When I heard the new Apple iPhone will come with a biometric scanner, I thought: what will the security experts say? Since the NSA & friends affair I am much more sensitive to the topic. Actually the german Chaos Computer Club hacked it recently. The CCC is a german group of hackers. They are pretty often cited by the press because they are known to find each and any security issue. They hacked the next generation of the governments identity card and they warned before the “fairy tale”of “email made in Germany”. They don’t have an english site to my knowledge.
First, check this video which shows how it works:
(note: the hacker uses his index finger to lock the phone, but his middle finger to unlock).
The CCC says, the materials for this hack are available in each household. The fingerprint was made visible from an used bottle. It was done with the steam of superglue, which binds to the fatty print. They photographed the fingerprint with a standard digital camera (2400 dpi). Then they cleaned up the image on the computer, inverted it and printed it to a transparent foil with at least 1200 dpi. They put some Latex milk or white wood glue on it. When it is dry, it the fingerprint has reproduced to the fake finger. With a little moist from your breath it will open your iPhone.
While a lot of people believe Apple invented something extraordinary, the CCC wrote Apples sensor just has a higher resolution compared to other sensors. They added it is an illusion and a stupid idea to take something like that for a security token. Fingerprints are left on countless places. Biometry can be used for surveillance, but not to prevent unauthorized access, so they say.
The CCC recommends iPhone users to not trust fingerprints for securing sensitive data. It is much easier to force somebody to put a finger on the phone than to speak out a complex password.
According to the MDR, The CCC got a price of 13.000$ for hacking the iPhone from the CT, a famous german IT magazine. CT mentioned the money was not so important, it was just the interest to see if the iPhone can be hacked.
While the CCC stays very sceptic against fingerprints, the CT is not so critical. They say, it is unlikely users protect their phone with a complex password in daily use and leave it unlocked. Therefore a fingerprint sensor still makes sense, because it is much harder to create such a fake finger. In other terms: better a fingerprint sensor than no protection at all.
Under the light of the NSA, I wonder how many people may have an interest in a fingerprints database. I wonder how many NSA backdoors exist. I wonder if somebody could steal my fingerprint from my iPhone and use it for other, not yet known, services in the future. I always was sceptic with biometry and still am. If you are interested in security things, I also recommend Bruce Schneiers blog.