Apple is best known for its Touch ID feature—a security feature they proudly boast of that promises to keep data secure. While this may seem so for Apple, there is a hacker who believes he can perform a hack without the need for a physical fingerprint.
During this year’s Chaos Computer Club Convention, a hacker who goes by the name of Starbug (Jan Krissler) has unveiled that he could use a fingerprint captured from an iPhone device. With this fingerprint, Krissler believes that he could fool an iPhone into thinking that he is its rightful owner. At the convention, Krissler demonstrated how fingerprints can be generated with the help of a number of ordinary photographs from someone’s finger.
As earlier reported by VentureBeat, Krissler demonstrated his point by using the photograph of German Defense Minister Ursula von der Leyen as a sample on how he could generate a fingerprint.
Krissler said he used commercially available software called VeriFinger to pull off the feat. The main source was a close-up picture of von der Leyen’s thumb, obtained during a news conference in October, along with photographs taken from different angles to get an image of the complete fingerprint.
While this is something that Krissler believes is possible, he has failed to demonstrate how the two approaches could be combined to produce a photographed fingerprint that would apparently fool Touch ID. Even if he would be able to do this, it is perceived that the attack method would be non-trivial. On the video last year, the approach demonstrated that it would need 30 hours of work to pull off in one go. This would require a subsequent number of hours to accomplish.
Despite this imposing threat to iOS users, Apple believes that it is a concern that average iPhone users should not worry about. Considering that the hack would require a significant amount of time, skill, effort and equipment, it would not be wise to attack just about anyone.
Even if Krissler would be successful at this, Apple would still continue to improve the reliability and security of the sensor on their products.