Touch ID hack verified as legit

Security researchers confirm that a member of the Chaos Computer Club has successfully hacked Apple's iPhone 5S Touch ID fingerprint sensor.

Seth Rosenblatt, Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.

Well, that didn't take long. Barely 48 hours after the iPhone 5S hit the streets, its Touch ID fingerprint sensor has been fooled by a Germany-based group called the Chaos Computer Club and confirmed independently.

Independent security researchers confirmed that the successful iPhone hack, by a researcher named Starbug, unlocked the iPhone 5S with a fingerprint that had been transposed onto a thin strip of what appears to be latex. Videos by Starbug and by the security researchers who replicated Starbug's methodology don't show how the fingerprint was transposed onto the latex, but they do show someone other than the fingerprint's owner unlocking the phone while wearing the latex strip on the end of their finger.

"[Starbug] has talked about it. He's not trying to hide it. He's still working on a video to demonstrate it," said Robert Graham, who helped organize the contest to hack the Touch ID sensor started by Nick DePetrillo.

"Other people have used [Starbug's] vague description to replicate it, so we know it works," Graham said.

The hack has been replicated in YouTube videos by Marc Rogers, as well as Mudge Zatko and Dominick Rizzo working as a team, embedded below.

The bounty that Starbug earned totals more than $11,000 at the time of writing, and includes bottles of alcohol, a portrait, a book of erotica, and a free patent application covering the hack. Donations continue to come in, even though the contest is technically over.

The cash value had been more than $20,000 going into the weekend, but the person who said he was going to contribute $10,000 has since refused to add his funds to an escrow account and will pay only if some unusually strict and somewhat contradictory terms and conditions have been met.

Starbug has said that he will donate the funds to "Raumfahrtagentur," described on istouchidhackedyet.com as a spinoff from the Berlin chapter of the Chaos Computer Club.

Graham said in a blog post that the hack proved that he and DePetrillo were wrong about the difficulty of the hack, but that it was still important research. "Just because it's too much trouble for you doesn't mean it's too much trouble for a private investigator," or other enterprising people who want access to your phone's data, he said.

He added that just because the sensor can be hacked doesn't mean that you shouldn't use it. Touch ID is not "completely useless," he said.

"Half the population doesn't lock their phone at all because it's too much trouble entering a four-digit PIN every time they want to use it," Graham said. Using Touch ID instead of using your phone without any protection is "a win for security," he said.

Ways to protect yourself from the hack include registering a finger other than your index finger, such as your ring or pinky finger, since prints from those fingers are more difficult to copy from other surfaces.