Soon after Apple unveiled the iPhone 5s last year, the first of its iPhones to sport a fingerprint scanner embedded in the Home button, researchers proved the security measure could be bypassed as long as an attacker managed to somehow replicate the fingerprints of an iPhone 5s owner. Marc Rogers, one of the same people who hacked Touch ID last year, is now back with a similar trick that works on both the iPhone 6 and iPhone 6 Plus, even though both devices sport better fingerprint scanners than the iPhone 5s.
Rogers created fake fingerprints using the same technique as last year and tested them against the iPhone 6’s fingerprint scanner. The fake fingerprints still managed to fool the sensor into unlocking the device, but Rogers says the fake fingerprint has to be of great quality to work.
“Another sign that the sensor may have improved is the fact that slightly “dodgy” fake fingerprints that fooled the iPhone 5S did not fool the iPhone 6,” he wrote. “To fool the iPhone 6 you need to make sure your fingerprint clone is clear, correctly proportioned, correctly positioned, and thick enough to prevent your real fingerprint coming through to confuse it. None of these are challenging details for a researcher in the lab, but are likely to make it a little bit harder for a criminal to just ‘lift your fingerprint’ from the phone’s glossy surface and unlock the device.”
In other words, an attacker using this particular technique to break into an iPhone must first be able to pick up the target’s fingerprints, then guess which one is used to unlock the device, and then create a high-quality fake copy to fool Apple’s sensor. So in most cases, this might prove to be too much for your average criminal.
“The fact that Apple has tweaked the Touch ID sensor a little bit means that they are working to improve things, even if those changes are primarily focused on making it easier to use. As it stands, Touch ID remains an effective security control that is more than adequate for its primary purpose: unlocking your phone,” Rogers said, adding that Apple should have “really tighten[ed] up the security of Touch ID,” especially because it’ll now also protect Apple Pay transactions.