iPhone Hack Fools Touch ID with Hand Photos

Jan Krissler, a.k.a. Starbug, demonstrates how he used a public photo of German Defense Minister Ursula von der Leyen to recreate her fingerprint.

Jan Krissler, a.k.a. Starbug, demonstrates how he used a public photo of German Defense Minister Ursula von der Leyen to recreate her fingerprint.

A photo of your hand can be used to recreate a fingerprint that could unlock your Touch ID-locked iPhone 6. So says German hacker Jan Krissler, who used public photos of German Defense Minister Ursula von der Leyen, taken at a news conference, to recreate the minister's fingerprints. 

Krissler, who goes by the hacking pseudonym Starbug, previously showed that he could unlock a Touch ID-locked iPhone 6 by forensically lifting a fingerprint from a surface such as a glass or the iPhone's own screen. But now Krissler has shown that he can thwart Touch ID even without physical access to the iPhone owner's fingerprint.

MORE: Best Mac Antivirus Software

Speaking on Dec. 27 at German hacking group Chaos Computer Club's annual convention in Hamburg, Krissler demonstrated that he used a photo of  von der Leyen's thumb, taken at a distance of 3 meters with a 200er-Objektiv lens at a news conference in October, as well as several other photos from other angles, to recreate von der Leyen's fingerprint.

Then Krissler used a commercial software product called VeriFinger to synthesize these photos into a fully imaged fingerprint, which should then be able to fool biometric security devices such as Apple's Touch ID fingerprint scanner, found in the iPhone 5S, iPhone 6 and 6 Plus, iPad Air 2 and iPad Mini 3. Krissler said that other image-processing software aside from VeriFinger could be used as well.

Once he has the digital image, Krissler can use the same method he previously described for unlocking Touch ID with physically obtained fingerprints: he inverts the colors of the obtained print, so the ridges of the fingerprint are rendered in white and the grooves in black, then prints the image in black ink. The black ink on the paper provides just enough texture to recreate a fingerprint's three-dimensional shape, but inverted.

Krissler then pours glue or plaster over the print of the fingerprint. The ink print serves as a stamp, imprinting the fingerprint's whorls and ridges into the glue and creating a mold that can successfully unlock a Touch ID-locked iPhone 6. 

Krissler says that even mobile phone cameras, with the right lighting, could be used to capture the necessary photos. He's also working on using public photos of a person's face to image his or her iris.

So what should politicians and other security-minded people do to protect their biometric data? Wear gloves, says Krissler. The full video of Krissler's presentation (in German) is available on YouTube

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can email Jill at jscharr@tomsguide.com, or follow her on Twitter @JillScharr and on Google+. Follow us @tomsguide, on Facebook and on Google+.

Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects.