iPhone 5s: Basic Fingerprint Replication Methods Stymied by TouchID Sensor
Today Apple formally launched the newest iteration of the iPhone family, the 5s and 5c.
The 5s, as most people likely know by now, contains a new biometric fingerprint reader known as TouchID. TouchID’s initial implementation allows iPhone users to simply touch their finger to the home button and the phone will unlock, negating the need for a user to input a passcode.
Like many others in the security and hacking world, I’ve been anxiously awaiting today in order to see just how great TouchID is.
In the first few hours of ownership, I can say it’s pretty impressive: when an enrolled finger is set up properly, unlocking the phone is fantastically easy - compared to earlier iterations of fingerprint scanners in notebooks, especially those that require you to “roll” your finger over the sensor, the TouchID sensor is light years ahead of them.
Let’s take a look at the phone and the initial setting up of TouchID!
Here’s the new phone still sealed in its box, ready for hackers and researchers all over the world to take a deep look inside.
The phone in the box. Nothing new or out-of-the-ordinary here: virtually identical to the iPhone 5 packaging. Of course, iOS 7 is clearly displayed on the box. Accessories are the same, as well, including those (in my opinion) terrible headphones that never want to stay in my ears.
After plugging it in and inserting the SIM (which is required according to iTunes in order to unlock the phone), we’re ready to set up TouchID.
TouchID seems to want you to slightly place your finger on the sensor multiple times in order to get a good read at the various spots on your thumb - the sensor itself is quite small compared to your digit. There’s no way you could place it exactly the same way every time you pulled your phone out.
After enrolling my right thumb, which took around a minute to set up from start to finish, I tried it out. As advertised, it unlocked the phone almost instantly. I’ll admit, I was very surprised at how fast it worked.
Looking inside the settings pages for passcodes, we find the fingerprint settings page. Here you can enroll another finger or two, delete an existing print, and tell the phone you want to use your print for unlocking the phone, making purchases in the iTMS or App Store, or both.
Here’s the main security settings page:
Most things here are the same as a non-TouchID device running iOS 7, which disappoints me. I was really hoping Apple would allow you to enable true two-factor authentication on the phone, requiring both a fingerprint and a passcode. For now, they haven’t, which I think is something they should look at adding in a future OS update… perhaps there’s something preventing that right now. Hopefully they’ll open up the API to third parties down the road and we’ll see the use of TouchID and the sensor greatly expanded.
Alright, so we’ve opened up the phone, set it up, enrolled a finger. Let’s see how TouchID fares against your basic attempts to clone a fingerprint!
I obtained a container of “Crazy Aaron’s Thinking Putty”, which is a Silly Putty-type putty that has had very tiny metal flakes added to it.
I made a couple molds of my right thumb, and mixed up some plain old gelatin with hot water at a 1:1 ratio, which for the most part emulates the conductivity of human skin. I was told by a biologist I know that gelatin has roughly the same conductivity as human skin because the proteins in gelatin are very similar and are arranged in a similar fashion. Makes sense to me: I think gelatin is made from leftover cow bits?
There’s the gelatin ready to pour. It sets very fast, especially when you toss it in the freezer… I had ready-to-go “fingers” in about 10 minutes.
First attempts to use the cloned fingers were quickly rebuked by the phone. TouchID did seem to recognize the gelatin as a “live” finger though: when pressing the fake finger against the sensor it quickly asked me to “try again”. After a few attempts to unlock the phone, the screen transitions to the keycode screen to give you the option of unlocking the phone via your code.
Alright, so that’s good - it appears the phone has some ability to defeat casual fingerprint cloning attempts.
But perhaps my initial molds weren’t perfect, or were flawed in some way. Perhaps the air bubbles in the poured gelatin were causing some issues with the scanner getting a good read?
I mixed up another batch of gelatin, let it sit for a little bit to slightly harden and let any air in it get out. I made another putty mold, and poured a much clearer fake thumb:
You can see that this pour was much “cleaner” than my first attempts.
How did it do against the sensor? Take a look:
Same as before - TouchID wasn’t happy.
Alright, well, what now? Perhaps we can fool it by creating a thumb “skin” that I can place over my left thumb and use.
Same as before, no dice:
I also “hollowed” out a previously-used “thumb” to place on my thumb to attempt a successful scan, same thing, no go:
I also used some of the metalized putty itself in an attempt to unlock the phone - I made a thumb mold and carefully flipped it around. I tried to unlock it that way:
What was interesting here is that the “print” remained largely intact on the mold. Also, the putty left a residue on the sensor that made my legitimate, real thumb hard for the sensor to read and unlock:
After a good cleaning, I was able to use my enrolled thumb again to unlock the phone. Also interesting to note: you can’t scan your thumb over a piece of plastic, like you’d expect if you placed your phone inside a waterproof or water-resistant case, like the OtterBox. It won’t scan. This is an interesting dilemma for case makers: can they make a 5s case to their element-resistant specifications that allows TouchID to work?
Another interesting tidbit here is that it appears that the stainless steel conductivity ring IS fooled by a gelatin finger, based on both the phone asking you to “try again” - implying it’s detecting a print, just not yours - and the “unrecognized print” error message on the keycode unlock screen… which means if we can determine exactly what is being scanned by the sensor, it may be defeatable.
So what’s next?
Over the next couple of days, I expect to see a lot of people much more skilled than me reveal some of their findings - perhaps someone will come up with a method that works.
I plan on trying to make fingers that emulate someone with higher melanin content in their skin - perhaps the transparency of the gelatin is being detected by the sensor? I’ll also attempt to lift a couple of prints via the superglue vapour method and transfer them to photosensitive copper plating.
For now, TouchID remains safe against my attempts.
Update 1 (20 Sep 1620 PDT): I have been able to successfully enroll a “fake” finger and get it to unlock the phone. This implies that the sensor isn’t scanning subdermally, but like many other sensors, is using the microscopic differences in the epidermal thickness to generate the fingerprint calculation. This is a pretty big deal, as it means the sensors used believe a gelatin finger is a real one.
Update 2 (20 Sep 1645 PDT): I made another cloned thumbprint - this time I added a packet of soy sauce to the mixture, for a few reasons:
The salt in the sauce should make the gelatin slightly more isotonic, which may help the read. I don’t think this matters, as the sensor is able to read the non-salty gelatin thumb.
The darkness of the soy sauce might help with the read. Again, I don’t think this matters.
I’m tired of eating tasteless gelatin! ;)
Regardless, it didn’t work - I tried a “thin” print and a “thick” print:
I really think the biggest issue here is that I’m not getting a “good enough” replicated print to fool the sensor. The vapour deposition method may have greater success. I have faith that someone is going to be able to fool the sensor soon enough.
Update 3 (21 Sep 1624 PDT): Ready for an evening of fingerprint fun. Wish me luck!