The method follows the steps outlined in this how-to with materials that can be found in almost every household: First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.
As I said that other day, who cares. The CCC is making this out like there is no security with TouchID, which is a falsehood. In fact there’s a lot more security even with this vulnerability.
Let’s walk through a few facts:
- The CCC hack requires a near-perfect, smudge-free fingerprint to be photographed at a very high resolution, cleaned up digitally and printed at a very high resolution. Once all of that is accomplished then you can unlock a phone. Yeah, not exactly something that can be done quickly.
- $10 says I could remote wipe my iPhone before you could replicate my fingerprint and unlock it.
- With TouchID a user has very little reason not to create strong and complex passcodes and Apple ID passwords for their information. Meaning you are increasing the non-you aspects of your security. And because iOS 7 requires your passcode upon restarting the iPhone, I could easily accomplish wiping my phone before you could accomplish your task of beating TouchID.[1]
So yes, TouchID isn’t perfect, but we had a reasonable expectation to assume this may be the case. However, the other items that Apple has implemented make TouchID a pretty secure system. Because while you could beat my fingerprint under ideal conditions, I could likely wipe my iPhone under shitty conditions before you beat my fingerprint.
[1] Assuming you don’t carry a portable Faraday cage. There does exist the possibility that you have my fingerprint already replicated when you swipe my device; I’ll take my chances on you being able to do that.