A Quick Response on the Great Touch ID Spoof

By Rich

Hackers at the Chaos Computer Club were the first to spoof Apple’s Touch ID sensor. They used existing techniques, but at higher resolution. A quick response:

  • The technique can be completed with generally available materials and technology. It isn’t the sort of thing everyone will do, but there is no inherent barrier to entry such as high cost, special materials, or super-special skills. The CCC did great work here – I just think the hype is a bit off-base.
  • On the other hand, Touch ID primarily targets people with no passcodes, or 4-digit PINs. It is a large improvement for that population. We need some perspective here.
  • Touch ID disables itself if the phone is rebooted or you don’t use Touch ID for 48 hours (or if you wipe your iPhone remotely). This is why I’m comfortable using Touch ID even though I know I am more targeted. There is little chance of someone getting my phone without me knowing it (I’m addicted to the darn thing). I will disable Touch ID when crossing international borders and at certain conferences and hacker events.
  • Yes, I believe if you enable Touch ID it could allow law enforcement easier access to your phone (because they can get your fingerprint, or touch your finger to your phone). If this concerns you, turn it off. That’s why I intend to disable it when crossing borders and in certain countries.
  • As Rob Graham noted, you can set up Touch ID to use your fingertip, not the main body of your finger. I can confirm that this works, but you do need to game the setup a little. Your fingertip print is harder to get, but still not impossible.

Not all risk is equal. For the vast majority of consumers, this provides as much security as a strong passcode with the convenience of no passcode. If you are worried you might be targeted by someone who can get your fingerprint, get your phone, and fake out the sensor… don’t use Touch ID. Apple didn’t make it for you.

PS: I see the biggest risk for Touch ID in relationships with trust issues. It wouldn’t shock me at all to read about someone using the CCC technique to invade the privacy of a significant other. There are no rules in domestics…

No Related Posts

I am not worried at all about TouchId hacked and planning to use it without restrictions.  CCC only proves to me that Apple got it right because the sensor reads back the fingerprint perfectly. Now, one fingerprint read is like one digit used as a password. So, a hacker needs to have your 10 fingerprints and know which finger you use as password.
Apple can soon use fingerprint as decimal value to create password. 
A 4 decimal number as password can be replaced by a sequence of 4 fingerprints.  Thus, having the fingerprints of someone is equal to knowing the 10 digit of the decimal system.  In order to hack, you will need the 4 fingers used and the sequence. 
In the meantime, I plan to use 2 fingers as one and so having my fingerprints will mean nothing.

By Marc E Gracieux

If you like to leave comments, and aren’t a spammer, register for the site and email us at and we’ll turn off moderation for your account.