That didn’t take long. The new iPhone 6 has only been on sale for a couple of days and a security researcher has hacked its Touch ID fingerprint sensor. Again.
The hacker was Marc Rogers, principal security researcher at mobile device security vendor Lookout. He quickly proved the iPhone 6 fingerprint sensor was vulnerable to the exact same hack as the Touch ID on the iPhone 5. He hacked that shortly after the iPhone 5 was released, too.
The good news is that the security researcher says hacking Touch ID is so complicated that most hackers wouldn’t bother. Your iPhone 6 is, for all practical purposes, safe.
“Don’t panic,” he told Business Insider. “I don’t see a risk to consumers in any way.”
The bad news is that this won’t last, he cautions. With the introduction of Apple Pay, where Apple hopes to turn every smartphone into a credit card protected by Touch ID, criminals now have a huge financial incentive to come up with methods that make hacking the fingerprint sensor faster and easier.
And Apple missed some big chances with the iPhone 6 to make that impossible, Rogers told Business Insider.
For both the iPhone 5 and the iPhone 6, Rogers hacked Touch ID by creating fake fingerprints. He lifted a fingerprint from a shiny surface. He printed a high-resolution copy of the fingerprint with a special printer and transferred that to something called “transparency film.” He used that to develop a mould of the fingerprint with something called “photosensitive PCB board.” He poured glue into the mould and voila! He had a fake fingerprint.
But the process took hours and required over $US1,000 worth of gear, he said.
“It was very difficult for me to get a usable fingerprint and I had unlimited attempts. But a criminal only has one attempt and a few seconds to unlock it,” he told us.
That said, he’s frustrated Apple didn’t make improvements to Touch ID that would have detected the fake fingerprint.
“The biggest take-away from this is that I’m disappointed in Apple. The fingerprint sensor problem has been around for a long time. A fingerprint is easy to reproduce. We leave our fingerprints around every time we touch a shiny surface,” he says.
The iPhone 6 Touch ID “missed clues,” he said. For instance, it didn’t look for conductivity. Conductivity in your skin is what makes the touchscreen work, and why your iPhone doesn’t work with gloves.
Or, it could have used “different spectrums of light to see structures below the skin, to see that you are not wearing a fake fingerprint,” he says, adding that with the fingerprint scanning company Apple bought in 2012, AuthenTec, Apple “gained access to this technology.”
“We’ve seen Apple take expensive, inaccessible tech and make it affordable and accessible. They could be doing the same for this problem,” he says. For example, he says “Apple consumer products were among the first to defend against password guessing” attacks, known as “brute force attacks.”
Maybe one day Apple will tackle those problems.