Apple’s shiny new iPhone 6 can be spoofed with the same fake fingerprints that tricked its older sibling, the iPhone 5S.
That's according to mobile security firm Lookout, which said it discovered that it is possible to create a fake fingerprint that's capable of fooling the TouchID fingerprint sensor of the latest iPhones (6 and 6 Plus are apparently equally vulnerable).
Despite the addition of secure payment app Apple Pay to the iPhone 6, the in-built security hasn’t evolved enough over the last year, the securobods warn. iPhone users are still vulnerable to the exact same security flaw as a year ago. The main difference is that now, with Apple Pay, the bad guys have more incentive to abuse access to an iPhone.
The central problem is that the TouchID fingerprint scanner on both the iPhone 5S and iPhone 6 can be fooled with a cloned fingerprint lifted from a shiny surface and recreated using glue.
Germany's Chaos Computer Club was the first to crack Apple's TouchID fingerprint lock, a trick Lookout replicated last September and repeated this week on newly released iPhone 6 handsets.
"Sadly there has been little in the way of measurable improvement in the sensor between these two devices," explains Lookout researcher Marc Rogers in a blog post. "Fake fingerprints created using my previous technique were able to readily fool both devices."
"Furthermore there are no additional settings to help users tighten the security, such as the ability to set a timeout for TouchID after which a passcode must be entered. In fact, it appears that the biggest change to the sensor is that it seems to be much more sensitive, which is made possible by a higher resolution scanning part."
Lookout advocates the use of a passphrase or PIN code, in conjunction with fingerprint recognition, in order to add two-factor authentication. Apple may be right to say that people are looking for convenient payment methods, but that cannot come at the cost of security, the mobile security firm concludes. Rogers said the hack would require a measure of "skill, patience, and a really good copy of someone’s fingerprint" that would probably make it unsuitable for opportunistic cybercrooks.
"Just like its predecessor – the iPhone 5S – the iPhone 6’s TouchID sensor can be hacked," Rogers concludes. "However, the sky isn't falling. The attack requires skill, patience, and a really good copy of someone’s fingerprint - any old smudge won’t work. Furthermore, the process to turn that print into a useable copy is sufficiently complex that it’s highly unlikely to be a threat for anything other than a targeted attack by a sophisticated individual."