CCC Says Apple iPhone 5S TouchID Broken
hypnosec writes with word that the Chaos Computer Club claims to have "managed to break Apple's TouchID using everyday material and methods available on the web. Explaining their method on their website, the CCC hackers have claimed that all they did was photograph a fingerprint from a glass surface, ramped up the resolution of the photographed fingerprint, inverted and printed it using thick toner settings, smeared pink latex milk or white woodglue onto the pattern, lifted the latex sheet, moistened it a little and then placed it on the iPhone 5S's fingerprint sensor to unlock the phone." Update: 09/22 21:32 GMT by T: Reader mask.of.sanity adds a link to a video of the hack.
Fingerprint identification is fundamentally and irredeemably broken. No other authentication method leaves copies of itself all over the place.
Everything else is an arms race between verifying it is a finger and pretending to be a finger.
Snowden and Manning are heroes.
Based on their respective histories, a sensible person would probably trust CCC over Apple.
Yes, I agree. No idea why this was modded "troll". There is a decent history to show that.
CCC:
Did this before. They lifted the fingerprints of the German minister of Interior from a water glass and turned it into a little stamp so you can place him now at any crime scene. (The hack was actually to show just how idiotic government use of biometric data is).
Apple:
I of course don't want to say anything negative against this good company, but some people might say that they have a history of over-hyping things.
It's a capacitative scanner. Whether you like it or not, that's not imaging the surface layer of skin, but the complexity of what's behind it.
You're correct that it doesn't image the surface layer, but wrong about it getting what's behind the skin. Capacitive sensors obtain an image of, essentially, the back side of the skin. The ridges are there, but no other subdermal structure is visible, and the ridges are the same ones visible on the surface, so a surface image (e.g. a skin-oil negative) provides a fine panel from which to construct a usable fake finger.
FWIW, I used to build biometric authentication systems, especially fingerprint stuff. I did security analyses of fingerprint scanners (optical and capacitive) for Visa, wrote the Linux kernel driver for the AuthenTec scanner, and a bunch of other stuff over a 10-year period. I've never designed them and don't claim to fully understand the physics (though I've consulted extensively with people who do), but I've worked with them, a lot, and I know very well what they do and do not do.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.