Apple's Touch ID still vulnerable to hack, security researcher finds

The fingerprint reader on the iPhone 6 can be fooled by the same trick that unlocks the iPhone 5S -- but it didn't have to be that way.

The Touch ID readers on the iPhone 6 and its larger Plus sibling are susceptible to a 12-year-old hack. Josh Miller/CNET

There's a lot that's new in Apple's just-released iPhone 6, but one feature hasn't changed: Faked fingerprints can still fool the Touch ID fingerprint sensor.

Security on the Touch ID fingerprint reader has been tightened, but only marginally, said Marc Rogers, chief security researcher at Lookout Mobile Security.

"I don't think people need to worry just yet, but there are distinct flaws that could lead to problems down the line," he told CNET. Rogers wrote in a blog post that he was able to use the same low-budget technique to fake fingerprints and unlock the iPhone 6 as he did when he became one of the first researchers in 2013 to hack Touch ID on the iPhone 5S.

"Sadly there has been little in the way of measurable improvement in the sensor between these two devices," he wrote. "Fake fingerprints created using my previous technique were able to readily fool both devices."

Apple did not respond to a request for comment.

When Apple first introduced the Touch ID fingerprint reader as an added security measure in the iPhone 5S, security researchers quickly demonstrated that a decade-old technique could be used to spoof a fingerprint and unlock the phone. In 2002, Massachusetts Institute of Technology engineering professor Tsunetomo Matsumoto demonstrated how fingers coated in a gummy substance like Elmer's glue could be used to lift and replicate fingerprints.

A coming wrinkle to the situation is that Touch ID is about to become the security touchstone for Apple Pay, a system that uses the iPhone 6's new near-field communication chip and credit card management software with Touch ID to allow people to use their iPhones in place of credit cards. Touch ID will be required to unlock Apple Pay, which is expected to open to the public sometime in October.

Rogers said, "Turning the phone into a giant credit card, who knows what criminals will do to make it work?"

Although he was careful to reiterate that he's still a fan of Touch ID because hacking it "requires skill, patience, and a really good copy of someone's fingerprint," he was disappointed that Apple didn't make it better.

"AuthenTec [the firm Apple bought for its fingerprint reading technology] had scanners that were capable of looking deeper into the finger, so that they could look past a fake fingerprint. I would've liked to see that implemented," Rogers said. He added that Apple wants its payment system to be as simple as possible so that it is as attractive to consumers as possible, but because the system involves credit cards, it would be better protected by Touch ID and a second authentication factor -- such as a PIN, password, or pattern.

Even if adoption of Apple Pay is slow, as some people are expecting, history shows that hackers often go where the money is, and that could make the Touch ID a hot-button item indeed.
