Touch ID means you can be me — or — The return of the Gummy Fingers

Posted: September 24, 2013 in Uncategorized

Apple recently announced their latest iPhone — the 5S — and among the new features that have created a fair amount of buzz is a built-in biometric fingerprint reader, which can be used to unlock the phone or confirm iTunes purchases in place of a PIN or passcode.

That’s probably true but there is another side to consider. There’s a reason (in fact, there are many) why biometric systems haven’t replaced passwords universally, and one of those is the potential for impersonation. One would think that, since fingerprints are unique, they would be a great way to authenticate people, but it turns out that they can also be faked.

This is not new news. In May 2002 (that’s over a decade ago for those of you keeping score at home), Tsutomu Matsumoto, a researcher from Yokohama National University, demonstrated how he could fool fingerprint readers about 80% of the time using $10 worth of commonly available materials. Here’s a link to the presentation with some nice graphics:

Fast forward to September 2013: Apple’s Touch ID comes onto the scene and I begin the countdown clock to when someone will pull off a similar attack. Not surprisingly, it didn’t take long. Within 2 weeks, this video from the Chaos Computer Club (CCC) surfaced, which shows a successful impersonation attack.

I won’t go into the details here but here’s a quick description from And if you’re wondering just where someone might be able to get the fingerprints from the authorized user in order to duplicate them, take a closer look at the CCC video and pay close attention to what the iPhone’s screen looks like when it’s turned off — fingerprint heaven.

So, should we give up on biometrics and declare Touch ID a failure? Maybe not. Apple says that roughly half of iPhone owners don’t even bother to set up a PIN to protect their devices due to the inconvenience of having to enter it (which is great news for thieves). So, even if Touch ID isn’t perfect (and no biometric system ever will be), the fact that it is so much simpler to use than passcodes means that, hopefully, more people will use it and, therefore, security will be improved, since even a relatively weak biometric is more secure than a stock phone with no PIN at all.
