The method follows the steps outlined in this how-to with materials that can be found in almost every household: First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner setting. Finally, pink latex milk or white woodglue is smeared into the pattern created by the toner onto the transparent sheet. After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone. This process has been used with minor refinements and variations against the vast majority of fingerprint sensors on the market.
I'm not surprised. In my essay on Apple's technology, I wrote: "I'm sure that someone with a good enough copy of your fingerprint and some rudimentary materials engineering capability -- or maybe just a good enough printer -- can authenticate his way into your iPhone."
I don't agree with CCC's conclusion, though:
"We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can't change and that you leave everywhere every day as a security token", said Frank Rieger, spokesperson of the CCC. "The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access."
Apple is trying to balance security with convenience. This is a cell phone, not an ICBM launcher or even a bank account withdrawal device. Apple is offering an option to replace a four-digit PIN -- something that a lot of iPhone users don't even bother with -- with a fingerprint. Despite its drawbacks, I think it's a good trade-off for a lot of people.
EDITED TO ADD (10/13): The print for the CCC hack was lifted from the iPhone.
> Apple is trying to balance security with convenience.

So why don't they try to balance input methods? All I can think now is (e.g.) a fingerprint reader with a simple pattern unlock. What they've done is gone to effectively single factor security (phones are left unattended periodically so possession is not really a security feature here).
> Various pundits are suggesting that the fingerprint security scheme will allow for "secure" payment transfers.

Extremely this. Everyone assumes at first any security is perfect, and anything new is better than anything old, so all sorts of crazy things have been posited as a result of this biometric reader. It is a key failing in the link between security and every other practice area in digital products. How do we get everyone to think about consequences? I mean, a lot more than "after 48 hours use your PIN anyway."
I agree that it's a good tradeoff for a lot of people, but I think the reaction to this is more about countering all the initial hype that Apple's fingerprint technology was better and more secure than other consumer-grade fingerprint technology. Clearly it wasn't, and most people didn't know that, and Apple was perfectly content to let them think it was.
And why the false choice between the fingerprint and a 4 digit PIN? If that was the only choice, wouldn't pointing out the inadequacy of both for some people be more appropriate? You can set a longer passcode on an iPhone. You can still use all digits if you prefer, and while I'm not an iPhone user myself, my understanding is that if you do that the iPhone will still just display a number pad for entry, so you won't have to deal with the full keyboard just to unlock it.
The fact of the matter is Bruce, like almost all of you out there, cannot deal w/ the awkwardness of pulling out your "flipper" "dumb" phone when someone asks you for your number. You are being socially controlled and your security is being compromised b/c of it; I only know of one adult whom I respect a lot who doesn't carry a cell on him at all. Think how much more aware of your surroundings you are and the day-to-day physical security is enhanced. Someone robs you they won't get a phone.
Given that Apple has rolled out ApplePay which links your credit card to their simple touch payment system, and many people also store most of their other personal data on their phones, enabling identity theft, being able to easily lift a print and use that to unlock their phone is definitely a major security concern.
I personally see banks liking Apple Pay because it can save them money on implementing PIN and CHIP credit card security. And combined with the thumbprint vulnerability, this will keep the US as the top fraud target globally and with the lowest security standards.