Touch ID Hacked Only 48 Hours After Release

Sue Marquette Poremba

Well, that didn’t take long.

The much-heralded Touch ID on the new iPhone 5S has allegedly been hacked by a group of German hackers. It took all of 48 hours after the phone went on sale.

Now, admittedly, this was no random hack. The German group known as the Chaos Computer Club, one of the oldest hacking groups in the world, claims to have successfully hacked the security feature. A contest hosted by the site saw folks chipping in to pay a reward to the first person or group to hack Touch ID and provide proof. The site posted that the German group claims to have performed the hack, but video proof has yet to be posted.

However, I think the only surprise about the news of this hack was how quickly it happened. Almost every security expert I spoke with in the days after the news of Touch ID broke was skeptical about the security of the technology. Dirk Sigurdson, director of engineering for Mobilisafe at Rapid7, told me just after Touch ID was introduced that Apple has been known to release flawed versions of its passcode locking feature and that vulnerabilities in such security techniques would likely continue to be an issue.

In addition, Kevin O'Brien, an enterprise solution architect at CloudLock, shared this thought with me after the hacking contest was announced:

‘The two primary mechanisms of defense here are that the fingerprint data is being stored in hashed form, and that the data is being stored in a supposedly secure portion of the device. Neither offers any real security.’

In fact, GigaOm explained just how easy it was to hack the fingerprint sensor using fake fingerprinting tactics.

Still, for security, I am a big fan of biometrics, but I’m also an avid promoter of multi-factor authentication. I believe Touch ID should have been set up with multiple means of security to begin with. Passwords alone don’t provide enough security, as we’ve found out over the years, but if you can couple them with other methods such as a fingerprint scanner, you’ve made security even tighter.

Sep 26, 2013 3:42 AM Polly GGR says:
Great blog Sue and you are right - the surprise is not the hack but the speed and perhaps the publicity that the hack has received across the mainstream media. No-one believes any new security feature is hack proof if someone or a group is really determined.
