Friday, 14 February 2014

iPhone fingerprinting may already be hacked

A hacking group claims it has already found a way to bypass the fingerprint security on the new iPhone. But it’s highly questionable whether anyone would bother with these particular tactics on an ordinary user.
The German-based Chaos Computer Club claims the only security improvement the iPhone offers over previous fingerprint locks is to use an increased resolution, something that simply sets off an arms race.
The group says the first step in its hack was to take a photograph of the phone owner’s fingerprint from a surface such as a glass or a doorknob, if necessary using a colored powder or a superglue component to identify the print. The picture of the fingerprint needs to be at least 2,400 dots per inch.
They then cleaned up the image in a photo editing package, inverted it, then printed it onto a transparent sheet using a “thick toner” setting. The next step was to smear either white woodglue or pink latex milk onto the sheet, where it settled on the toner rather than the sheet material itself.
Once the glue or latex dried, it could simply be lifted up, moistened with breath, and placed on the iPhone sensor to unlock the phone. The group has produced a video showing the tactic in action.
It should be noted there are further limitations to such an attack, beyond the fact that you have to not only get hold of somebody’s phone but also get their fingerprint. If the phone is restarted, switched off completely and on again, or not used for 48 hours, the fingerprinting tool is put on hold and the phone reverts to a traditional four-digit PIN.
That somewhat reduces the attack window and means a would-be hacker needs, at the least, to have thought carefully about how to get the fingerprint before they steal the handset.
Practical concerns aside though, the group is emphasizing its belief that fingerprints are a doubly-dangerous form of identification: they are reproduced on surfaces all the time and, once compromised, are inherently impossible to change or replace.
Apple has yet to comment on the hacking claims. However, a security researcher who offered a $16,000 bounty for the first successful hack has, after reviewing the video, paid out.
