up a storm, and Apple critics were quick to dismiss the biometric security technology as nothing more than a marketing gimmick by Apple to boost the sales of its latest smartphone.
Is the iPhone 5s really secure, or is TouchID just a marketing ploy? To answer this question, let's take a closer look at the technology and at how the CCC hacked into the smartphone.
Apple had spent a fortune buying the patented technology from UK biometrics company AuthenTec, and TouchID is, indeed, one of the most advanced forms of biometric security around.
The TouchID reader not only senses the pattern of the user's fingerprint, but also scans the living cells underneath the skin using radio frequency field sensing (RF), to detect the moisture and heat of the living skin. It means that it is able to recognize the difference between a live finger and a dead finger.
Here's how the CCC circumvented the security:
First, the residual fingerprint from the phone is either photographed or scanned with a flatbed scanner at 2400 dpi. Then the image is converted to black & white, inverted and mirrored. This image is then printed onto transparent sheet at 1200 dpi. To create the mold, the mask is then used to expose the fingerprint structure on photo-sensitive PCB material. The PCB material is then developed, etched and cleaned. After this process, the mold is ready. A thin coat of graphite spray is applied to ensure an improved capacitive response. This also makes it easier to remove the fake fingerprint. Finally a thin film of white wood glue is smeared into the mold. After the glue cures the new fake fingerprint is ready for use.
The hackers also had to breathe on their latex fake to make it warm and moist and fool the reader into thinking it was live skin.
According to the CCC, the TouchID reader is no different from other biometric readers on the market. "Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake," said hacker Starbug, who had successfully circumvented the lock screen.
Fingerprints, the hacker said, "should not be used to secure anything."
"You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints," the hacker said.
The hack could be a big blow to the biometrics industry and to Apple, but the company had no choice: making the TouchID reader any stricter would make it so sensitive that it wouldn't work for people with nicks, cuts or any other form of damage on their fingers.
However, iPhone 5s users can breathe easy for 2 big reasons:
1. The process of hacking into the iPhone 5s is ridiculously laborious and requires the patience and skill of a crime scene technician (or an espionage agent) - The thief would first need to know which finger the user has used to unlock the device and then lift a clean print of that finger. That means the thief would need to stalk the user, know where the user is likely to leave her fingerprint, and then find a way to access it and lift it.
And, how many thieves would have a camera capable of taking images at 2400 dpi as well as a 1200 dpi printer?
2. TouchID is not the only technology the thieves have to bypass - The iPhone 5s doesn't just have TouchID. It also has the regular passcode protection system, and it doesn't let you register a fingerprint without also creating a regular passcode (you're also required to enter the regular passcode every time you restart the device and whenever 48 hours have elapsed since you last used it).
TouchID will also automatically disable itself after 5 failed attempts and you'll need a PIN code to unlock it.
And, let's not forget, the user can also remotely erase or lock the iPhone via iCloud.
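The passcode fallback rules described above (restart, 48 hours, 5 failed attempts) can be modelled as a small state machine that shows how narrow the window for a fake print is. This is an added illustration, not Apple's code and not part of the original article; the class and function names are hypothetical, and it assumes "last used" means the last successful unlock and that a successful unlock resets the failure count.

```python
from dataclasses import dataclass
from typing import Optional
MAX_FAILED_MATCHES = 5            # article: TouchID disables itself after 5 failures
PASSCODE_MAX_AGE_S = 48 * 3600    # article: passcode needed after 48 hours

@dataclass
class UnlockPolicy:
    """Hypothetical model of the article's fallback rules (not Apple's code)."""
    last_unlock: Optional[float] = None   # None: device has just restarted
    failed_matches: int = 0

    def fingerprint_allowed(self, now: float) -> bool:
        if self.last_unlock is None:                        # restart rule
            return False
        if self.failed_matches >= MAX_FAILED_MATCHES:       # lockout rule
            return False
        return now - self.last_unlock < PASSCODE_MAX_AGE_S  # 48-hour rule

    def try_fingerprint(self, now: float, matched: bool) -> str:
        if not self.fingerprint_allowed(now):
            return "passcode_required"    # the sensor result is ignored entirely
        if not matched:
            self.failed_matches += 1
            return "rejected"
        return self._unlock(now)

    def enter_passcode(self, now: float, correct: bool) -> str:
        return self._unlock(now) if correct else "rejected"

    def restart(self) -> None:
        self.last_unlock, self.failed_matches = None, 0

    def _unlock(self, now: float) -> str:
        # Assumption: any successful unlock resets the failure count and the clock.
        self.last_unlock, self.failed_matches = now, 0
        return "unlocked"

def replay(events):
    """Run (hour, kind, ok) events through a freshly booted device."""
    policy, outcomes = UnlockPolicy(), []
    for hour, kind, ok in events:
        step = policy.enter_passcode if kind == "passcode" else policy.try_fingerprint
        outcomes.append(step(hour * 3600.0, ok))
    return outcomes

# Constructed timeline: boot, normal use, five bad touches, then a long idle gap.
TIMELINE = ([(0, "finger", True), (0, "passcode", True), (1, "finger", True)]
            + [(2, "finger", False)] * 5
            + [(2, "finger", True), (3, "passcode", True), (52, "finger", True)])
```

Calling `replay(TIMELINE)` shows that a matching fingerprint is refused right after boot, after the fifth bad touch, and after the 48-hour gap, so in each case only the passcode unlocks the device.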
In other words, the iPhone 5s TouchID system won't be enough to protect your data against an attack mounted by the likes of Jason Bourne, but for the average consumer, it offers a relatively more secure system of accessing the device, and is your best bet yet against common thieves and snoopy friends.
Meanwhile, here's a word of advice: Avoid storing sensitive data on your mobile devices because no locking mechanism - be it passcodes or biometrics - is 100% fool-proof.