Remember when Apple’s iPhone 5S fingerprint sensor, TouchID, was hacked? History is repeating itself: the TouchID fingerprint scanner on the new iPhone 6 has been hacked by a security researcher using the same method he used against the iPhone 5S.
The difference between now and then is that the TouchID scanner on the iPhone 6 is an essential part of Apple’s upcoming mobile payment service. The researcher behind the hack is Marc Rogers from Lookout.
To hack the TouchID of the iPhone 6, Marc created a fake set of fingerprints to trick the scanner (the same technique the researcher used to hack the iPhone 5S TouchID last year). During the tests it was also found that the iPhone 6 lacks the ability to set a timeout for TouchID, which would force the user to enter a passcode as a secondary measure. The absence of this key security feature opens the device up to brute-forcing, giving an attacker multiple attempts to defeat the sensor.
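The two controls the article says are missing, a cap on failed biometric attempts and a timeout after which the passcode is demanded, are easy to reason about as a small policy state machine. The following simulation is an added example written for this page; it is not Apple's code and does not describe how iOS actually implements TouchID. The thresholds (5 failures, 48 hours), the event shape and the function names are assumptions chosen for illustration. It shows how many failed presentations a sensor evaluates before a passcode is required under a limited policy versus an unlimited one.

```python
"""Simulation of a biometric-unlock policy with an attempt cap and a
passcode-fallback timeout. Constructed example for this article; the
thresholds and API are assumptions, not Apple's TouchID behaviour."""
from dataclasses import dataclass
from typing import Optional

NO_LIMIT = float("inf")  # used to model a policy with neither control enabled


@dataclass
class UnlockPolicy:
    # Assumed thresholds: lock biometrics after 5 consecutive failed prints,
    # and require the passcode if none was entered in the last 48 hours.
    max_biometric_failures: float = 5
    passcode_timeout_s: float = 48 * 3600
    failures: int = 0
    last_passcode_at: Optional[float] = None  # None = no passcode since boot

    def biometric_allowed(self, now: float) -> bool:
        """Biometric unlock is only offered while all three conditions hold."""
        if self.last_passcode_at is None:
            return False  # passcode must be entered once after boot
        if now - self.last_passcode_at > self.passcode_timeout_s:
            return False  # timeout elapsed: passcode required again
        if self.failures >= self.max_biometric_failures:
            return False  # too many failed prints: passcode required
        return True

    def biometric_attempt(self, matched: bool, now: float) -> str:
        """Returns 'unlocked', 'rejected' or 'passcode_required'."""
        if not self.biometric_allowed(now):
            return "passcode_required"
        if matched:
            self.failures = 0
            return "unlocked"
        self.failures += 1
        if self.failures >= self.max_biometric_failures:
            return "passcode_required"
        return "rejected"  # the sensor will still accept another print

    def passcode_attempt(self, correct: bool, now: float) -> str:
        """A correct passcode resets the failure counter and the timeout clock."""
        if correct:
            self.failures = 0
            self.last_passcode_at = now
            return "unlocked"
        return "rejected"


def attempts_until_passcode_required(policy: UnlockPolicy, now: float = 0.0,
                                     cap: int = 1000) -> int:
    """Count failed biometric presentations the policy evaluates before it
    demands the passcode (the triggering attempt included). Returns `cap`
    if the policy never demands one, i.e. the exposure is unbounded."""
    policy.passcode_attempt(True, now)
    for n in range(1, cap + 1):
        if policy.biometric_attempt(False, now + n) == "passcode_required":
            return n
    return cap


if __name__ == "__main__":
    limited = UnlockPolicy()
    unlimited = UnlockPolicy(max_biometric_failures=NO_LIMIT,
                             passcode_timeout_s=NO_LIMIT)
    print("limited policy:  ", attempts_until_passcode_required(limited))
    print("unlimited policy:", attempts_until_passcode_required(unlimited))
```

The unlimited configuration models the situation described above: with no attempt cap and no timeout, every failed presentation is simply rejected and the next one is evaluated, so the number of tries available to someone holding a set of forged prints is bounded only by their patience. Either control alone bounds it; the attempt cap bounds it per session, the timeout bounds it per unit of time.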
“There has been little in the way of measurable improvement in the sensor between these two devices (iPhone5s and iPhone6). Fake fingerprints created using my previous technique were able to readily fool both devices,” said Rogers in a blog post.
The hardest part of any such attempt is creating a perfectly working fingerprint. Rogers used superglue along with fingerprint powder to lift the print; special fingerprint tape is also very helpful here. Defeating the fingerprint sensor in the new iPhones was more difficult than before, Rogers reveals while discussing his latest attempt. He also found that when fingerprints were enrolled for these tests, the sensor scanned a wider area at a much higher resolution. This gives the sensor greater reliability and reduces false negatives when an authentic user tries to unlock the device.
It was revealed at Apple’s annual event on September 9th that the built-in fingerprint sensor is a critical element of Apple Pay, the company’s mobile-payment technology. The service, slated to launch in October, will allow iPhone 6 and 6+ users to make transactions with their smartphones. It will eliminate the need to hand over credit card numbers and, Apple believes, will therefore reduce various kinds of fraud.
So far, more than 200,000 merchants and numerous high-profile card-issuing banks and credit card brands have agreed to support the new payment service. However, security experts assert that while it may reduce credit card fraud, in the long run it is likely to increase the risk of targeted attacks on Apple Pay users.
In conclusion, Rogers stated that while the built-in fingerprint sensor offers enough security for unlocking the iPhone, it is a very strong security control for managing mobile payments.
Rogers explained that:
“I can’t help but be a little disappointed that Apple didn’t take this chance to really tighten up the security of TouchID, especially when you consider their clear intention to widen its usage beyond simply unlocking your phone into the realm of payments.”
Industry analysts and solution providers affirm that the Apple Pay rollout has the potential to transform the payment industry, since it will eliminate the use of credit card numbers. It is important that a wider array of merchants adopt and endorse this new mechanism for mobile payments by iPhone. Avivah Litan, VP and analyst at research firm Gartner, stresses that merchants will ultimately have to embrace this new technology for iPhone users because it offers convenience and reliable security.
“Just like its predecessor, the iPhone 6’s TouchID sensor can be hacked. However, the sky isn’t falling. The attack requires skill, patience, and a really good copy of someone’s fingerprint – any old smudge won’t work. Furthermore, the process to turn that print into a useable copy is sufficiently complex that it’s highly unlikely to be a threat for anything other than a targeted attack by a sophisticated individual.”