Hacker group claims to have used fake fingerprints to defeat iPhone 5s Touch ID

Apple's iPhone 5s launched on Friday, and demand for the latest iOS smartphone is supposed to be huge so far. One of the things that Apple has promoted heavily about the 5s is the Touch ID feature, which is supposed to use a person's fingerprint to unlock the phone as well as other software and services. Now it appears that a hacker group has quickly found a way to defeat Touch ID.

According to a report on Reuters, the well-known German hacker group the Chaos Computing Club photographed a person's fingerprint and then printed it on a transparent sheet. The sheet was then used to make a mold for a fake finger. The mold could unlock an iPhone 5s with the Touch ID feature enabled.

One of the group's hackers, who goes by the online name Starbug, posted a note on the CCC's website as saying, "Fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints."

So far, Apple has yet to comment about the CCC's claims. The company is expected to make a statement about overall sales of the iPhone 5s and 5c this week.

Source: Reuters | Image via Apple

Report a problem with article
Previous Story

Oracle announces new database improvement, server, and backup appliance

Next Story

Xbox One won't offer sharing of game videos on Facebook or YouTube at launch

58 Comments

Commenting is disabled on this article.

The fingerprint reader is disabled after a few failed attempts. So if you are going to use this method, you better be sure you lift the correct fingerprint and do a flawless job of reproducing it because once it disables the fingerprint reader it is game over. A reboot doesn't give you extra tries either.

Would have been much better if the person managed to use a latent print already on the sensor.

Once someone figures out a reliable hack for that, Apple will disable the sensor in a future iOS update.

actually. facts does beat bs. neowin bs. that is. like i said. google the underlying technology for touch id. not 'these things' that you ant-boys just love to generalize about. maybe. just maybe. you'll learn a thing or two. lmao.

what. that's the best generalized come back you've got? i am sorely disappointed. oh and your girlfriend asked me to say hi. did i mention i'm sore? lol.

I can think of a number of ways to defeat this fingerprint scanner.. But the one thing i would like to know is what would happen if someone used the finger security and they say burnt their fingerprint off or managed to have say a large quilt?

Would they be locked out the phone then?

The iPhone requires a pin code to unlock the phone after 48 hours of not being unlocked by the sensor. Then you can set up another finger to authenticate with.

No, if the fingerprint doesn't work for 3 times it will ask for your passcode and you can unlock your phone without touchID

Vester said,
I can think of a number of ways to defeat this fingerprint scanner.. But the one thing i would like to know is what would happen if someone used the finger security and they say burnt their fingerprint off or managed to have say a large quilt?

Would they be locked out the phone then?

You can't burn your finger prints off, they'll regrow in the scar... but they tend to have some weird effects. Immediately you'd not be recognized for access to the phone it it was really bad, but at the same time you probably wouldn't want to use a phone.

But still, the finger print scanner isn't setup as the sole entery point for the phone. You can fall back to using the touch pad to unlock with the passcode as you'd normally do.

Hawk^ said,
No, if the fingerprint doesn't work for 3 times it will ask for your passcode and you can unlock your phone without touchID

Didn't know that.

aya i knew about the growing back i was meaning in short term Nice to know there is a backup (don't have an iphone, don't like um but did wonder.)

Well to be fair. Using the fingerprint is convenience more than security. the lock code/swipe is recorded or seen without problems as well.. still wouldnt use the fingerprint for the sake of the principle of data economy. a lot of people should use the internet more with those principles

Not really. It's often faster to just punch in a PIN especially when the scanner gets grungy with too many fingerprints. I found I often just used the keypad instead of messing with it.

Spicoli said,
often faster to just punch in a PIN especially when the scanner gets grungy with too many fingerprints. I found I often just used the keypad instead of messing with it.

Is that your experience with the Atrix or the iPhone?

That's my experience with all fingerprint scanners. It's not like it's a new thing. And, no, Apple putting their logo on it doesn't make it magical and suddenly work better than the hardware they just bought. Don't be a sucker to marketing.

Spicoli said,
That's my experience with all fingerprint scanners. It's not like it's a new thing. And, no, Apple putting their logo on it doesn't make it magical and suddenly work better than the hardware they just bought.

So you haven't actually tried the iPhone's? As for it being magical or not, "Any sufficiently advanced technology is indistinguishable from magic."

Pretty much every single review I've read claims that it works exceptionally well and that its implementation is much improved over previous solutions on mobile phones.

CSharp. said,

So you haven't actually tried the iPhone's? As for it being magical or not, "Any sufficiently advanced technology is indistinguishable from magic."

Pretty much every single review I've read claims that it works exceptionally well and that its implementation is much improved over previous solutions on mobile phones.

They all work well new. The easier you set them to work by changing the confidence level the more unsecure they become too.

Yep cause the common crook will stalk you for sometime, dust for prints and then make a copy so he can unlock your phone once he steals it.. Its a mobile guys not a safe in Warren Buffets house.

So what they've done is pretty much what mythbusters did a while back?

Still, finger print scanners have been the bane of security for as long as they've been out. From wet towels, hot water bottles to paper photocopies and mold imprints, it's not going to stop someone from unlocking it... and even if this was the best security on a iPhone, it just means there is more lesser secure parts that attacks can be made upon.

A fingerprint may be unique but just like a fingerprint an string of random numbers can be seen as "unique" - once you have the numbers/print it's just a matter of getting it into the system

Auzeras said,
A fingerprint may be unique but just like a fingerprint an string of random numbers can be seen as "unique" - once you have the numbers/print it's just a matter of getting it into the system

At least with a string of numbers you can change said numbers.

Good luck changing your finger print

I think it's just a basic protection, assuming that most people won't go through the hassle of taking the fingerprints , and then making a mold.

The hassle? What to setup something so you don't have to use a code to get into your phone every time! OH BOY DON'T MAKE ME GO THROUGH THE HASSLE OF THAT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Spicoli said,
As usual the reality doesn't match the marketing.

Actually it does... Clearly you still refuse to read the reviews...
Trolling as usual...

This comes back to what I've said in the past - if you're going to leave your phone laying around unattended then quite frankly you deserve all the bad stuff that'll occur to the phone. Time for people to stop expecting technology to fill in as a substitute for personal responsibility.

For sure, but if manufactures use enough security that it renders a phone useless upon theft or loss then we should see a drop in crime and a rise in the number of phones being returned to their rightful owner.

Spicoli said,
And having to buy a replacement because you forgot your password.

What? Why would you need to do that, just reset and setup again if absolutely needed!

Mr Nom Nom's said,
This comes back to what I've said in the past - if you're going to leave your phone laying around unattended then quite frankly you deserve all the bad stuff that'll occur to the phone. Time for people to stop expecting technology to fill in as a substitute for personal responsibility.

In NYC, groups of guys straight up rob people for their phones in public...

Spicoli said,

If you can set it up again, so can anyone that steals it.


Unless, if the phone is stolen and the IMEI is put in a black list.

Spicoli said,

If you can set it up again, so can anyone that steals it.

That's not the point, this is security related. If I lose my phone I want to make sure that no one can access my data (emails, pictures, files etc.) This is done via a 4 digit pin on the device that only I know (same level of security given to my credit card/debit cards).

I can also remotely wipe the device3, then call the carrier to get them to block it. it will then take a bit of effort for someone to continue to use this device, but at the very least my information is safe.

Well in the case of theft, all you have to do is DFU restore the phone. The only thing a password or fingerprint will protect is the data.

Fritzly said,

Unless, if the phone is stolen and the IMEI is put in a black list.

NPR had a story about cell phone crime, they got around this by selling the phone overseas to different markets to get around the blacklist.