Pierluigi Paganini
September 24, 2014
A few days ago we discussed about the availability on the Internet of the exploit for iOS 7.x based devices, due to the diffusion of Apple Smartphones and tablets the security issued attracted the attention of the media as already occurred in the past for other flaws. One of the most debated security issue is related to the Touch ID fingerprint reader that appeared flawed for the iPhone 5S. My readers remember that exactly one year ago the Chaos Computer Club claimed to have bypassed the biometric security technology designed by Apple simply by making a copy of a fingerprint photographed on a glass surface.
Now Apple has released the new iPhone 6, a jewel rich of improvements, especially under the security perspective, but experts have discovered that Apple Touch ID still vulnerable to hack.
Marc Rogers, chief security researcher at Lookout Mobile Security, discovered that the Touch ID fingerprint reader on the new iPhone 6 can be fooled by the same trick that was working with iPhone 5S.
“I don’t think people need to worry just yet, but there are distinct flaws that could lead to problems down the line,” “Sadly there has been little in the way of measurable improvement in the sensor between these two devices,” Rogers wrote in a blog post. “Fake fingerprints created using my previous technique were able to readily fool both devices.”
In time I’m writing Apple still hasn’t responded to a request for comment to the researcher. Technically Rogers used fingers coated in a gummy substance like Elmer’s glue to lift and replicate fingerprints.
“I used a technique demonstrated by Tsutomu Matsumoto in his 2002 paper “The Impact of Artificial “Gummy” Fingers on Fingerprint Systems”. In this technique, you take the cleaned print image and without inverting it, print it to transparency film. Next, you take the transparency film and use it to expose some thick copper clad photosensitive PCB board that’s commonly used in amateur electrical projects. After developing the image on the PCB using special chemicals, you put the PCB through a process called “etching” which washes away all of the exposed copper leaving behind a fingerprint mold. Smear glue over this and when it dries, you have a fake fingerprint.” explained in a previous post describing the hack on iPhone 5s.
The impact of the flaw could be serious considering that Touch ID is the authentication system adopted by Apple for Apple Pay, a system implemented starting from the latest iPhone 6 and based on new near-field communication chip and credit card management software with Touch ID to allow people carry out mobile payments by tapping their device with an NFC reader and confirming the purchase with their fingerprint. Touch ID is a key component for the overall payment architecture, it was used with the purpose to make attractive to consumers the new payment method
Rogers explained that the sensor has been improved since its previous version but that anyway if fails the fingerprint validation.
“Another sign that the sensor may have improved is the fact that slightly “dodgy” fake fingerprints that fooled the iPhone 5S did not fool the iPhone 6. To fool the iPhone 6 you need to make sure your fingerprint clone is clear, correctly proportioned, correctly positioned, and thick enough to prevent your real fingerprint coming through to confuse it.” said Rogers.
Rogers hasn’t demonized the Touch ID, he considers it an effective security control that is anyway that is underused with unique usage for unlock of the phone.
Anyway Rogers remarks that since the system involves credit cards it would be better protected by Touch ID and a second authentication factor.
Let’s wait for Apple reply.
(Security Affairs – iOS6, Touch ID)
