iPhone Biometrics Spoofed Again, Expert Still Loves Touch ID

Last year, shortly after the launch of Touch ID, Apple’s smartphone fingerprint sensor on the iPhone 5S, Marc Rogers spoofed it. In a blog post at the time, Rogers – principal security researcher at Lookout – explained why he did it, how he did it and why the post-password solution still had a place in his good books.


Shortly after the release of the iPhone 5S, Touch ID was spoofed by a German hacking group named Chaos Computer Club. Since then, liveness detection has been at the top of the smartphone biometrics wishlist.

A year later, we have been presented with two more iPhone models, each sporting a Touch ID sensor, and this time coming ready with a number of useful applications that can leverage a user’s fingerprint. Sure enough, Marc Rogers announced on the Lookout blog yesterday that he’s done it again, and he still thinks the fingerprint security on the iPhone is awesome.

“When the iPhone 6 came out the first thing I wanted to find out was whether or not there had been any changes to the TouchID sensor,” writes Rogers.

This was a concern on the minds of many identity management professionals, considering that the increased range of Touch ID applications includes the ability to make point-of-sale payments through the NFC-powered mobile wallet, Apple Pay. No mention of improvement was made during the September 9 keynote, leaving the task of evaluating the security up to people like Rogers.

Using the same technique as last year, Rogers successfully spoofed his way past the iPhone 6’s sensor. Sadly, he reports that there is very little that suggests any kind of measurable security improvement. That’s not to say he didn’t find the process more difficult this time around: either due to higher resolution imaging or a larger scanning surface, the iPhone 6 models require a much higher quality fingerprint clone.

Rogers’ blog is a must-read for those doubtful that consumer-grade biometrics are an adequate password replacement for an iPhone’s lock screen.

“As it stands,” writes Rogers, “TouchID remains an effective security control that is more than adequate for its primary purpose: unlocking your phone.”

It still can’t be denied that the lack of any significant Touch ID improvement is disappointing. Though the sensor’s convenience and better-than-password security make it a boon to consumers (especially with the reporting of lower false rejection rates), had Apple made a point of bolstering Touch ID this time around, it would have gone a long way in opening up applications that require higher levels of assurance.

Now that Apple has competition in the smartphone biometrics space, it will be interesting to see if other OEMs that have invested in biometric security make a stronger point to offer improved security.

(Source: Mobile ID World)