BERLIN (AP) — The fingerprint-based security system used to unlock Apple’s latest iPhone can be bypassed using a household printer and some wood glue, a German hacking group has claimed.
A spokesman for the Chaos Computer Club said the group managed to fool the biometric sensor in the iPhone 5S over the weekend by creating an artificial copy of a genuine fingerprint.
“It was surprisingly easy,” Dirk Engling told The Associated Press in a telephone interview Monday, a day after the group announced the exploit on its website.
A member of the Chaos Computer Club going by the pseudonym Starbug took a high-resolution photograph of a fingerprint left on a glass surface, printed it onto a transparent sheet and smeared the pattern with liquid latex or wood glue. Once the glue set, it could be peeled off and placed on another finger to mimic the genuine print, said Engling.
“We used this method 10 years ago and didn’t have to change much for the iPhone,” he said. “The hardest bit was getting hold of one of those new iPhones because they are chronically sold out.”
Engling said the Chaos Computer Club, which has a long history of finding security flaws in software and hardware, documented the procedure with several videos so independent experts could verify it.
David Emm, a senior security researcher at Kaspersky Lab, said the German group’s claims exposed the flipside of biometric security systems designed to replace the passwords or PINs commonly used nowadays.
“If my passcode becomes compromised, I can simply replace it with a new one — hopefully one that’s more secure. But I can’t change my fingerprint — it’s part of what I am and so I’m stuck with it,” Emm said.
Engling suggested that Apple could have made its fingerprint system more secure, but that this might have caused problems for users if they didn’t swipe their finger across the miniature scanner properly and thus got locked out of the device after repeated failed attempts.
“Apple had to strike a balance between security and user-friendliness,” he said.
Apple didn’t respond to repeated requests for comment.
Frank Jordans can be reached at http://www.twitter.com/wirereporter