Apple fans expecting their new iPhone 6 to be secured from the kind of vulnerabilities which, theoretically, could let a stranger access their device, were left disappointed this week as researchers claimed the smartphone giant had done little to remove a security blind spot.
Marc Rogers, a security researcher from mobile security vendor Lookout, claimed in a blog post that he was able to use exactly the same technique that cracked the iPhone 5’s TouchID fingerprint sensor a year ago to access the iPhone 6.
“Sadly there has been little in the way of measurable improvement in the sensor between these two devices,” he said. “Fake fingerprints created using my previous technique were able to readily fool both devices.”
It must be said that carrying out such a “hack” requires a convoluted process whereby the attacker must use a laser-printed image of the enrolled fingerprint, create a mould of the fingerprint using pink latex milk or white woodglue, and then apply it to the sensor.
Such a long, drawn-out affair will probably deter most cash-hungry cyber-criminals.
However, Lookout’s Rogers said he was disappointed that no attempt had been made to improve TouchID security, including “the ability to set a timeout for TouchID after which a passcode must be entered.”
“In fact, it appears that the biggest change to the sensor is that it seems to be much more sensitive, which is made possible by a higher resolution scanning part,” he added.
“How do I know this? Well, during my testing I noticed that I got far less ‘false negatives’ with the iPhone 6 (false negatives are where the device rejects your legitimate fingerprint). However, it’s likely this is also aided by the fact that the iPhone 6 appears to scan a much wider area of your fingerprint to improve reliability.”
Rogers admitted that to subvert TouchID would require “skill, patience, and a really good copy of someone’s fingerprint.”
However, he expressed disappointment that the Cupertino giant hadn’t taken this chance to improve TouchID security given the increasingly expansive uses of the smartphone.
“Especially when you consider their clear intention to widen its usage beyond simply unlocking your phone into the realm of payments,” Rogers said. “Convenient authentication for transactions is a great thing that could both improve user experience and security.”