Well, that didn’t take long.
The much-heralded Touch ID on the new iPhone 5S has allegedly been hacked by a group of German hackers. It took all of 48 hours after the phone went on sale.
Now, admittedly, this was no random hack. The German group known as the Chaos Computing Club, one of the oldest hacking groups in the world, claims to have successfully hacked the security feature. A contest hosted by the site IsTouchIDHackedYet.com saw folks chipping in to pay a reward to the first person or group to hack Touch ID and provide proof. The site posted that the German group claims to have performed the hack, but video proof has yet to be posted.
However, I think the only surprise about the news of this hack was how quickly it happened. Almost every security expert I spoke with in the days after the news of Touch ID broke was skeptical about the security of the technology. Dirk Sigurdson, director of engineering for Mobilisafe at Rapid7, told me just after Touch ID was introduced that Apple has been known to release flawed versions of its pass code locking feature and that it would be likely that vulnerabilities to such security techniques would continue to be an issue.
In addition, Kevin O'Brien, an enterprise relevant products/services solution architect at CloudLock, shared this thought with CIO.com, after the hacking contest was announced:
‘The two primary mechanisms of defense here are that the fingerprint data is being stored in hashed form, and that the data is being stored in a supposedly secure portion of the device. Neither offers any real security.’
In fact, GigaOm explained just how easy it was to hack the fingerprint sensor using fake fingerprinting tactics.
Still, for security, I am a big fan of biometrics, but I’m also an avid promoter of multi-factor authentication. I believe the Touch ID should have been set up to begin with—with multiple means of security. Passwords alone don’t provide enough security, as we’ve found out over the years, but if you can couple it with other methods such as a fingerprint scanner, you’ve made security even tighter.