(MoneyWatch) There's been a lot of attention on the iPhone's fingerprint reader -- called Touch ID -- since Apple revealed it and the technology began shipping in the iPhone 5s last week. And it didn't take long to get cracked.
Literally just days after the iPhone 5s began shipping, a hacker group called the Chaos Computer Club found a way to spoof the fingerprint reader and gain access to an iPhone.
Game over for TouchID, right? According to the Chaos Computer Club's blog, they "successfully bypassed the biometric security of Apple's Touch ID using easy everyday means." The blog goes on to say: "This demonstrates -- again -- that fingerprint biometrics is unsuitable as access control method and should be avoided."
On the face of it, this is bad news for Apple and for biometrics in mobile devices. But there's more to the story. First of all, the Touch ID chip wasn't directly hacked -- the hackers, in fact, never got at the fingerprint data stored on the iPhone. Instead, it was more of a traditional case of lifting prints and using an impression to trick the phone.
But wait -- didn't Apple say that approach wouldn't work? That's where it gets even more interesting. The hackers went to a fair bit of trouble to spoof the fingerprint reader. Here is the process, as described by the CCC blog:
"First, the residual fingerprint from the phone is either photographed or scanned with a flatbed scanner at 2400 dpi. Then the image is converted to black & white, inverted and mirrored. This image is then printed onto transparent sheet at 1200 dpi. To create the mold, the mask is then used to expose the fingerprint structure on photo-sensitive PCB material. The PCB material is then developed, etched and cleaned. After this process, the mold is ready. A thin coat of graphite spray is applied to ensure an improved capacitive response. This also makes it easier to remove the fake fingerprint. Finally a thin film of white wood glue is smeared into the mold. After the glue cures the new fake fingerprint is ready for use."
So, can Touch ID be hacked? Of course it can; it exists and was engineered by human beings, so we knew that it was hackable even before it was demonstrated by the Chaos Computer Club. The real question, though, is how easily can it be done? Based on this explanation, the answer appears to be, "not very easy at all." Indeed, it's probably far easier to hack a 4-digit passcode than to pull off this Mission Impossible-style fingerprint spoof.
And that's where the power of Touch ID becomes apparent. The iPhone's fingerprint reader makes it easy to secure your phone. So users who previously didn't use a passcode at all because it was inconvenient can now have a relatively secure login. And for users currently using a 4-digit passcode, they can enhance their security by turning it into a strong password instead, since they'll rarely, if ever, have to enter it manually.
After all, the passcode hasn't disappeared -- it's still available as an alternate means of access on the lock screen. Which method do you think a hacker will choose: Reverse engineering your thumbprint with $10,000 worth of hardware and a weekend of playing with latex impressions, or just guessing that you made your passcode "0000?"
Photo courtesy Apple