The Touch ID security technology implemented in the new iPhone 6 models from Apple is vulnerable in the same way as demonstrated last year on iPhone 5S, allowing an individual to bypass verification with a fake fingerprint created from regular glue.
The technology is currently used to authenticate the owner of the device during the unlock process, as well as for approving purchases in Apple's digital stores.
After cloning a fingerprint used to lock iPhone 5S and 6 devices, security researcher Marc Rogers from Lookout successfully unlocked both phones (check the video below), albeit he noticed some improvements in the latest model.
He relied on the same fingerprint cloning technique used for the experiment on the 5S model last year.
Rogers says that the first step is to acquire the fingerprint, which has to be clear of any smudges; a high resolution camera is also necessary for an accurate image that is then printed without any distortion, with high toner density, so that the print stick out. The next step is to impress the print on a thin layer of glue.
The researcher noticed some improvements in the new sensor, as the scanning resolution is higher, experiencing greater accuracy at recognizing the real fingerprint.
Moreover, during his experiment, the success with more flawed cloned fingerprints on iPhone 6 was smaller than on the 5S device, which points to the conclusion that the clarity of the print has to be higher in order to fool the Touch ID sensor.
“To fool the iPhone 6 you need to make sure your fingerprint clone is clear, correctly proportioned, correctly positioned, and thick enough to prevent your real fingerprint coming through to confuse it,” Rogers says in a blog post.
Despite successfully unlocking the device with a fake fingerprint of the iPhone’s owner, Rogers says that reproducing the experiment in the wild is unlikely to be a success because there are plenty of challenges that can be overcome in the lab, “but are likely to make it a little bit harder for a criminal to just ‘lift your fingerprint’ from the phone’s glossy surface and unlock the device.”
“The attack requires skill, patience, and a really good copy of someone’s fingerprint — any old smudge won’t work. Furthermore, the process to turn that print into a usable copy is sufficiently complex that it’s highly unlikely to be a threat for anything other than a targeted attack by a sophisticated individual,” he adds.