The iPhone 6's TouchID fingerprint scanner can be fooled with some basic forensic work and a homemade fake fingerprint, one security expert has found — just as the iPhone 5s' TouchID sensor was.
That's bad news for Apple, especially since its new Apple Pay mobile payment system will use TouchID to verify payers. To be fair, TouchID seems to have improved slightly since last year — just not enough to keep out hackers with a little patience and a few episodes of CSI under their belts.
Last year, Germany's Chaos Computer Club proved it was able to unlock an iPhone 5s using a technique worthy of CSI: Team member "Starbug" lifted a fingerprint of the iPhone 5s' owner from a surface such as a glass, or even the iPhone itself, using fingerprint powder and fingerprint tape. He then photographed the print, inverted its colors (so the fingerprint's ridges were white or neutral and the spaces between the ridges were black) and printed it out on a high-definition laser printer.
This printed fingerprint served as a sort of stamp for the finger in question. Starbug put glue over this print. The ink used in the print left impressions in the glue, so that when the glue was dried and peeled away, it contained an exact replica of the original human fingerprint. Starbug then put this glue replica on the iPhone 5s' TouchID sensor, and the phone unlocked.
Using a slightly more complicated technique that involved etching the fingerprint image into plastic, Marc Rogers of San Francisco-based Lookout Mobile Security quickly proved he was also able to unlock an iPhone 5s with a fake fingerprint.
Rogers' technique, he wrote in a blog post yesterday (Sept. 23), also works on an iPhone 6 and 6 Plus. To be fair, his was quite an elaborate process, and probably beyond the resources of your average smartphone thief.
Rogers also noted that the iPhone 6's TouchID sensor had seen some slight improvements. The scanner was now more sensitive and therefore more accurate, with the result that fake prints had to be nearly perfect to pass the scanner. The improvements also resulted in fewer false negatives, Rogers says, though that's more a benefit for regular iPhone users than a security measure.
"None of these are challenging details for a researcher in the lab, but are likely to make it a little bit harder for a criminal to just 'lift your fingerprint' from the phone’s glossy surface and unlock the device," Rogers wrote.
In his blog post, Rogers concluded: "As it stands, TouchID remains an effective security control that is more than adequate for its primary purpose: unlocking your phone."
Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games.