Slashdot Mirror
Apple's TouchID Fingerprint Scanner: Still Hackable
electronic convict writes: A year ago, security researcher Marc Rogers demonstrated how to spoof the TouchID sensor in the iPhone 5S using some Elmer's glue and glycerol — oh, and a high resolution camera and a laser printer. Has TouchID security improved at all on the iPhone 6? Not really, Rogers reports in his latest post, in which he again hacks the iPhone 6's TouchID sensors using the same method as before. "Fake fingerprints created using my previous technique were able to readily fool both devices [the 6 and the 5S]," he reports. Rogers, however, says there's no reason to panic, as the attack requires substantial skill, patience and a good clear fingerprint. As he writes: "We use locks on our doors to keep criminals out not because they are perfect, but because they are both convenient and effective enough to meet most traditional threats."
About 10 years ago I read a story about a Jr. High school in Australia (ages 13-15) that had set up finger print readers at all the computers. Attendance was taken by students logging into a classrooms computers. This was all fine until one day the teacher needed a number of students to do a task. The attendance showed everyone there, but in reality more than half were truant. One student was covering up something, and the nosy teacher pulled off the paper to find..... candy gummy bears. "I was hungry" But that wasn't it at all. The teacher noticed the bears were half round with names beside them. Press finger into bear, then flip inside out and wrap around another finger (or a pencil). Insert into reader, logged in. Use lasers if you want, but that's doing it the hard way.
and it is much easier to take a peek at my screen one of the 20 times a day I type in my 4 digit code than to fake the fingerprint.
They better hurry, too. TouchID gets locked out after powering off the phone, 48 hours of inactivity, or a few failed attempts. After any of those, it will only respond to the passcode.