Apple’s Touch ID authentication system can be defeated using a well-honed technique for creating a latex copy of someone’s fingerprint, according to a German hacking group.
The Chaos Computer Club (CCC), which hosts an annual hacking conference and publishes computer security research, wrote on its blog that their experiment shows that fingerprint authentication “should be avoided.”
Apple introduced Touch ID with its latest high-end iPhone 5S on Sept. 10. A person’s “fingerprint is one of the best passcodes in the world. It’s always with you, and no two are exactly alike,” according to the company’s website.
A hacker who goes by the name Starbug found that while Touch ID scans at a higher resolution, it can be beaten by increasing the resolution of the victim’s fingerprint.
The CCC posted a video of what it wrote is a successful attack. Faking the print involves photographing the victim’s fingerprint at 2400 DPI. The image is inverted and laser printed at 1200 DPI onto a transparent sheet using a “thick toner setting,” according to the CCC.
Pink latex milk or white wood glue is smeared into the pattern created the toner. After it cures, a sliver of latex is lifted from the sheet, and blowing on it gives a bit of moisture like that on a human finger. It then can be placed on the iPhone’s fingerprint sensor, the CCC wrote.
The technique is not new. “This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market,” the CCC wrote. Apple officials did not have an immediate comment on the CCC’s findings.
Security experts have long warned that fingerprint authentication should not be solely relied upon, but rather used in concert with other technologies. Photos of fingerprints and molds have successfully bypassed fingerprint checks.
Touch ID is intended to reduce the number of times a person must enter a passcode, but Apple still requires a passcode in some circumstances, such as restarting the phone and if the devices hasn’t been unlocked in two days.
Changes to the fingerprint settings also require a passcode, which can be configured to be longer and more complex than four digits.