Touch ID on iPhone 6: Still hackable
Apple's recently released iPhone 6 is susceptible to the same fingerprint forging attack as the iPhone 5s, according to the latest security research.
Mark Rogers, principal security researcher for mobile security firm Lookout, used techniques which are well-known to police officials and prototypers to access the device.
The process involves lifting latent prints from the iPhone before creating a mould using a custom circuit-board kit. Then using glue, sometimes mixed with glycerol, Rogers was able to create a replica print that allowed him to trick the Touch ID sensor.
However, his experiments did suggest that Apple had improved the sensor, as it rejected fewer legitimate prints and slightly more fake ones than the iPhone 5s version, with Rogers suggesting that it wasn't easy to trick the iPhone 6's security systems.
"The process with both of them is exactly the same", he said. "I would not call it a walk in the park, because it took me roughly eight hours to do. Yet someone who is not doing this for research could probably complete the process in two or three hours."
The security flaw highlights the major weakness of Touch ID, namely that the information required to access the phone, the user's fingerprints, are left all over the device. With that being said, the fact that Apple limits the number of attempts to five means that that the feature is relatively secure.
"I was aided by the fact that I had unlimited attempts, and it took quite a few attempts to get any usable print", Rogers said. "It is not something that I would expect a street criminal to use".
However, with the company set to push its own payment service, Apple Pay, stealing an iPhone may become a far more lucrative proposition for thieves, which could cause more users to scrutinize the level of protection offered by Touch ID.
"We are talking about putting a lot of financial transactions though the iPhone, and that money will incentivize criminals to refine the process, and that could open up a scenario where there is risk to the consumers", Rogers added.
Published under license from ITProPortal.com, a Net Communities Ltd Publication. All rights reserved.