By now you've all probably seen the video that is currently making its way around the web claiming to show how easy it is to fool the Touch ID sensor on the new iPhone 5s. In it, a shaky-handed individual uses what appears to be a thin film of some sort to trick his phone into thinking he was using his correct finger, when in fact he wasn't. It's important to note that we're still waiting on the video showing the actual process -- which is obviously the more important part -- but for the moment we'll give the videos creators the benefit of the doubt.
Certain corners of the tech blogosphere are reporting this as an "easy" trick, and even the original posting on the Chaos Computer Club website refers to the trick being pulled off "using easy everyday means." Again, assuming this trick is legitimate, let's take a look at the list of items are required to pull it off:
- A perfect print (on a reasonably flat and clean surface) from the correct finger needed to unlock the device.
- Superglue (which must be fumed to allow adherence to the print itself).
- A high-quality digital camera capable of capturing photos with 2400 dpi resolution.
- An image editing program to "clean up" the print and make it useable (and the knowhow to pull this off).
- A sheet of printable clear plastic.
- A printer that can both print in 1200 dpi and has a special "thick toner" setting.
- Liquid latex (or wood glue) along with a few drops of glycerine to smear over the printed image. You then have to breathe on the fake print to give it just enough moisture to be read.
- Oh, and you also need the phone itself, which you'll need to obtain without the target knowing (or they can remotely wipe the phone in an instant).
If you're missing just one of these things, you're out of luck. On top of that, the iPhone 5s automatically asks for your passcode after five failed finger unlock attempts, and you can't proceed without it at that point. For extra security, it also has a setting that will wipe the device completely after 10 failed
finger unlock passcode unlock attempts. You better make that print flawlessly the very first time, or it's game over.
It's a fingerprint, not an iron cage
As Apple noted at the iPhone 5s reveal event, the company's figures show that half of iPhone owners don't use any security measures on their devices whatsoever. Touch ID is designed to change that. Is Touch ID more secure than no passcode? Of course it is. Is it more secure than the standard 4-digit passcodes many people use (which can be brute-forced in less than an hour)? I'd argue that yes, it is.
But if you're storing nuclear launch codes on your iPhone, you're probably going to want to go with the 20-digit code route or, you know, just not let your phone out of your sight.
Touch ID is not faultless, and although using a finger you chopped off a friend isn't likely to work, there are techniques that almost certainly can fool it. Apple likely over-promised, with the talk of "sub-epidermal" scanning, but this doesn't mean biometrics is dead -- at least not anymore than my home door lock is dead because someone can photograph my key and then make a copy in 10 minutes at the local Walmart.
It's a new security option, and it's an extremely convenient and secure one, even if your spouse has access to a high-end printer, liquid latex and takes Photoshop classes in her spare time. Stop worrying. Your text messages and Facebook updates are safe.
[Image credit: gfairchild]