I'll be honest: I'm getting kind of tired of seeing words like "easy" and "simple" being used to describe the ridiculous how-to videos showing that it's possible to trick the Touch ID sensor on the iPhone 5s into believing you're someone you're not. The latest in what is sure to be a never-ending string of "me too!" hackers claiming they have figured out the best way to fool the iPhone is SRLabs, though I'm not seeing how this could possibly be categorized as "easy."
Here's a list of the steps to pulling off this spoof (you can check out the process used by the Chaos Computer Club on TUAW original article regarding the trick).
- First, snap a photo of a perfect print from the finger that will unlock the device. Without the victim knowing, of course.
- Use digital photo software to separate the print from the rest of the image and then "retouch as required." If your spouse or nosy friend has recently been taking Photoshop classes, this might be why.
- Print the image of the fingerprint on translucent plastic using black toner.
- Place the image of the print over a piece of photo-sensitive copper circuit board and then expose it to intense UV lighting. The folks from SRLabs used a face tanner for this. You have one or two of those laying around, right?
- Develop the circuit board in a bath of Sodium Carbonate Monohydrate or Potassium Carbonate. You know, just whichever one you have in the pantry.
- Etch the fingerprint into the copper by placing the copper board into an etching solution.
- Cover the print mold with graphite spray to help spoof the capacitive properties of a normal human finger.
- Cover the print in wood glue, let it dry, and then peel it from the mold.
- Oh, and the most important step of them all: Steal the phone from the victim, without them knowing it. If they find that their phone has been stolen, they can remotely wipe the device, which would mean you just did a lot of hard work for nothing.
- Then unlock the device. You only have a few attempts to do this correctly, because if you fail multiple times in a row the device will demand the numeric passcode and your plan is foiled.
- Easy! Right? RIGHT!?
Seriously though, every time one of these groups comes forward with another slightly tweaked method for fooling Apple's top-of-the-line smartphone, I can't help but think how much easier it would be to just steal the phone in broad daylight and then torture the owner into unlock it themselves. If there's anything on your phone that would warrant someone to go through these insane steps to breach its security features, you should probably be using a 20-digit passcode and keep your phone within your grasp at all times.
Touch ID isn't infallible, but it's better than a 4-digit passcode (which can be brute-forced in less than an hour or simply spied by someone peeking over your shoulder), and it's clearly better than no security at all, which is how many consumers use their phones every day.
Data source: via TUAW (By Mike Wehner)
Post a Comment