Just days after the iPhone 6 and iPhone 6 Plus went on sale, a security researcher has managed to ‘hack’ the new, improved Touch ID sensor. Except, despite what the fear-mongering report from the International Business Times might have you believe, this ‘hacking’ poses absolutely no risk to any iPhone owner whatsoever.

According to the report, a “vulnerability allows a would-be attacker to spoof your identity using an artificial fingerprint to unlock your iPhone 6 or make purchases via Apple’s various digital stores (such as iTunes)” or even Apple Pay. It is this kind of assertion that has people panicking. When it is true, it is worth reporting in this manner. When it is a blatant exaggeration for the sake of page views, then it is poor journalism.

Emphasising “little measurable improvement” between Touch ID in the iPhone 5s and the 2014 iPhones, IBT paints a picture of a disappointing Touch ID sensor.

However, the original source, Marc Rogers on the Lookout blog, is not quite so negative about the fingerprint reader in a piece titled “Why I hacked TouchID (again) and still think it’s awesome”:

…it appears that the biggest change to the sensor is that it seems to be much more sensitive, which is made possible by a higher resolution scanning part. How do I know this? Well, during my testing I noticed that I got far less “false negatives” with the iPhone 6 (false negatives are where the device rejects your legitimate fingerprint). However, it’s likely this is also aided by the fact that the iPhone 6 appears to scan a much wider area of your fingerprint to improve reliability.

Another sign that the sensor may have improved is the fact that slightly “dodgy” fake fingerprints that fooled the iPhone 5S did not fool the iPhone 6. To fool the iPhone 6 you need to make sure your fingerprint clone is clear, correctly proportioned, correctly positioned, and thick enough to prevent your real fingerprint coming through to confuse it. None of these are challenging details for a researcher in the lab, but are likely to make it a little bit harder for a criminal to just “lift your fingerprint” from the phone’s glossy surface and unlock the device.

In conclusion, Rogers wrote:

Just like its predecessor — the iPhone 5s — the iPhone 6’s TouchID sensor can be hacked. However, the sky isn’t falling. The attack requires skill, patience, and a really good copy of someone’s fingerprint — any old smudge won’t work. Furthermore, the process to turn that print into a useable copy is sufficiently complex that it’s highly unlikely to be a threat for anything other than a targeted attack by a sophisticated individual. I’ll reiterate my analogy from my last blog on TouchID: We use locks on our doors to keep criminals out not because they are perfect, but because they are both convenient and effective enough to meet most traditional threats.

The fact that Apple has tweaked the TouchID sensor a little bit means that they are working to improve things, even if those changes are primarily focused on making it easier to use. As it stands, TouchID remains an effective security control that is more than adequate for its primary purpose: unlocking your phone.

So there you have it — the researcher himself isn’t declaring that the iPhone 6’s Touch ID is vulnerable to attacks. In fact, he’s arguing quite the opposite.

If someone has to have access to your phone, a detailed copy of your fingerprint and all the required materials and expertise to create a fake fingerprint in order to access the device, I’d say it’s pretty darn secure. Why wouldn’t the would-be thief just force you to unlock the phone rather than go through all of this effort?

Touch ID is an incredible piece of innovation both for its added security and convenience of unlocking your device and authorizing purchases. It’s biometric security on a massive scale that is easy to understand, set up and use while remaining reliable.

If only every phone manufacturer could create devices this “easy” to hack.
