One of the biggest new additions to the iPhone 5S, the Touch ID sensor, has been hacked by the Chaos Computer Club using high resolution photographs of a fingerprint.

iphone touchID Hackers use photographed fingerprint to get past TouchID on iPhone 5S

Two weeks ago when Tim Cook took centre stage during the iPhone event, the world saw not one but two new iPhones announced. The higher end of the two models is the iPhone 5S, based on last year’s iPhone 5. Being an “S” upgrade, the iPhone 5S does not offer anything different in terms of design. Most of the changes were made under the hood. In fact the only way to spot the difference between the two is by recognising the two-toned flash, and the all new home button which now doubles as a TouchID sensor. Apple made big claims about the security of the TouchID sensor during the event, something which hackers apparently didn’t take too kindly to. Taking upon themselves, the hackers at Chaos Computer Club have figured out a method to bypass the TouchID sensor.

You can watch a video demonstration on this YouTube video (embedding disabled).

The biometrics hacking team claims that the sensor Apple uses for the TouchID is of a higher resolution than most conventional fingerprint sensors, which evidently makes “fooling” it more difficult than usual. CCC has outlined the following method they’ve come up with.

First, the fingerprint of the enroled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone.

It’s certainly a very elaborate method. Under “normal” circumstances we feel it would be impossible for someone to get a high resolution picture of our finger without our knowledge. The method is more of a proof of concept than an actual security risk.

Source: CCC