Chaos Computer Club Breaks Apple Touch ID ⇥ ccc.de

Frank Rieger of the Chaos Computer Club:

A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided.

That was fast.

But their argument that “fingerprint biometrics is unsuitable as access control method and should be avoided” is wrong. The method they used to gain access is impractical to be done quickly or surreptitiously:

First, the fingerprint of the enroled [sic] user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone.

That’s broadly similar to using the smudges on your display to work out what numbers are in your passcode.

In their support documentation, Apple describes it as such:

Your fingerprint is one of the best passcodes in the world. It’s always with you, and no two are exactly alike. Touch ID is a seamless way to use your fingerprint as a passcode.

The clearest flaw with using a fingerprint as a passcode is, as Al Franken put it, “[p]asswords are secret and dynamic; fingerprints are public and permanent”. But, for practical purposes of everyday people, a fingerprint scanner is certainly no less secure than a numerical passcode, and significantly more convenient.

Also, this…

Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.

…is a bunch of conspiracy theory laden bullshit.