Hackers give Apple security the finger

WASHINGTON: The bad news is hackers have broken through the fingerprint-based security system that Apple so proudly introduced in its latest iPhone 5s. The good news is that they have done it without decapitating anyone’s fingers, as some experts fear could become the norm in criminal circles.

Less than 72 hours after Apple bragged about its cutting-edge breakthrough that analysts said holds vast promise in advancing biometric transactions, a hacking team from the Chaos Computer Club (CCC) fingered the technology by successfully bypassing the security of Apple TouchID, using what it called “easy everyday means”. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger to unlock an iPhone 5s, CCC boasted on its website, even attaching a brief video of the digital break-in. The site published a how-to in a demonstration of how human cunning finds ways to get around every wrinkle and roadblock that nature and human ingenuity conceive.

First, it says, the fingerprint of the enrolled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto a transparent sheet with a thick toner setting. Finally, pink latex milk or white wood glue is smeared into the pattern created by the toner on the transparent sheet. After it cures, the thin latex sheet is lifted, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market. “In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake,” said the hacker with the nickname Starbug, whom CCC credited with performing the “critical experiments” that led to the successful circumvention of the fingerprint locking. “As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints,” Starbug said.

CCC’s agenda is clear. It’s not so much to trash Apple’s advances as to rubbish the field of biometrics itself. “We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can’t change and that you leave everywhere as a security token,” said Frank Rieger, spokesperson of the CCC, adding, “The public should no longer be fooled by the biometrics industry. Biometrics is a technology designed for oppression and control, not for securing everyday device access.” Apple had not responded to the news at the time of writing.

The club also attacked fingerprint biometrics in passports introduced in many countries, saying this has been done despite the fact that no security gain can be shown by this global roll-out. Many social safety programs across the world, including India’s Aadhaar, are biometric-centered. The global biometrics market is said to have surpassed $10 billion in 2013 and is growing at more than 15% annually.

Source: Times of India