Lookout Security has confirmed that the iPhone 6 is vulnerable to the same fingerprint-spoofing technique that worked against its predecessor, the iPhone 5s.
By creating a copy of a fingerprint that can be lifted from a shiny surface using a specialized glue (normally reserved for criminal investigations and forensics labs), hackers can create a falsified imprint that easily fools the Touch ID verification system.
Researchers are concerned that Apple has shown so little improvement in the system in the almost two years between the two devices hitting their respective markets, and now that Apple Pay has been thrown into the mix, there is more incentive than ever for hackers to use this technique to break into someone’s personal device.
“Sadly there has been little in the way of measurable improvement in the sensor between these two devices,” explains Lookout researcher Marc Rogers in a blog post. “Fake fingerprints created using my previous technique were able to readily fool both devices.”
Rogers also lamented users’ inability to customize their security options, pointing to the lack of settings that could give iPhone owners more control over how much time a hacker has between using TouchID and having to enter a passcode on the phone before being locked out for a period of 15 minutes or more.
“Furthermore there are no additional settings to help users tighten the security, such as the ability to set a timeout for TouchID after which a passcode must be entered. In fact, it appears that the biggest change to the sensor is that it seems to be much more sensitive, which is made possible by a higher resolution scanning part.”
Of course, to carry out the iPhone TouchID hack, an attacker still needs a way to physically copy the fingerprint of the user whose phone they are trying to access, which is no simple feat.
Not only that, the hacker would also need to know the intended target’s personal PIN code, which, if the target is smart, isn’t written down or logged anywhere but in their own head. Because of this, the most effective method of protecting yourself is to create a complex password that doesn’t match the one on any of your other accounts, including the one used for your debit or credit card.
“Just like its predecessor – the iPhone 5S – the iPhone 6’s TouchID sensor can be hacked,” Rogers concludes. “However, the sky isn’t falling. The attack requires skill, patience, and a really good copy of someone’s fingerprint – any old smudge won’t work. Furthermore, the process to turn that print into a useable copy is sufficiently complex that it’s highly unlikely to be a threat for anything other than a targeted attack by a sophisticated individual.”
All in all, while the concern should still be strong for anyone who owns the device, it’s unlikely that we’ll see this technique applied in anything but the highest-security situations, such as operations carried out by intelligence agents working at the highest levels of nation-state surveillance and spycraft.