Apple's iPhone 5S
is off to a running start with record-breaking sales
, but it appears that the device's much-hyped security feature Touch ID has already been cracked. A German biometrics hacking group called the Chaos Computer Club posted a video online on Sunday demonstrating how they've bypassed the iPhone 5S' fingerprint scanner.
The hackers say they spoofed Touch ID by taking a high-resolution photo of the users fingerprint and inverting the image, which is then printed onto a transparent sheet, using a thick toner. A thin layer of wood glue or pink latex milk was then poured over the printed image. Once dried, a thin layer of latex is created that can be used as a fingerprint.
"Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake," a hacker nicknamed Starbug
, who performed the test, saidon the group's blog. "As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints."
The team photographed the fingerprint at an extremely high resolution of 2,400 dots per inch and printed the inverted image at 1,200 dpi. By comparison, a typical online photo is about 72 dpi, while print images are typically 300 dpi. Apple uses a 500 dpi fingerprint sensor.
According to CNET
, Starbug has been offered a reward through a website created by security researcher Nick DePetrillo, called IsTouchIDHackedYet.com
. The site took pledges from donors who agreed to pay the hacker who was first to crack Touch ID. The total amount so far has passed $14,000.
Fingerprint scanners have been tricked in the past and security researchers warn
that even biometric security is not impentetrable. In 2002, a Japanese cryptographer Tsutomu Matsumoto used gelatin and a plastic mold to fake a fingerprint.
In 2009, Agence France-Presse (AFP) reported
that a South Korean woman spoofed a multimillion dollar fingerprint sensor with a piece of tape on her finger, in order to gain entrance into Japan.
"We hope that this finally puts to rest the illusions people have about fingerprint biometrics," Frank Rieger, spokesperson of the Chaos Computer Club, said in a blog post. "It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token."
Apple has not responded to a request for comment.